The Washington Post published an article today which describes the ongoing tension between the security community and Linux kernel developers. This has been roundly denounced as FUD, with Rob Graham going so far as to claim that nobody ever attacks the kernel.
Unfortunately he's entirely and demonstrably wrong, it's not FUD and the state of security in the kernel is currently far short of where it should be.
[Here is] an example. Recent versions of Android use SELinux to confine applications. Even if you have full control over an application running on Android, the SELinux rules make it very difficult to do anything especially user-hostile. Hacking Team, the GPL-violating Italian company who sells surveillance software to human rights abusers, found that this impeded their ability to drop their spyware onto targets' devices. So they took advantage of the fact that many Android devices shipped a kernel with a flawed copy_from_user() implementation that allowed them to copy arbitrary userspace data over arbitrary kernel code, thus allowing them to disable SELinux.
(Score: 3, Insightful) by tangomargarine on Wednesday November 11 2015, @11:20PM
And finally (sorry about the multiple posts):
Phoenix666 writes:
No he didn't. From the looks of it he literally just sent you an URL. Either that, or he wrote a summary the editor didn't like, so they just threw it out entirely and copy-pasted the beginning of the article.
Sorry that I'm being snippy, but we have a hard enough time figuring out the real story when the publications themselves do shoddy articles; we don't need crap summaries, too.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Thursday November 12 2015, @12:28AM
If you click the "Original Submission" link right below the article, you can see which it was.