There are only two kinds of people who regularly complain about the state of Linux security: OpenBSD advocates and security vendors who want to sell you something. Seems like an awful lot of the latter are quoted in this WaPo piece.
There's a third kind of person: people who work on products that rely on Linux being secure. Kees Cook is one of them, being a Google employee who works on ChromeOS security.
"Versions of Linux have proved vulnerable to some of the most serious bugs in recent years, including Heartbleed and Shellshock. AshleyMadison.com, the site that facilitates extramarital affairs and suffered an embarrassing data breach in July, was reportedly running Linux on its servers, as do many companies."
This from a reporter who's "specializing in privacy, security and surveillance.". How sad.
> “There is no way in hell the problem there is the kernel,” Torvalds said. “If you run a nuclear power plant that can kill millions of people, you don’t connect it to the Internet.”
This is very emphatically not an answer. Iran learned this the hard way - their centrifuges were isolated from the internet, but someone managed to get access to the memory sticks used to transfer data in and out and inject an exploit that compromised the critical machines the moment it was inserted. At some point you inevitably need to get data in and out, and that means you need a secure device. (For that matter, how are you loading software onto those devices in the first place? At some point, the software development and provisioning process will have contact with the internet.)
> Iran learned this the hard way - their centrifuges were isolated from the internet, but someone managed to get access to the memory sticks used to transfer data in and out
It's not a sufficient answer in itself, but it's a good response.
It's a lot harder to compromise a physical system than to compromise a network.
Furthermore, it's a lot harder to compromise a physical system and go undetected than to compromise a network.
Both are possible, but given an offline system with good physical security and an online system with good physical security, you're still better off with the offline version.
Yeah right like. What system cannot be compromised when you have physical access to it?
You think if they ran openBSD or Windows or Apple Server, that they would not been hacked? All systems are exploitable with [BadUSB](https://github.com/adamcaudill/Psychson) for example.
To secure this szenario. You'd have to make sure that the Sticks are not infected by any kind of malware. Or use a USB condom. No OS will ever be able to secure itself from such attacks.
Also, the only way for a meltdown at a nuclear power plant to kill millions of people would be if a bad actor used the confusion as cover while they put anthrax spores in the water supply of a major metropolitan area.
> If you don’t treat security like a religious fanatic, you are going to be hurt like you can’t imagine. And Linus never took seriously the religious fanaticism around security,
Well that's an argument that I want to take seriously.
I'll probably get downvoted to hell, but the only reason I could think of for someone to write something so ridiculously terrible is if they were paid by Microsoft or Apple to fear monger and try to prevent people from using Linux.
God I totally understand what tech reporters have to do to reach a layperson audience but I can't remember the last time an indepth story has made me feel so ashamed about journalism as a profession.
What really got me was this completely shit literary cliche:
> The Cassandra myth reached its tragic climax when she warned the Trojans that a giant wooden horse on their shores — supposedly a gift of surrender after a long siege — actually was filled with Greek warriors who soon would emerge to destroy Troy. The Trojans laughed and ridiculed Cassandra. They realized their error when it was too late.
Not only is it one of the biggest cliches in any context, but it is especially so in computer security...it's harder to think of a context in which Trojan horse is so well-known and worn other than condoms.
But worst of all, it doesn't even make any sense...who/what is the "Trojan Horse" in this scenario? Who the fuck are the Trojans for that matter?
16 comments
[ 3.3 ms ] story [ 55.5 ms ] threadThis from a reporter who's "specializing in privacy, security and surveillance.". How sad.
He is so right.
It's not a sufficient answer in itself, but it's a good response.
It's a lot harder to compromise a physical system than to compromise a network.
Furthermore, it's a lot harder to compromise a physical system and go undetected than to compromise a network.
Both are possible, but given an offline system with good physical security and an online system with good physical security, you're still better off with the offline version.
You think if they ran openBSD or Windows or Apple Server, that they would not been hacked? All systems are exploitable with [BadUSB](https://github.com/adamcaudill/Psychson) for example.
To secure this szenario. You'd have to make sure that the Sticks are not infected by any kind of malware. Or use a USB condom. No OS will ever be able to secure itself from such attacks.
Well that's an argument that I want to take seriously.
What really got me was this completely shit literary cliche:
> The Cassandra myth reached its tragic climax when she warned the Trojans that a giant wooden horse on their shores — supposedly a gift of surrender after a long siege — actually was filled with Greek warriors who soon would emerge to destroy Troy. The Trojans laughed and ridiculed Cassandra. They realized their error when it was too late.
Not only is it one of the biggest cliches in any context, but it is especially so in computer security...it's harder to think of a context in which Trojan horse is so well-known and worn other than condoms.
But worst of all, it doesn't even make any sense...who/what is the "Trojan Horse" in this scenario? Who the fuck are the Trojans for that matter?
This will become a 'talking point' along this lines of 'fast, flexible and free, pick only two or heartbleed'.
Which will be said over an expensive lunch with some salesmen from a non-free operating system company.
And then the WashPo reading boss can say 'yes yes I was just reading about this'.
... Profit.