Slackware This Forum is for the discussion of Slackware Linux.
|
|
|
02-22-2014, 08:56 PM
|
#16
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,430
Original Poster
|
Quote:
Originally Posted by mancha
@hitest: If it still allows you maybe it makes sense to edit the title so it also attracts the attention of 14.1 users
and not just current users. Maybe something like: "new kernels: 14.1 (64 bit) and current (32 & 64 bit)".
--mancha
PS Your post is fine, Pat upgraded kernels in 32 and 64 bit current.
|
Done. Thanks for the suggestion.
|
|
|
02-22-2014, 09:16 PM
|
#17
|
Senior Member
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,793
|
you might want to edit the title again
14.1 (32 bit) doesn't get the kernel update
|
|
|
02-22-2014, 10:19 PM
|
#18
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,430
Original Poster
|
Quote:
Originally Posted by willysr
you might want to edit the title again
14.1 (32 bit) doesn't get the kernel update
|
Done. I will be as charitable with you the next time you post a grammar error. Chill.
|
|
|
02-22-2014, 10:31 PM
|
#19
|
Member
Registered: Sep 2011
Posts: 925
|
Quote:
Originally Posted by GazL
The danger is from a piggyback attack. Arbitrary code exploit in Firefox, flashplayer, java etc, or even things like xpdf, MPlayer, OpenOffice or any other app that references untrusted data, or god forbid a network facing server vulnerability, + CVE-2014-0038 = PWNED!
|
No one targets Firefox, Flashplayer, Java and Open Office (or even xpdf and MPlayer) on Linux. The installed base is so small that even the black hats completely ignore you. Additionally, rooting desktop machines is so worthless that a Linux browser/office root exploit beyond a proof of concept is never going to happen.
Attackers go after vulnerable network services on Linux servers with good 24/7 connectivity, then they become root to hide their traces. On these systems the kernel should be updated immediately.
Don't misunderstand me, I'm not preaching lazy security. But privilege escalation on Linux desktops is not a pressing issue at all. Realistic threat assessment is keen to allocate limited time/resources with maximum effect on security.
Last edited by jtsn; 02-22-2014 at 10:37 PM.
|
|
1 members found this post helpful.
|
02-23-2014, 06:40 AM
|
#20
|
LQ Veteran
Registered: May 2008
Posts: 7,067
|
My only purpose for posting was to point out that "This vulnerability is 'local' so it doesn't apply to me because I'm the only one who uses this machine" is flawed thinking. The probability of attack and the practicalities of resourcing and scheduling maintenance are secondary issues on which individual system owners will have to make a judgement call.
|
|
1 members found this post helpful.
|
02-23-2014, 01:16 PM
|
#21
|
Member
Registered: Nov 2009
Location: Kansas, USA
Distribution: Slackware64-15.0
Posts: 865
|
Quote:
Originally Posted by GazL
My only purpose for posting was to point out that "This vulnerability is 'local' so it doesn't apply to me because I'm the only one who uses this machine" is flawed thinking. The probability of attack and the practicalities of resourcing and scheduling maintenance are secondary issues on which individual system owners will have to make a judgement call.
|
You raise a very interesting point, GazL. Good security practices are practical (and sometimes necessary!) even for single users. While the odds are very much against being targeted, it cannot be ruled out entirely.
Quote:
Originally Posted by jtsn
Don't misunderstand me, I'm not preaching lazy security. But privilege escalation on Linux desktops is not a pressing issue at all. Realistic threat assessment is keen to allocate limited time/resources with maximum effect on security.
|
As a person who is keen on getting his bachelor's in computer science, security is very much on my mind. But I hear what you're saying, jtsn. There comes a point in which one can expend too much effort for too little return. 'Tis the law of diminishing returns, and it applies to security as well.
|
|
|
02-23-2014, 03:23 PM
|
#22
|
Member
Registered: Aug 2012
Posts: 484
|
Quote:
Originally Posted by jtsn
No one targets Firefox, Flashplayer, Java and Open Office (or even xpdf and MPlayer) on Linux. [emphasis added]
|
Take for instance the so-called Careto (aka "the mask") APT that has been targeting users since at least 2007. Guess which OS is among its target OSs: Linux. Guess which is one of its primary points of entry: flash. This particular example has avoided detection for at least seven years and should serve as a reminder that just because we're not aware of certain types of threats and attacks, doesn't mean they don't exist.
Quote:
Originally Posted by jtsn
The installed base is so small, that even the black hats completely ignore you.
|
I'm not a big believer in "security through minority". But, for the purposes of this particular discussion I suggest at least three things be considered:
- The effective user base
  Taken jointly, Linux client-systems (e.g. Android-based smartphones and tablets, Chromebooks, and Linux desktops) represent a large, and growing, user base (see: LinuxCon 2013 keynote).
  Given this rising popularity combined with the fact their shared genetic ancestry means exploits that work on one platform can, on many occasions, be easily adapted for use on another, we can expect any remaining protection afforded to Linux desktops by "security through minority" will diminish over time.
- The flip-side
  An aspect of "security through minority" few people consider is that finding new vulnerabilities in popular products is difficult (easy ones have likely already been discovered and patched). In this sense, products that don't enjoy mass adoption (smaller installed base) provide less security because there are still lots of "easy" vulnerabilities waiting to be discovered and exploited: "insecurity through minority".
- Targeted attacks
  Clearly "security through minority" doesn't apply in targeted attacks (which are on the rise). For example, it is no comfort to SubGenius Widgets, Inc.™ (that deploys Slackware desktops to all its employees by the way) when black hats target its employees to steal secret blueprints.
Quote:
Originally Posted by jtsn
Additionally rooting desktop machines is so worthless...
|
The evidence doesn't support this. Bad guys continue investing considerable resources specifically to root desktops and set up spam relays, steal personal financial information, steal identities, steal intellectual property, etc.
Quote:
Originally Posted by jtsn
But privilege escalation on Linux desktops is not a pressing issue at all.
|
Care should be taken with such opinions. After all, risk aversion, risk exposure, etc. vary among individuals and organizations. Security, specifically vulnerability management, is not one-size-fits-all.
--mancha
Last edited by mancha; 02-23-2014 at 11:18 PM.
Reason: added link to careto analysis / stylistic edits
|
|
5 members found this post helpful.
|
02-23-2014, 09:14 PM
|
#23
|
Member
Registered: Sep 2011
Posts: 925
|
Quote:
Originally Posted by mancha
Take for instance the so-called Careto (aka "the mask") APT that has been targeting users since at least 2007. Guess which OS is among its target OSs: Linux.
|
Impressive. But the Linux version just has the usual proof of concept status, because it doesn't spread in the wild. Even the AV vendor wasn't able to acquire a working sample of it...
Quote:
Taken jointly, Linux client-systems (e.g. Android-based smartphones and tablets, Chromebooks, and Linux desktops)
represent a large, and growing, user base (see: LinuxCon 2013 keynote).
|
Indeed, Android is targeted by lots of trojan horse malware, usually sneaked into the Google Play Store. This code doesn't run on an x86-based Slackware desktop.
Quote:
Given this rising popularity
|
Desktop Linux doesn't rise in popularity, it stays around 1%; even the way more popular OS X is almost "secure by obscurity". Doesn't mean that it is a valid security concept, but it's the reality.
Quote:
Clearly "security through minority" doesn't apply in targeted attacks (which are on the rise).
|
Targeted attacks are a completely different story. Against them you are basically defenseless, because black hats buy zero-day exploits specifically for your systems. You can't fix these, because you don't know that they exist. I.e., how do you defend your machines against someone who knew a year before you that Debian's libSSL was a joke and all your SSH keys were compromised?
Patching known security holes only helps against untargeted mass attacks.
Quote:
For example, it is no comfort to SubGenius Widgets, Inc.™ (that deploys Slackware desktops to all its employees by the way) when black hats target its employees to steal secret blueprints.
|
To prevent that you have to store them on a non-networked computer. There is no other option.
Quote:
Bad guys continue investing considerable resources specifically to root desktops and set up spam relays, steal personal financial information, steal identities, steal intellectual property, etc.
|
They don't need root for that everyday scam. And these people don't target desktop Linux, because it isn't worth it. It is so fragmented that you aren't even able to make malware which reliably runs on more than one specific distribution. The development expense is at least the same for every platform, while the returns scale with the market share. Black hats are not idealists, they can calculate.
Soon Slackware will be "secured" by the sole fact that it doesn't run systemd (which is a security nightmare on its own).
Quote:
Care should be taken with such opinions. After all, risk aversion, risk exposure, etc. vary among individuals and organizations.
|
Indeed, correct risk assessment is needed to make the right decisions. There's a good chance that black hats will break into your usual insecure PHP web application and root your server, because there are dozens of these machines out there. But a beyond-proof-of-concept exploit which specifically targets the abandoned Linux Flash player we have yet to see.
Last edited by jtsn; 02-23-2014 at 09:28 PM.
|
|
|
03-08-2014, 10:46 AM
|
#24
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,430
Original Poster
|
willysr,
Please accept my apologies for the angry reply. I do appreciate and value what you do for our community.
|
|
|
03-08-2014, 11:10 AM
|
#25
|
Senior Member
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,793
|
i don't feel offended by your reply, no worries
|
|
1 members found this post helpful.
|
All times are GMT -5.