LinuxQuestions.org
Old 02-22-2014, 08:56 PM   #16
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,430

Original Poster

Quote:
Originally Posted by mancha
@hitest: If it still allows you maybe it makes sense to edit the title so it also attracts the attention of 14.1 users
and not just current users. Maybe something like: "new kernels: 14.1 (64 bit) and current (32 & 64 bit)".

--mancha

PS Your post is fine, Pat upgraded kernels in 32 and 64 bit current.
Done. Thanks for the suggestion.
 
Old 02-22-2014, 09:16 PM   #17
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,793

you might want to edit the title again
14.1 (32 bit) doesn't get the kernel update
 
Old 02-22-2014, 10:19 PM   #18
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,430

Original Poster
Quote:
Originally Posted by willysr
you might want to edit the title again
14.1 (32 bit) doesn't get the kernel update
Done. I will be as charitable with you the next time you post a grammar error. Chill.
 
Old 02-22-2014, 10:31 PM   #19
jtsn
Member
 
Registered: Sep 2011
Posts: 925

Quote:
Originally Posted by GazL
The danger is from a piggyback attack. Arbitrary code exploit in Firefox, flashplayer, java etc, or even things like xpdf, MPlayer, OpenOffice or any other app that references untrusted data, or god forbid a network facing server vulnerability, + CVE-2014-0038 = PWNED!
No one targets Firefox, Flashplayer, Java and Open Office (or even xpdf and MPlayer) on Linux. The installed base is so small, that even the black hats completely ignore you. Additionally rooting desktop machines is so worthless, that a Linux browser/office root exploit beyond a proof of concept is never going to happen.

Attackers go after vulnerable network services on Linux servers with good 24/7 connectivity, then they become root to hide their traces. On these systems the kernel should be updated immediately.

Don't misunderstand me, I'm not preaching lazy security. But privilege escalation on Linux desktops is not a pressing issue at all. Realistic threat assessment is keen to allocate limited time/resources with maximum effect on security.

Last edited by jtsn; 02-22-2014 at 10:37 PM.
 
1 members found this post helpful.
Old 02-23-2014, 06:40 AM   #20
GazL
LQ Veteran
 
Registered: May 2008
Posts: 7,067

My only purpose for posting was to point out that "This vulnerability is 'local' so it doesn't apply to me because I'm the only one who uses this machine" is flawed thinking. The probability of attack and the practicalities of resourcing and scheduling maintenance are secondary issues on which individual system owners will have to make a judgement call.
 
1 members found this post helpful.
Old 02-23-2014, 01:16 PM   #21
1337_powerslacker
Member
 
Registered: Nov 2009
Location: Kansas, USA
Distribution: Slackware64-15.0
Posts: 865
Blog Entries: 9

Quote:
Originally Posted by GazL
My only purpose for posting was to point out that "This vulnerability is 'local' so it doesn't apply to me because I'm the only one who uses this machine" is flawed thinking. The probability of attack and the practicalities of resourcing and scheduling maintenance are secondary issues on which individual system owners will have to make a judgement call.
You raise a very interesting point, GazL. Good security practices are practical (and sometimes necessary!) even for single users. While the odds are very much against being targeted, it cannot be ruled out entirely.

Quote:
Originally Posted by jtsn
Don't misunderstand me, I'm not preaching lazy security. But privilege escalation on Linux desktops is not a pressing issue at all. Realistic threat assessment is keen to allocate limited time/resources with maximum effect on security.
As a person who is keen on getting his bachelor's in computer science, security is very much on my mind. But I hear what you're saying, jtsn. There comes a point in which one can expend too much effort for too little return. 'Tis the law of diminishing returns, and it applies to security as well.
 
Old 02-23-2014, 03:23 PM   #22
mancha
Member
 
Registered: Aug 2012
Posts: 484

Quote:
Originally Posted by jtsn
No one targets Firefox, Flashplayer, Java and Open Office (or even xpdf and MPlayer) on Linux. [emphasis added]
Take for instance the so-called Careto (aka "the mask") APT that has been targeting users since at least 2007. Guess which OS
is among its target OSs: Linux. Guess which is one of its primary points of entry: flash. This particular example has avoided
detection for at least seven years and should serve as a reminder that just because we're not aware of certain types of threats
and attacks, doesn't mean they don't exist.

Quote:
Originally Posted by jtsn
The installed base is so small, that even the black hats completely ignore you.
I'm not a big believer in "security through minority". But, for the purposes of this particular discussion I suggest at least three
things be considered:
  • The effective user base
    Taken jointly, Linux client-systems (e.g. Android-based smartphones and tablets, Chromebooks, and Linux desktops)
    represent a large, and growing, user base (see: LinuxCon 2013 keynote).

    Given this rising popularity combined with the fact their shared genetic ancestry means exploits that work on one platform
    can, on many occasions, be easily adapted for use on another, we can expect any remaining protection afforded to Linux
    desktops by "security through minority" will diminish over time.

  • The flip-side
    An aspect of "security through minority" few people consider is that finding new vulnerabilities in popular products is
    difficult (easy ones have likely already been discovered and patched). In this sense, products that don't enjoy mass
    adoption (smaller installed base) provide less security because there are still lots of "easy" vulnerabilities waiting to
    be discovered and exploited: "insecurity through minority".

  • Targeted attacks
    Clearly "security through minority" doesn't apply in targeted attacks (which are on the rise). For example, it is no comfort
    to SubGenius Widgets, Inc.™ (that deploys Slackware desktops to all its employees by the way) when black hats target
    its employees to steal secret blueprints.
Quote:
Originally Posted by jtsn
Additionally rooting desktop machines is so worthless...
The evidence doesn't support this. Bad guys continue investing considerable resources specifically to root desktops and set
up spam relays, steal personal financial information, steal identities, steal intellectual property, etc.

Quote:
Originally Posted by jtsn
But privilege escalation on Linux desktops is not a pressing issue at all.
Care should be taken with such opinions. After all, risk aversion, risk exposure, etc. vary among individuals and organizations.
Security, specifically vulnerability management, is not one-size-fits-all.

--mancha

Last edited by mancha; 02-23-2014 at 11:18 PM. Reason: added link to careto analysis / stylistic edits
 
5 members found this post helpful.
Old 02-23-2014, 09:14 PM   #23
jtsn
Member
 
Registered: Sep 2011
Posts: 925

Quote:
Originally Posted by mancha
Take for instance the so-called Careto (aka "the mask") APT that has been targeting users since at least 2007. Guess which OS is among its target OSs: Linux.
Impressive. But the Linux version just has the usual proof of concept status, because it doesn't spread in the wild. Even the AV vendor wasn't able to acquire a working sample of it...

Quote:
Taken jointly, Linux client-systems (e.g. Android-based smartphones and tablets, Chromebooks, and Linux desktops)
represent a large, and growing, user base (see: LinuxCon 2013 keynote).
Indeed, Android is targeted by lots of trojan horse malware, usually sneaked into the Google Play Store. This code doesn't run on an x86-based Slackware desktop.

Quote:
Given this rising popularity
Desktop Linux doesn't rise in popularity, it stays around 1 %, even the way more popular OS X is almost "secure by obscurity". Doesn't mean that it is a valid security concept, but it's the reality.

Quote:
Clearly "security through minority" doesn't apply in targeted attacks (which are on the rise).
Targeted attacks are a completely different story. Against them you are basically defenseless, because black hats buy zero-day exploits specifically for your systems. You can't fix these, because you don't know that they exist. I.e., how do you defend your machines against someone who knew a year before you that Debian's libSSL was a joke and all your SSH keys were compromised?

Patching known security holes only helps against untargeted mass attacks.

Quote:
For example, it is no comfort to SubGenius Widgets, Inc.™ (that deploys Slackware desktops to all its employees by the way) when black hats target its employees to steal secret blueprints.
To prevent that you have to store them on a non-networked computer. There is no other option.

Quote:
Bad guys continue investing considerable resources specifically to root desktops and set up spam relays, steal personal financial information, steal identities, steal intellectual property, etc.
They don't need root for that everyday scam. And these people don't target desktop Linux, because it isn't worth it. It is so fragmented, that you aren't even able to make malware which reliably runs on more than one specific distribution. The development expense is at least the same for every platform, while the returns scale with the market share. Black hats are not idealists, they can calculate.

Soon Slackware will be "secured" by the sole fact, that it doesn't run systemd (which is a security nightmare on its own).

Quote:
Care should be taken with such opinions. After all, risk aversion, risk exposure, etc. vary among individuals and organizations.
Indeed, correct risk assessment is needed to make the right decisions. There's a good chance that black hats will break into your usual insecure PHP web application and root your server, because there are dozens of these machines out there. But a beyond-proof-of-concept exploit which specifically targets the abandoned Linux Flash player we have yet to see.

Last edited by jtsn; 02-23-2014 at 09:28 PM.
 
Old 03-08-2014, 10:46 AM   #24
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,430

Original Poster
willysr,

Please accept my apologies for the angry reply. I do appreciate and value what you do for our community.
 
Old 03-08-2014, 11:10 AM   #25
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,793

I don't feel offended by your reply, no worries
 
1 members found this post helpful.
  

