Here we go again...

revMaxx

Marius Nestor  /  Jan 19, 2016

Canonical Patches the Zero-Day Linux Kernel Vulnerability in All Supported Ubuntu OSes

All users are urged to update as soon as possible

Comments:

Glad I use Windows. Linux is not ready for popularity.

DogsB

I was going to offer a snarky reply to that comment but this fantastic captcha stopped me. =(

blakeyrat

What? It's a fair point.

Linux (and related software) has had far more critical bugs in the last 3-4 years than have been found in Windows, despite having only a tiny percentage of the users. (Not counting Android.)

Sure it's great that these bugs are being found and fixed, but if Linux had the popularity among the common person as Windows, how many people would have been drafted into a botnet as a result of this bug? Ten million? Twenty?

That's the point he's making.

(And ignoring the 500 other reasons Linux is not ready for popularity.)

Fox

@blakeyrat said:

(And ignoring the 500 other reasons Linux is not ready for popularity.)

Inb4 "just learn to use the CLI, it's way better."

Hanzo

I don't get you, Blakey. First, the article explicitly says "a local attacker".

Second, I don't know where you get the number of critical bugs from, but you can be sure that MS and the Linux community do not count in the same way.

Third, http://www.networkworld.com/article/2260410/network-security/america-s-10-most-wanted-botnets.html

Yes, Zeus alone had 3.6M infected PCs. In the USA.

So no.

blakeyrat

@Hanzo said:

Second, I don't know where you get the number of critical bugs from,

The news.

I suppose it's possible that the Microsoft ones simply don't get cute names and appear on IT news sources, but since 90% of IT news sources will do anything to run a story critical of Microsoft, that seems unlikely.

@Hanzo said:

Second, I don't know where you get the number of critical bugs from, but you can be sure that MS and the Linux community do not count in the same way.

Pedantic dickweedery.

I get them from the news. Bugs don't get news coverage unless they're critical. QED. I do not give a shit for pedantic dickweedery about "counting methods".

@Hanzo said:

Third, http://www.networkworld.com/article/2260410/network-security/america-s-10-most-wanted-botnets.html

Yes, Zeus alone had 3.6M infected PCs. In the USA.

So no.

That shows... what? Is that just a complete non-sequitur, or...? I feel like you're trying to make some sort of point or you wouldn't have typed it, but damned if I can figure out what it is.

RaceProUK

You do know that the preferred method of spreading malware nowadays is via social engineering? After all, it's a lot easier to exploit a system when the user has just invited you through the 'airtight hatchway', to borrow a phrase.

hungrier

Yep. The best security system in the world is no match for a stupid user and disable security for pron instructions.

accalia

@Fox said:

just learn to use the CLI, it's way better.

indeed. seriously, shit up and learn the CLI.

i won't promise it's better but if you learn it and use it you'll have a lot fewer problems.

gordonjcp

If anyone actually bothered to read what the "vulnerability" involves, it requires an attacker to run code locally 4 billion times to cause a 32-bit counter to overflow so that maybe they might be able to escalate privileges.

So you might be at risk if you find that someone who already has root (to install the magic code) has installed something that causes your machine to scream away at 100% CPU usage for a couple of hours until the counter wraps.

Fox

@accalia said:

indeed. seriously, shit up and learn the CLI.

i won't promise it's better but if you learn it and use it you'll have a lot fewer problems.

Because the CLI is so intuitive and user friendly, right? It's as easy as iOS. Linux is totally ready for popularity.

accalia

@Fox said:

Because the CLI is so intuitive and user friendly

if you like wearing those rose coloured sunglasses: sure.

if like me you prefer to live in the real world: no, it's just where the tools you need to do your job live.

Fox

I think you missed the blatant sarcasm on the line you quoted.

And we're talking about Linux as a popular OS, not Linux as an OS for CS professionals.

NedFodder

@blakeyrat said:

the Microsoft ones simply don't get cute names and appear on IT news sources

You mean names like Hot Potato?

Coincidentally, it also grants privileges to a local attacker.

Hanzo

@blakeyrat said:

@Hanzo said:

Second, I don't know where you get the number of critical bugs from,

The news.

I suppose it's possible that the Microsoft ones simply don't get cute names and appear on IT news sources, but since 90% of IT news sources will do anything to run a story critical of Microsoft, that seems unlikely.

Ah, well, then you might also have read in the news that the numbers are not really comparable.

Pedantic dickweedery.

I get them from the news. Bugs don't get news coverage unless they're critical. QED. I do not give a shit for pedantic dickweedery about "counting methods".

You forgot to add: because it is not convenient.

That shows... what? Is that just a complete non-sequitur, or...? I feel like you're trying to make some sort of point or you wouldn't have typed it, but damned if I can figure out what it is.

That Windows has had many more computers enlisted in botnets than what you are alluding to, despite having so few bugs.

but damned if I can figure out what it is.

That's because of the way you are: you're special.

accalia

@Fox said:

missed the blatant sarcasm

it's not blatant if you're missing <sarcasm> tags.

Magus

@Hanzo said:

That Windows has had many more computers enlisted in botnets

@Hanzo said:

That Windows has had many more computers

QED?

Kuro

that site has a picture on the right, which is subtitled

Patching Ubuntu Linux

This is said picture:

And while I know that they outline the update process in the text, I can't help but tell you guys to open your Console and type in uname -a. That'll fix all the bugs!

Filed Under: "We should patch Discourse as well! Maybe that would fix the Zero Day Vunerabilty of reporting bugs!

loopback0

@accalia said:

if you learn it and use it you'll have a lot fewer problems.

Right - because the CLI just magically causes less problems somehow?

loopback0

@accalia said:

it's not blatant if you're missing <sarcasm> tags.

It's blatant if you're not Sheldon Cooper.

accalia

@loopback0 said:

Right - because the CLI just magically causes less problems somehow?

nah. it just lets you fix them instead of going "herp-derp i dunno what's going on."

accalia

@loopback0 said:

It's blatant if you're not Sheldon Cooper.

people keep telling me i'm like this sheldon person..... who the flagar is she?

loopback0

@accalia said:

it just lets you fix them instead of going "herp-derp i dunno what's going on."

NedFodder

@accalia said:

@loopback0 said:

Right - because the CLI just magically causes less problems somehow?

nah. it just lets you fix them instead of going "herp-derp i dunno what's going on."

Fix them with what, undo.exe?

blakeyrat

@Hanzo said:

That Windows has had many more computers enlisted in botnets than what you are alluding to, despite having so few bugs.

That's the point I was making. Windows has that many computers in botnets despite being more secure. If Linux had the market penetration that Windows had, it'd be botnet city. Its numbers would dwarf Windows'.

FrostCat

@accalia said:

shit up

Thank you for this inadvertent demonstration of why CLIs are not for everyone, including the dyslexic. I know you didn't mean to be ableist.

Hanzo

@blakeyrat said:

@Hanzo said:

That Windows has had many more computers enlisted in botnets than what you are alluding to, despite having so few bugs.

That's the point I was making. Windows has that many computers in botnets despite being more secure. If Linux had the market penetration that Windows had, it'd be botnet city. Its numbers would dwarf Windows'.

Ok, I should have added quotes around "despite having so few bugs" and added a few sarcasm tags.

boomzilla

@loopback0 said:

Right - because the CLI just magically causes less problems somehow?

You'd be amazed. It's basically blakey-repellant and if it doesn't actually get rid of problems, you at least won't keep hearing about the same ones over and over and over.

jmp

@blakeyrat said:

That's the point I was making. Windows has that many computers in botnets despite being more secure. If Linux had the market penetration that Windows had, it'd be botnet city. Its numbers would dwarf Windows'.

Because nowadays it's all social engineering; people aren't in these botnets because of a worm or the like, they're in the botnet because they downloaded botnet.exe and ran it and then gave it UAC elevation.

People running Linux wouldn't change that one bit.

(And I really doubt modern Linux is particularly susceptible to worms; otherwise we'd expect the good chunk of servers running Linux to be hit by them from time to time).

fbmac

@blakeyrat said:

Not counting Android

That's a large exception. Windows is very unpopular (except for x86) too.

@blakeyrat said:

Bugs don't get news coverage unless they're critical

FrostCat

@fbmac said:

You read that wrong. Try reading it this way: "news coverage is how I categorize bugs as critical."

Of course you have to remember you're dealing with a rat who made up his own definition of the word "bug", namely "doesn't work the way I want it to."

David_C

@hungrier said:

The best security system in the world is no match for a stupid user

Back in 2004, I declared the Internet to be doomed after seeing how far the [URL=http://www.symantec.com/security_response/writeup.jsp?docid=2004-030312-0201-99]Beagle[/URL] worm spread. This malware would evade virus scanners by e-mailing itself (along with some social engineering text) as a zip file encrypted with a random password, and putting the password in the e-mail. It would direct recipients to unpack the zip file and execute the payload.

The fact that very large segments of the e-mail-using population actually did this convinced me that the problem of malware is one that can never be solved because people can be convinced to do anything.

I'm sure if I started distributing a "manual virus" - an e-mail telling people to forward it to all their friends and then reformat their hard drive - there would be tons of people dumb enough to actually do it.

@blakeyrat said:

That's the point I was making. Windows has that many computers in botnets despite being more secure. If Linux had the market penetration that Windows had, it'd be botnet city. Its numbers would dwarf Windows'.

Maybe. It's also logical to assume that if Linux was as popular, there would be many more security researchers working on Linux than there are today and problems would be fixed faster.

I don't think you (or I) can predict the "what if" future any better than any other random person you find on-line.

flabdablet

@jmp said:

Because nowadays it's all social engineering; people aren't in these botnets because of a worm or the like, they're in the botnet because they downloaded botnet.exe and ran it and then gave it UAC elevation.

People running Linux wouldn't change that one bit.

Actually I think Linux would still do a little better there, just because it's so much harder to get botnet.exe included in any of the default repositories.

Downloading stuff from a random web page and then running it with elevated privileges is a much more common pattern in Windows culture than Linux culture because that's how software has been installed on Windows for the last twenty years; I would not expect the existence of the Metro app store to change this situation for at least another ten.

swayde

@flabdablet said:

Downloading stuff from a random web page and then running it with elevated privileges is a much more common pattern in Windows culture than Linux culture because that's how software has been installed on Windows for the last twenty years;

Oh fuck off... If the thing you want (say node or oh-my-zsh) is not in the distributions package manager you are usually told to pipe a fucking script into the terminal, elevated obviously.
You CAN do it differently, but then you are not following the instructions, and Shit May Not Work

RaceProUK

@swayde said:

If the thing you want (say node or oh-my-zsh) is not in the distributions package manager you are usually told to pipe a fucking script into the terminal, elevated obviously.

Name one big-name distro that doesn't have node or zsh in their repos

swayde

GitHub - ohmyzsh/ohmyzsh: 🙃 A delightful community-driven (with 2,300+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, git, macOS, hub, docker,...

🙃 A delightful community-driven (with 2,300+ contributors) framework for managing your zsh configuration. Includes 300+ optional plugins (rails, git, macOS, hub, docker, homebrew, node, php, pyth...

sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"´

Last time i wanted to use node on ubuntu i had to hand compile it, because the default package was 200 releases old (which is like 2 weeks with node - but compatability was 'broken' enough)

flabdablet

@swayde said:

If the thing you want (say node or oh-my-zsh) is not in the distributions package manager

then you're a fairly uncommon edge case.

I'm not saying that nobody ever downloads random shit and runs it elevated on their Linux box. I'm saying that most Linux users have almost all their requirements met by software that's packaged in their distro's repositories, which means that downloading random shit and running it elevated is not business as usual, which gives Linux distros an edge over Windows when it comes to resisting the blandishments of TrojanBotnetRegistryFixer2015.exe.

jmp

@flabdablet said:

...which gives Linux distros an edge over Windows when it comes to resisting the blandishments of TrojanBotnetRegistryFixer2015.exe.

Another advantage: Linux has no registry to fix or clean.

David_C

@jmp said:

Another advantage: Linux has no registry to fix or clean

True, but if the rat's nest of files under /etc gets mangled, cleanup can be just as painful.

swayde

@flabdablet said:

then you're a fairly uncommon edge case.

I agree, but the only sensible way to distribute (uncommon) shit on Linux seems to be as source/scripts. I'd really like it if we could get something like Windows signing - a proof that what ever i Got was signed by the right person/Company and wasn't damaged in transport...

flabdablet

@swayde said:

Last time i wanted to use node on ubuntu i had to hand compile it, because the default package was 200 releases old

Yeah, well, Ubuntu.

Canonical has done a lot of excellent work polishing Debian for the desktop and slickifying the installation process, and then a lot of questionable work making change-for-its-own-sake changes to the desktop, but the Ubuntu release model has never been as flexible or useful as that of the upstream Debian distro where most of its packages come from.

Ubuntu is still a pretty good distro for people who are not interested in doing stuff off to the side of its mainstream repositories (though arguably Mint has been the better choice ever since the GNOME devs took up smoking crack) but for people who need something more flexible, it's really, really hard to do better than Debian.

Ubuntu Server in particular is essentially pointless. I honestly can't see any technical reason why any sane admin would pick Ubuntu Server over Debian Testing.

Debian currently has 4.2.4 (1 minor version behind the current LTS release) in both the Testing and Unstable repos, and 5.4.1 (the current Stable release) is in Experimental. If I needed 5.4.1 on any of my Debian Testing boxes, I would expect apt-get --compile source nodejs/experimental to be as close to hand-compiling as I'd ever need to get.

In fact, let's test that out right now.

OK, first attempt failed due to missing build dependencies. The output of apt-get source told me exactly which packages were required, and I used apt-get install cdbs devscripts dh-buildinfo libicu-dev gyp libssl-dev libuv1-dev to install them.

Trying apt-get --compile source nodejs/experimental again... waiting for a wall-o-compilation to scroll by... seems good so far. I expect I'll end up with an installable package that will just slip right in, and end up getting automatically updated when something newer than 5.4.1 eventually filters through to the Testing binary repo.

If it breaks, I'll come back here and say so.

Update: it didn't break, and installing the resulting nodejs_5.4.1~dfsg-1_amd64.deb package with gdebi worked just fine.

flabdablet

@swayde said:

the only sensible way to distribute (uncommon) shit on Linux seems to be as source/scripts.

...which is at least in principle harder to hide trojans in than binaries of dubious provenance.

But again, these edge case arguments don't really have much bearing on the main point, which is that the culture of centralized software distribution, which Linux distros have had since well before the first commercial App Store, has made and continues to make a positive contribution to the trojan resistance of Linux distros compared to that of Windows.

dkf

@swayde said:

Oh fuck off... If the thing you want (say node or oh-my-zsh) is not in the distributions package manager you are usually told to pipe a fucking script into the terminal, elevated obviously.

There's a difference of culture, I guess. Operating system kernels might be secure or not, but what matters is often what's happening elsewhere. If a widely-used app is doing things stupidly, that's a real problem that's technically independent of the OS, yet still a significant insecurity point of the ecosystem.

For example, one of the biggest points in favour of all the unixes is that they don't usually make any downloaded files executable by default. That cuts the amount of mischief right there. Which isn't to say that this makes them automatically secure, but rather it just stops a whole bunch of dumb errors from happening, making launching complex attacks much harder. The OS kernels concerned have virtually nothing to do with this.

jmp

Most browsers in Windows add an alternate data stream to downloaded files indicating they came from the internet so Explorer can annoy you when you try to open them. Same kinda thing. Not sure it's ever stopped a user who really wants to look at the dancing bunnies.

flabdablet

@jmp said:

Most browsers in Windows add an alternate data stream to downloaded files indicating they came from the internet so Explorer can annoy you when you try to open them. Same kinda thing.

I was amused, but not surprised, to find out that this feature - a feature which goes so far as to require the use of admin credentials to bypass if you try to run a downloaded executable from a non-admin account - is indeed Explorer-only. You can still launch whatever you like from inside cmd and it will work just fine (without elevation, of course, but that's fine for stuff like PuTTY which is what I was trying to use at the time).

Also amusing is that when cmd and Task Manager are both locked down by Group Policy, you can quite often work around that simply by copying cmd.exe to your desktop, renaming it as foo.exe, and running that instead.

I think MS has been taking security theatre lessons from the TSA.

Onyx

@accalia said:

nah. it just lets you fix them instead of going "herp-derp i dunno what's going on."

This is the main reason I prefer Linux for common use. No matter what other people want to claim, I run into weird little quirks of "shit's just not working right" on every OS. On Windows, I click a checkbox and pray. On Linux, I can actually do something about it (most of the time) when the checkbox doesn't fix it.

@flabdablet said:

for people who need something more flexible, it's really, really hard to do better than Debian

The only reason I recommend Mint over Debian to people is exactly due to installation of extra stuff. Driver manager for proprietary drivers, bluetooth stuff set up by default... For Joe Regular, it's just easier, and they usually don't need bleeding edge packages from Debian testing or whatever.

@flabdablet said:

I honestly can't see any technical reason why any sane admin would pick Ubuntu Server over Debian Testing.

+1. We run stable because we don't need anything more fancy (and sometimes, shit does break on testing, primarily dependencies get messed up at times), but I can always just flip the switch and install a particular package from testing. Which is nice.

flabdablet

@Onyx said:

No matter what other people want to claim, I run into weird little quirks of "shit's just not working right" on every OS. On Windows, I click a checkbox and pray.

On Windows, I generally find myself spending fucking hours googling the particular registry key that needs tweaking because they didn't think to provide a GUI control for that. On Debian, 90% of weird shit gets resolved just by installing the most up-to-date package available, and 90% of the rest you can figure out by poking around in self-documenting example config files under /usr/share.

Windows is an astoundingly configurable OS, but it's kind of weird that the most reliable way to find out how to do that is via samizdat and informed guesswork.

Even so, there remain bizarre lacunae. I have still found no way, short of physically breaking off pin 12 of the VGA plug, to prevent post-Vista Windows losing its shit when faced with noisy DDC signals generated by long VGA projector cables. I really don't understand why there's no longer a global software switch to make Windows display management ignore VGA EDID entirely. XP had one.

Onyx

@flabdablet said:

On Windows, I generally find myself spending fucking hours googling the particular registry key that needs tweaking because they didn't think to provide a GUI control for that.

You actually find such information? You either have much more patience or better googling skills than me. All I usually get is "did you try rebooting?", "please install latest drivers from the vendor" / "your hardware must be faulty" and, finally. "I recommend reinstalling and praying".

flabdablet

@Onyx said:

much more patience

This. Than most people, as it turns out.

swayde

@flabdablet said:

which is at least in principle harder to hide trojans in than binaries of dubious provenance.

Yeah, if I actually checked the downloaded script. They're usually way too complex to 'just' skim for malicious things. All you need is a single line to download a trojan or wipe the disc.