
The kernel of the argument over Linux’s vulnerabilities - zmanian
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
======
dd9990
"Versions of Linux have proved vulnerable to some of the most serious bugs in
recent years, including Heartbleed and Shellshock. AshleyMadison.com, the site
that facilitates extramarital affairs and suffered an embarrassing data breach
in July, was reportedly running Linux on its servers, as do many companies."

This from a reporter who's "specializing in privacy, security and
surveillance." How sad.

------
segphault
There are only two kinds of people who regularly complain about the state of
Linux security: OpenBSD advocates and security vendors who want to sell you
something. Seems like an awful lot of the latter are quoted in this WaPo
piece.

~~~
makomk
There's a third kind of person: people who work on products that rely on Linux
being secure. Kees Cook is one of them, being a Google employee who works on
ChromeOS security.

------
smegel
> “There is no way in hell the problem there is the kernel,” Torvalds said.
> “If you run a nuclear power plant that can kill millions of people, you
> don’t connect it to the Internet.”

He is so right.

~~~
makomk
This is very emphatically _not an answer_. Iran learned this the hard way -
their centrifuges were isolated from the internet, but someone managed to get
access to the memory sticks used to transfer data in and out and inject an
exploit that compromised the critical machines the moment it was inserted. At
some point you inevitably need to get data in and out, and that means you need
a secure device. (For that matter, how are you loading software onto those
devices in the first place? At some point, the software development and
provisioning process will have contact with the internet.)

~~~
chimeracoder
> Iran learned this the hard way - their centrifuges were isolated from the
> internet, but someone managed to get access to the memory sticks used to
> transfer data in and out

It's not a sufficient answer in itself, but it's a good response.

It's a lot harder to compromise a physical system than to compromise a
network.

Furthermore, it's a lot harder to compromise a physical system _and go
undetected_ than to compromise a network.

Both are possible, but given an offline system with good physical security and
an online system with good physical security, you're still better off with the
offline version.

------
Obscurification
File under FUD.

This will become a 'talking point' along the lines of 'fast, flexible and
free, pick only two or heartbleed'.

Which will be said over an expensive lunch with some salesmen from a non-free
operating system company.

And then the WashPo reading boss can say 'yes yes I was just reading about
this'.

... Profit.

------
danso
God, I totally understand what tech reporters have to do to reach a layperson
audience, but I can't remember the last time an in-depth story has made me feel
so ashamed about journalism as a profession.

What really got me was this completely shit literary cliche:

> _The Cassandra myth reached its tragic climax when she warned the Trojans
> that a giant wooden horse on their shores — supposedly a gift of surrender
> after a long siege — actually was filled with Greek warriors who soon would
> emerge to destroy Troy. The Trojans laughed and ridiculed Cassandra. They
> realized their error when it was too late._

Not only is it one of the biggest cliches in any context, but it is especially
so in computer security... it's harder to think of a context in which Trojan
horse is so well-known and worn other than condoms.

But worst of all, it doesn't even make any sense... who/what is the "Trojan
Horse" in this scenario? Who the fuck are the Trojans for that matter?

------
serge2k
> If you don’t treat security like a religious fanatic, you are going to be
> hurt like you can’t imagine. And Linus never took seriously the religious
> fanaticism around security,

Well that's an argument that I want to take seriously.

------
dudereally
Rather sparse on direct, attributable quotes from "security experts".

------
roninb
I'll probably get downvoted to hell, but the only reason I could think of for
someone to write something so ridiculously terrible is if they were paid by
Microsoft or Apple to fear monger and try to prevent people from using Linux.

------
tomc1985
Man this takes me back to the big bad Microsoft days. Classic FUD

