A new Mindcraft moment?

Money (aha) quote :

> I propose you spend none of your free time on this. Zero. I propose you get paid to do this. And well.

Nobody expect you to serve your code on a silver platter for free. The Linux foundation and big companies using Linux (Google, Red Hat, Oracle, Samsung, etc.) should pay security specialists like you to upstream your patchs.

I personally think you and Nick Krause share opposite sides of the same coin. Programming ability and basic civility.

Perhaps there's a chicken and egg problem here, but when seeking out and funding people to get code upstream, it helps to select people and groups with a history of being able to get code upstream.

It's perfectly reasonable to prefer working out of tree, providing the ability to develop impressive and critical security advances unconstrained by upstream requirements. That's work someone might also wish to fund, if that meets their needs.

I don't see this message in my mailbox, so presumably it got swallowed.

You are aware that it's entirely possible that everyone is wrong here , right?

That the kernel maintainers need to focus more on security, that the article was biased, that you're irresponsible to decry the state of security, and do nothing to help, and that your patchsets wouldn't help that much and are the wrong direction for the kernel? That just because the kernel maintainers aren't 100% right it doesn't mean you are?

I guess that fact was too unpleasant to fit into Dijkstra's world view.

https://www.youtube.com/watch?v=VpuVDfSXs-g

(LCA 2015 - "Programming Considered Harmful")

FWIW, I think that this talk is very relevant to why writing secure software is so hard..

-Dave.

The following is all guess work; I'd be keen to know if others have evidence either one way or another on this: The people who learn how to hack into these systems through kernel vulnerabilities know that they skills they've learnt have a market. Thus they don't tend to hack in order to wreak havoc - indeed on the whole where data has been stolen in order to release and embarrass people, it _seems_ as though those hacks are through much simpler vectors. I.e. lesser skilled hackers find there is a whole load of low-hanging fruit which they can get at. They're not being paid ahead of time for the data, so they turn to extortion instead. They don't cover their tracks, and they can often be found and charged with criminal offences.

So if your security meets a certain basic level of proficiency and/or your company isn't doing anything that puts it near the top of "companies we'd like to embarrass" (I suspect the latter is much more effective at keeping systems "safe" than the former), then the hackers that get into your system are likely to be skilled, paid, and probably not going to do much damage - they're stealing data for a competitor / state. So that doesn't bother your bottom line - at least not in a way which your shareholders will be aware of. So why fund security?

On the other hand, some effective mitigation in kernel level would be very helpful to crush cybercriminal/skiddie's try. If one of your customer running a future trading platform exposes some open API to their clients, and if the server has some memory corruption bugs can be exploited remotely. Then you know there are known attack methods( such as offset2lib) can help the attacker make the weaponized exploit so much easier. Will you explain the failosophy "A bug is bug" to your customer and tell them it'd be ok? Btw, offset2lib is useless to PaX/Grsecurity's ASLR imp.

To the most commercial uses, more security mitigation within the software won't cost you more budget. You'll still have to do the regression test for each upgrade.

The state of 'software security industry' is a f-ng disaster. Failure of the highest order. There is massive amounts of money that is going into 'cyber security', but it's usually spent on government compliance and audit efforts. This means instead of actually putting effort into correcting issues and mitigating future problems, the majority of the effort goes into taking existing applications and making them conform to committee-driven guidelines with the minimal amount of effort and changes.

Some level of regulation and standardization is absolutely needed, but lay people are clueless and are completely unable to discern the difference between somebody who has valuable experience versus some company that has spent millions on slick marketing and 'native advertising' on large websites and computer magazines. The people with the money unfortunately only have their own judgment to rely on when buying into 'cyber security'.

> Those spilling our rare money/resources on ready-made useless tools should get the bad press they deserve.

There is no such thing as 'our rare money/resources'. You have your money, I have mine. Money being spent by some corporation like Redhat is their money. Money being spent by governments is the government's money. (you, literally, have far more control in how Walmart spends it's money then over what your government does with their's)

> This is especially worrying as cyber "defense" initiatives look more and more like the usual idustrial projects aimed at producing weapons or intelligence systems. Furthermore, bad useless weapons, because they are only working against our very vulnerable current systems; and bad intelligence systems as even basic school-level encryption scares them down to useless.

Having secure software with strong encryption mechanisms in the hands of the public runs counter to the interests of most major governments. Governments, like any other for-profit organization, are primarily interested in self-preservation. Money spent on drone initiatives or banking auditing/oversight regulation compliance is FAR more valuable to them then trying to help the public have a secure mechanism for making phone calls. Especially when those secure mechanisms interfere with data collection efforts.

Unfortunately you/I/us cannot depend on some magical benefactor with deep pockets to sweep in and make Linux better. It's just not going to happen.

Corporations like Redhat have been massively beneficial to spending resources to make Linux kernel more capable.. however they are driven by a the need to turn a profit, which means they need to cater directly to the the sort of requirements established by their customer base. Customers for EL tend to be much more focused on reducing costs associated with administration and software development then security at the low-level OS.

Enterprise Linux customers tend to rely on physical, human policy, and network security to protect their 'soft' interiors from being exposed to external threats.. assuming (rightly) that there is very little they can do to actually harden their systems. In fact when the choice comes between security vs convenience I am sure that most customers will happily defeat or strip out any security mechanisms introduced into Linux.

On top of that when most Enterprise software is extremely bad. So much so that 10 hours spent on improving a web front-end will yield more real-world security benefits then a 1000 hours spent on Linux kernel bugs for most businesses.

Even for 'normal' Linux users a security bug in their Firefox's NAPI flash plugin is far more devastating and poses a massively higher risk then a obscure Linux kernel buffer over flow problem. It's just not really important for attackers to get 'root' to get access to the important information... generally all of which is contained in a single user account.

Ultimately it's up to individuals like you and myself to put the effort and money into improving Linux security. For both ourselves and other people.

It even has a nice, seven line Basic-pseudo-code that describes the current situation and clearly shows that we are caught in an endless loop. It does not answer the big question, though: How to write better software.

The sad thing is, that this is from 2005 and all the things that were obviously stupid ideas 10 years ago have proliferated even more.

That is an interesting question, certainly that is what they actually believe regardless of what they publicly say about their commitment to security technologies. What is the actually demonstrated downside for Kernel developers and the organizations that pay them, as far as I can tell there is not sufficient consequence for the lack of Security to drive more funding, so we are left begging and cajoling unconvincingly.

Classic hosting companies that use Linux as an exposed front-end system are retreating from development while HPC, mobile and "generic enterprise", i.E. RHEL/SLES, are pushing the kernel in their directions.

This is really not that surprising: For hosting needs the kernel has been "finished" for quite some time now. Besides support for current hardware there is not much use for newer kernels. Linux 3.2, or even older, works just fine.

Hosting does not need scalability to hundreds or thousands of CPU cores (one uses commodity hardware), complex instrumentation like perf or tracing (systems are locked down as much as possible) or advanced power-management (if the system does not have constant high load, it is not making enough money). So why should hosting companies still make strong investments in kernel development? Even if they had something to contribute, the hurdles for contribution have become higher and higher.

For their security needs, hosting companies already use Grsecurity. I have no numbers, but some experience suggests that Grsecurity is basically a fixed requirement for shared hosting.

On the other hand, kernel security is almost irrelevant on nodes of a super computer or on a system running large business databases that are wrapped in layers of middle-ware. And mobile vendors simply do not care.

Less seriously, note that if even the Linux mafia does not know, it must be the venusians; they are notoriously stealth in their invasions.

I know the kernel.org admins have given talks about some of the new protections that have been put into place. There are no more shell logins, instead everything uses gitolite. The different services are on different hosts. There are more kernel.org staff now. People are using two factor identification. Some other stuff. Do a search for Konstantin Ryabitsev.

With "something" you mean those who produce those closed source drivers, right?

If the "consumer product companies" just stuck to using parts with mainlined open source drivers, then updating their products would be much easier.