Lesson of Free Software for James Walker... What?!

Story: Report: Linux security must be upgraded to protect future techTotal Replies: 8
Author Content
mountaineerbr

Oct 09, 2016
6:12 PM EDT
All information on the article is corrupted, incorrect, erred. I am still so sorry to see tech guys not being able to use GNU/Linux, not knowing what Linux is, not having taken a video/text lecture of Richard Stallman, Linus Torwalds, read the GNU General Public License (I reccomend reading it from the first version)... What you try and say in your article is that the "Linux" operating system should be able to run on its own, interpreting whatever its AI reckons is best so whenever a decision has to be made. That would include installing whatever functionality "Linux" thinks is necessity for the user.. I really don't understand what you expect machines to do. Security and Privacy relie totally in user's control of grants and denials of permissions, but clearly you do not follow that, consequently, the User must be held responsible for its own Freedom only in which cases he has got the chance to Decide after a transparent output of clear information...

Cheers!
penguinist

Oct 09, 2016
6:30 PM EDT
@mountaineerbr: I have to agree with many of your points. Linux is about empowering users to take control of their systems. What we do with that control is a matter of individual choice and individual responsibility.

Some users are not ready to exert control and take responsibility for their systems. Such users are happy placing blind trust in the likes of Microsoft or Apple to make their decisions for them. I personally like making my own choices, and I dislike software which assumes that it should try to "outthink" the user.

mountaineerbr

Oct 09, 2016
7:23 PM EDT
@penguinist Totally agree with you... I was thinking perhaps that group of researchers & Linux Security Experts cited in the article of JW's , such as Ryabitsev , are indeed those same *security people* Mr Torvalds hates... What to say about that other Ralph Nanda? Perhaps she is innocent but the *security people* shouldn't have used her words to compare cars & GNU/Linux security... Leftists always want to change good stuff for the sake of mutation. In anycase, it is well-known that Mr Stallman has got a yet-undeployed kernel project which was very tricky to implement some decades ago...
dotmatrix

Oct 09, 2016
7:25 PM EDT
There is much that is wrong with the article posted, the ARS article referenced in that article, and probably the presentation on which both were based.

First... Linux, the kernel, is the backbone of Android. However, Android is 'fragmented' because of the way the devices are produced and/or pre-loaded with certain 'apps' and/or the wireless carrier the end user is utilizing. The Linux kernel has nothing whatsoever to do with the fragmentation of Android.

Verdict: Not a Linux problem.

Second... The IoT devices have many security issues. Much of the problem, again, has to do with the manufacturer's designs and architectures rather than the Linux kernel. The failure of many IoT devices to include TLS and lock down ports and so forth... is a problem because the designers -- who should be professionals and experts -- are not doing due diligence to the security concerns, even obvious ones.

Verdict: Not wholly a Linux problem. Probably something like 80/20 manufacturer/Linux problem.

Third... Bugs, updates, patches and so forth. Some of this problem is, again, a direct result of a given manufacturer attempting to actively prevent end-users from manually performing those updates... along with poor update policies of the manufacturer. Many of these things are pushed out on the shelves in a 'locked' manner, sold, and then never reviewed again by the designers or manufacturers.

Verdict: Not a Linux problem.

Fourth... The comparison with car safety is silly and way off. If someone wishes to make a car analogy, it would be something like this:

"Atmel needs to add another I/O port for its microcontroller that we use to control the transmission. We have no idea how to redesign or rewire our wiring harness to accommodate the newest engine temperature sensor that we would like to use. So, if our car overheats, it's all Atmel's fault."
CFWhitman

Oct 10, 2016
5:05 PM EDT
The car analogy to me comes across as the equivalent of saying, 'This car is unsafe; it must be the fault of the engine design.' You could easily argue that they're saying the equivalent of, 'A car's engine should be designed to cut off fuel flow at 40 mph (or 65 kph) because the engine can't tell if there are crumple zones in the body or airbags in the interior.' Their argument is predicated on the idea that security of a system is almost entirely the responsibility of the kernel, which they haven't made any attempt to prove.

Incidentally, the man's name is 'Nader' not 'Nada'.
mbaehrlxer

Oct 16, 2016
10:28 AM EDT
i seem to understand the article in a different way.

first of all, on the argument of android fragmentation. of course it's not linux fault, however, fragmentation is part of what prevents easy upgrades for the linux kernel. if all mobile devices would be able to run the same same kernel, then providing an upgrade for it would be a lot easier.

the argument that the article seems to make is, that, since traditional upgrading is not easy to do, maybe another approach is needed to help make devices more secure.

then you argue that the users should be responsible for the security on their devices. but how can they be, if the devices are locked down in such a way to make changing the software on it a non-trivial, if not impossible, matter?

as a user, i reject the idea of being responsible for the security of a device whose software i can not control.

again, this is not linux fault, but, as i understand the argument, the issue could be mitigated if we were to use a different approach to security, one that does not rely on traditional patches and upgrades.

the questions of course remain:

is it a good idea to do that?

and how would that even work? (this is an interesting question, posed by mountaineerbr, that seems to get lost in the noise of criticizing the article)

in summary, sure, it's not a linux problem, but, maybe, linux could provide a solution?

greetings, eMBee.
mountaineerbr

Oct 24, 2017
10:06 AM EDT
@mbaehrlxer I do not think I lost anything during the trail of thought... There were general criticisms and very specific ones. It is to believe the general criticism was well accepted by anterior responses of membres of the forum.. The veru specific points I made are targeted to the wirter of the article. Why didn't I post in the very page that JW's worte his poor statements? Because there was no way I could it there and hopefully JW might get illuminated somehow by reading this thread...
hkwint

Oct 24, 2017
5:19 PM EDT
If you're the engine-engineer (wow, that really sounds lame in English!!!), you can point at the airbags and crumple zones not being safe, or you can just stop whining and pointing at other people, and do the job you're supposed to do, and make the engine more safe, isn't it? Otherwise you better apply for a job at Takata or Pininfarina instead of Eaton-Cummins, right?

The whole idea is to start admitting the Linux kernel (built on 1970's pre Internet-of-Evesdropping technology) is flawed, not putting ostrich head in the sand, and seeing there are ways of fixing it [1]. Android and most non-upgradeable devices are FUBAR anyway, but at least a better Linux kernel would help things like Ubuntu, OpenWRT, LineageOS et all, right?

[1] https://lwn.net/Articles/662219/
skelband

Oct 24, 2017
5:57 PM EDT
@hkwint

I understand your point, but airbags and crumple zones are not zero risk safety devices and they never can be. They provide a compromise between practicality and safety. The Linux kernel (or any kernel for that matter) is also built on similar compromises.

There are things that can be done to improve the Linux kernel like moving away from C as a system programming language which really has long had its day and move to something more like Rust where security and correctness are more "builtin" to the language itself.

But anything that deals with hardware using anything like the current hardware architecture with users sharing the same resources is necessarily complex and fraught with fundamental problems such as fairness and isolation. Microkernels also might provide a better isolation by making critical system level, privileged code a smaller attack surface.

Also, talking about "Linux" belies the fact that the majority of weaknesses in the computing environment are in the periphery of user land, not the kernel itself.

Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]

Becoming a member of LXer is easy and free. Join Us!