I can only confidently guarantee that the prostitute you end up making tender love to (lol) will shower longer than she usually does after your 5 shameful minutes of disappointing her
Drama background from the OP of the original Reddit thread:
This is beyond childish from both sides.
It started when Kees Cook (who recently became a target of one of Linus' rants that was posted here a lot) gave a talk at the Linux Security Summit and pointed out the superiority of their work over something like Grsecurity and how it's much better audited. He tried to emphasize his point by 'disclosing' what he thought was a 0-day in grsec code, apparently without talking to them first.
Brad and his ego, who unsurprisingly respond in the same childish way, now drop a more severe 0-day on fucking Twitter to prove him wrong.
You know, this time I thought Linus' rant was the other way around: I tend to disagree with his technical stance, but he was right with the personal attacks. A lot of these people are immature up to a level where they carry out their fights on the back of users.
29 comments
1 dongas420 2017-11-24
Drama background from the OP of the original Reddit thread:
1 shallowm 2017-11-24
Thread on /r/linux, if anyone's interested.
1 subpoutine 2017-11-24
Have a link to the Linus spergdump everyone’s talking about?
1 shallowm 2017-11-24
I assume it's this, where Linus criticizes Kees Cook.
1 subpoutine 2017-11-24
Looks like it, thanks.
1 wtfuxlolwut 2017-11-24
It wasn't anything you wouldn't expect from Linus, just Linus being Linus: http://www.zdnet.com/article/linus-torvalds-i-dont-trust-security-people-to-do-sane-things/
1 subpoutine 2017-11-24
Good find, thanks.
1 LemonScore 2017-11-24
Thanks.
1 wtfuxlolwut 2017-11-24
Grsec went full autism when they started trying to make people pay for their kernel hardening a number of years back; they have continued to carry on like petulant children. Though I find it funny they are so autistic they are throwing away significant $$ dropping 0days in public. I'd sell them on the grey market, make cash and fuck your competition.
1 backltrack 2017-11-24
I guess he was right, security people are fucking retarded. They don't make any sense.
1 wtfuxlolwut 2017-11-24
They are all just coming at the problem from a point of self-interest. Kees is 100% right from a large-scale, security-focused deployment perspective: if something is broken you want it to default to dead; you don't want it to continue working and perhaps allow a privilege escalation or some other unintended consequences. From Linus' POV, and that of most nerds that run a system at home or whatever, they want the uptime and logs so they can fix the issue; they aren't so worried about someone "APT" or nasty governments wrecking their shit. Linus has always been fairly loose in regards to security.
1 09f911029d7 2017-11-24
Nah I'm with Linus on this, you don't break things in a minor release to push a new security model.
That's fine to maintain in a patchset and use internally in a "move fast and break things" company like Facebook or Google, where you have redundancy out the ass and engineers on hand the second shit hits the fan, but you do not force that on everyone else without making sure it's actually ready.
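Added example, not code from this thread, the kernel or grsecurity: a toy model of the "warn vs. kill" argument in the two comments above. A hardening check catches a copy-to-user request that runs past the whitelisted part of an object; under an enforcing policy the copy is refused (fail closed), under a warn-only policy it is logged and allowed through (fail open, uptime and logs preserved). The struct, the policy enum and every function name are hypothetical stand-ins, and the sample session data is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical slab-style object: only `name` is whitelisted for export to
 * user space; `secret` must never leave the kernel. */
struct session {
    char name[16];
    char secret[16];
};

/* POLICY_WARN: log the violation and let the copy proceed (fail open).
 * POLICY_ENFORCE: refuse the copy (fail closed). */
enum usercopy_policy { POLICY_WARN, POLICY_ENFORCE };

static unsigned long usercopy_warnings; /* stands in for a WARN_ON counter */

/* Is the requested range [off, off+len) inside the whitelisted window? */
static int range_whitelisted(size_t off, size_t len, size_t white_off, size_t white_len)
{
    if (off < white_off)
        return 0;
    size_t rel = off - white_off;
    return rel <= white_len && len <= white_len - rel;
}

/* Stand-in for a hardened copy_to_user: copies `len` bytes of *s starting at
 * byte offset `off` into `dst`. Returns 0, or -EFAULT when the copy is refused. */
int export_session(const struct session *s, size_t off, size_t len,
                   char *dst, enum usercopy_policy pol)
{
    /* Hard object bounds hold in both modes: a copy past the object is
     * memory corruption, not a policy question. */
    if (off > sizeof *s || len > sizeof *s - off)
        return -EFAULT;

    if (!range_whitelisted(off, len, offsetof(struct session, name), sizeof s->name)) {
        if (pol == POLICY_ENFORCE)
            return -EFAULT;                 /* fail closed: nothing is copied */
        usercopy_warnings++;                /* fail open: note it, keep going */
        fprintf(stderr, "usercopy: [%zu,%zu) leaves whitelist, continuing\n",
                off, off + len);
    }
    memcpy(dst, (const char *)s + off, len);
    return 0;
}

/* Byte-string search (memmem is not portable C). */
int contains(const char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Asks for the whole object starting at `name`: 32 bytes requested, 16
 * whitelisted. Returns 1 if the secret reached `dst`, 0 if the copy was
 * refused or the secret stayed put. */
int overlong_copy_leaks_secret(enum usercopy_policy pol)
{
    struct session s;
    char out[sizeof s];
    memset(&s, 0, sizeof s);
    memset(out, 0, sizeof out);
    strcpy(s.name, "alice");        /* constructed sample data */
    strcpy(s.secret, "hunter2");
    if (export_session(&s, offsetof(struct session, name), sizeof s, out, pol) != 0)
        return 0;
    return contains(out, sizeof out, "hunter2");
}

/* The legitimate case: exporting just `name` works under either policy and
 * never carries the secret. Returns 1 on that outcome. */
int inbounds_copy_ok(enum usercopy_policy pol)
{
    struct session s;
    char out[sizeof s];
    memset(&s, 0, sizeof s);
    memset(out, 0, sizeof out);
    strcpy(s.name, "alice");
    strcpy(s.secret, "hunter2");
    if (export_session(&s, offsetof(struct session, name), sizeof s.name, out, pol) != 0)
        return 0;
    return contains(out, sizeof out, "alice") && !contains(out, sizeof out, "hunter2");
}

int main(void)
{
    printf("enforce: overlong copy leaks secret = %d\n", overlong_copy_leaks_secret(POLICY_ENFORCE));
    int leaked = overlong_copy_leaks_secret(POLICY_WARN);
    printf("warn:    overlong copy leaks secret = %d (warnings logged: %lu)\n", leaked, usercopy_warnings);
    printf("in-bounds copy ok under enforce = %d\n", inbounds_copy_ok(POLICY_ENFORCE));
    return 0;
}
```

Build with any C99 compiler and run it: warn mode prints one line to stderr and hands the secret to the caller, which is the "unintended consequences" side of the trade, while enforce mode returns -EFAULT and the caller sees a broken syscall instead of a log line. The in-bounds copy succeeds under both, which is the part that has to be true before enforce mode can ship as a default.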
1 midairfistfight 2017-11-24
Spender is the prime example of how "security" guys are in it for ego and showing off how right they are more than actually fucking securing anything.
1 Gothmog26 2017-11-24
The userbase of Linux is the worst feature of Linux.
1 Chicup 2017-11-24
It's not a bug?
1 SpectroSpecter 2017-11-24
So hey, I have a question. Why would anyone trust some nerd to write the very core of their OS and not fuck it up somehow? People don't spend hundreds of dollars on proprietary shit because they hate money. They do it because nerds are horrible at everything, including nerd shit.
1 backltrack 2017-11-24
Usually proprietary software is worse off and it gets patched a lot slower, unless it's something like Microsoft or Apple tbh. But it just seems that the Linux kernel team really like their autism, with the exception of Linus.
1 glmox 2017-11-24
no way, for real?
1 siempreloco31 2017-11-24
whoa friend
1 crefakis 2017-11-24
who do you think writes the core of Windows or OSX?
It's still some nerd. It's nerds all the way down.
1 SpectroSpecter 2017-11-24
No, in that case it's someone who's been vetted and supervised working with a bunch of other people. They throw a bitch fit, they lose their job. You're not a nerd until you've jeopardized your way of life in order to share a bad opinion with people who don't care. That part is every bit as important as the computer aspect.
1 wtfuxlolwut 2017-11-24
You get that 99% of the peeps working on the kernel do it as a job, yeah? Like, I get it, you are trolling, but having a basic idea of how something works helps with your troll; otherwise you just come across as retarded.
1 RubyPinch 2017-11-24
Serious answer: while proprietary software has a lot more work put into it, and moves a lot faster in terms of default security (e.g. Android/iOS having fully sandboxed applications, Windows getting sandboxing in the next few releases, ACLs by default beat any Linux shit, etc.), you get a lot less control over your attack surface.
On a fairly recent Windows install, like, 2 weeks ago, I currently have 83 active listening ports, all relating to Microsoft-provided processes. Reducing that number is hard since several of them are parts of services considered required for a running system; if I ask Windows to kill one of them off, there is a good chance of Windows going and committing sudoku in the process.
I'm not going to go install Windows Server 2016 to see port counts on that, but it has a lot of stuff needlessly enabled by default too, iirc.
Linux, on the other hand, while any given thing would probably have more holes in it than the Windows equivalent, the fact is you can just have far less things instead, so you end up with fewer holes: you don't want a web browser? Uninstall that shit (which you can no longer do with Edge). Don't want system-wide search? Uninstall that shit (can't do with Windows). Don't want to see anything? Uninstall that shit (can't do with Windows again). Don't want fuckin' anything? Go with a rump kernel, run your code in place of your OS; only your code has a potential attack surface now, nothing else.
The flexibility is what beats proprietary software for most people.
1 wtfuxlolwut 2017-11-24
SELinux has been sandboxing and doing ACLs in Linux for a very long time; it's pmuch what Android uses to sandbox, and it's also NSA-approved. ASLR was default long before any of the paid OSes. The rest of your comments I agree with.
1 RubyPinch 2017-11-24
I should clarify that I was talking more about the action of sandboxing, as opposed to the possibility of sandboxing.
With the phone dealios, sandboxing is implicit; in BSD, you get the whole jail stuff; in Windows, lol atm.
On the exposed-to-humans-as-Linux Linux installs, aka Ubuntu thanks to the AWS defaults, you get mostly non-enforcing AppArmor or Debian's maintained SELinux, and sysadmins would still use the 3-scope chmoddery for access control (I don't got any stats tho).
So, like, Ubu Linux for the most part is lacking that first-party push-button-get-sandbox; I know Cent/Tiphat have better security tho.
1 wtfuxlolwut 2017-11-24
Yeah, I agree most vanilla installs are woeful from a security standpoint, but that goes to the second part of your first comment: it's very much possible and, imo, from a security standpoint, auditable, which is important. I very much lean towards Qubes (for personal use) these days for sandboxing done correctly; it's memory-intensive and hardware support is p woeful, but for push-button security it's the best out of the box.
1 NSFW_Jeanne 2017-11-24
Don't people still buy Norton and McAfee antivirus software?
1 IvankaTrumpIsMyWaifu 2017-11-24
The problem is that Linux was written by white males. We need to get some trannies and PoC in there to make sure the operating system is useless properly hardened
1 backltrack 2017-11-24
That's a pretty simple vulnerability. Damn, should not have dick-waved in the first place if it was that easy to get yourself fucked.