More Linux Attacks of Varying Types
Last week The Washington Post published an article online stating that Linus Torvalds doesn't take Linux security as seriously as he should, causing a bit of a firestorm. Sam Varghese has the best take-down. In other news, a new trojan targets Linux systems and administrators to demand a ransom payment, and a new "World without Linux" video was posted.
A Washington Post article last week said that the Linux kernel, which so many systems are based on, is inherently lax in security and that Linus Torvalds isn't too concerned about it. The writer isn't a fan of Torvalds and his tone sounded as though he came into the article with an ax to grind. Craig Timberg didn't agree with any of Torvalds' philosophy and excoriated everything he said. Linus said no system can be 100% secure and there's no sense in breaking everything for something an admin should configure against. But that wasn't the right answer for Timberg.
Steven J. Vaughan-Nichols noted in his post today that "there's nothing new about the conflicts between Torvalds and some security pros. Not surprisingly, people who make their living from security are ticked off at Torvalds." Security pros are most of the sources for the Post article. Vaughan-Nichols agreed with Torvalds that, "The real security problem has always been people. More systems have been broken into by bad security practices, than by clever hackers breaking into security holes." He even said that OpenSSL Heartbleed was caused by "Magical Thinking."
Sam Varghese today commented on the subject by stating, "In The Washington Post article itself, there were many bloopers." He said Timberg didn't check the background of those he sourced to see if they had any ulterior motives or grudges. One such source was Matthew Garrett, who recently quit contributing to the mainline kernel in support of Sarah Sharp who had accused the Linux project, particularly the leader, of sexism and other -isms. Varghese said of Garrett:
Garrett has no great security credentials and has had a number of spats with Torvalds, the most recent being when he tried to get some code, that would allow Microsoft's secure boot technology to work smoothly with Linux distributions, into the kernel. Garrett did not clue Timberg in about his issues with Torvalds; he appears to have been happy to get the publicity and, in fact, in publicising the article on his own blog did not even mention that he had been quoted therein. Intellectual dishonesty is a mild description.
Varghese continued by saying that those vulnerabilities used as examples by Timberg weren't even kernel issues per se. They were userland programs. He also notes that although the article on Linux was a part of a five-part series, Timberg didn't bother to write about "the cascade of security issues that the billion-plus computers running Windows pose." By failing to include that, Timberg negates any appearance of credibility. Varghese destroyed Timberg's overblown fear-mongering attack almost point-by-point.
Several sites today carried the news of "Linux.Encoder.1," a new trojan designed to break into Linux systems, encrypt data files, and then sell the encryption key back to sysadmins. Again, most headlines say "Linux ransomware" or similar, but Ars Technica reports that the exploit is for "a vulnerability in the Magento CMS" and a security patch has been available for over a week.
In other news:
* World Without Linux: Can I Follow You?