Wasn't that the primadonna maintainer project
Hmm... Wasn't that the prima donna maintainer who could not stand Linus's blowouts? That figures.
The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov. That's just the tip of the iceberg. In an email to The Register, …
> Hmm... Wasn't that the prima donna maintainer who could not stand Linus's blowouts? That figures.
Given Linus's track record, the maintainer was probably punished for pointing out and trying to fix security holes. Linus is famous for his disrespect of security researchers, considering them no better than "masturbating monkeys" - his words not mine.
He also thinks that people who displease him should have the brake lines on their cars cut. He's pretty sick like that.
Linus's apathetic attitude to security concerns is a tax that every computer user gets to pay - every time another Linux-enabled piece of IoT crapware DDoSes the 'net to oblivion.
"It will be interesting to see how long it takes for this to be cleaned up"
USB has long been one of those things where switching it off in its entirety is good if you can do it.
There are many, many sub-drivers for different esoteric bits of little used USB kit in the kernel tree, that any USB device could bait into life then perhaps blindside. I like to prune the kernel build around here.
However, I don't think any of the other major OSes want to throw stones round here either. Does MS sandbox its squillion USB device drivers? Doesn't Apple's connector allow the device to DMA arbitrary RAM?
Interesting. Mass quantities of downvotes... and he's perfectly right. Linus does have an odd attitude towards security. He did call security researchers 'masturbating monkeys'. https://www.cio.com/article/2434264/open-source-tools/torvalds-calls-openbsd-group--masturbating-monkeys-.html
And he did advocate cutting the brake lines of those who annoy him. https://www.theregister.co.uk/2013/09/11/torvalds_suggests_poison_and_sabotage_for_arm_soc_designers/
Ah, well, let's see how many downvotes this gets...
"He did call security researchers 'masturbating monkeys'."
And then you add a link in which he doesn't call security researchers 'masturbating monkeys'.
Actually, the link itself shows who he is calling that but, of course, reading that much is too much effort.
You do know that "Linus is famous for his disrespect of security researchers (all of them?)", if it was true, which it's not, does not mean "Linus's apathetic attitude to security concerns". That you did invent yourself, and is a dumb thing to write.
As far as I can remember he has suggested the real experts, the "mean hackers", should become good citizens, from black to white, sort of, as they are the real experts as they tend to be a step ahead.
Linus has stated in public that he does not consider security vulnerabilities any different from other bugs. That's a pretty apathetic attitude to security concerns in my book...
And he has basically told real experts trying to improve the security of the Linux kernel to go fuck themselves (probably not literally - I'd expect him to use much more creative insults than that). See refusal to interact with the Grsecurity guys in any meaningful way, for example, and the half-assed Kernel Self Protection Project that followed public pressure to improve the situation (which, by the way, is most certainly not composed of 'real [security] experts').
Plus, black hat kernel security wizards are paid handsomely for their efforts at doing black hat kernel security stuff nowadays. You can't just ask them nicely to start doing work for free instead and expect anything but a chorus of laughs.
"Linus has stated in public that he does not consider security vulnerabilities any different from other bugs. That's a pretty apathetic attitude..."
Your statement is insecure due to it having a vulnerable logical assumption in it.
Feature request: Post icon of Baldrick holding an iron.
"Linus has stated in public that he does not consider security vulnerabilities any different from other bugs. That's a pretty apathetic attitude to security concerns in my book..."
Only if you assume that all bugs are treated apathetically.
Maybe he was just saying that, by definition, a security vuln is a bug, i.e. something is not behaving as expected, and since bugs are usually treated with varying degrees of urgency, it kinda makes your claim look a bit silly.
Dear Brits, next time, before you write "cut off your nose to spite your face", please do it, try it out first. There are dumb sentences in every language, one has to assume, but this takes the top one I can think of in English. Perhaps you could provide better to prove I don't know the language that well, which of course is a fact.
Somehow I have this feeling it has suddenly again appeared due to the Brexit rhetoric. The worst sentence, in any language, I can think of is "self hating Jew" and how it is used. And no I am not. Any better contenders and yes "The Mood" is like this.
The secure boot "golden key" was found a year ago as reported by this very esteemed organ.
"The secure boot "golden key" was found a year ago as reported by this very esteemed organ."
You might want to read what you linked to "These skeleton keys can be used to install non-Redmond operating systems on locked-down computers.". They don't compromise an installed / encrypted OS...
> Unless of course it runs say Secure Boot with Bitlocker.
Well, except if the PC boots, BitLocker is already automatically decrypting stuff, so the PC is still susceptible to plug-in device attacks. I've just "updated" a W10 box from a vendor's encryption system to BitLocker and was horrified to see that it just boots before taking me through the security checks before being able to access the disk.
Let's face it, Windows doesn't have a great track record when it comes to security.
"so the PC is still susceptible to plug-in device attacks."
Of which there are none unpatched that I am aware of. And of which those that I am previously aware of all required a valid local login first...
"Let's face it, Windows doesn't have a great track record when it comes to security."
Neither does Linux...
"I seem to recall that the Scott expedition (I think) did not fancy the real article so very much. Oily and fishy."
They might have stayed alive if they had had some oily to burn and some fishy to eat. I am not, however, sure there were any penguins in that hopeless effort. The sorry British effort to downplay Roald Amundsen was to point out that they shared a few dogs, between them and the dogs, as they had planned. (It's still around.)
Poor Scott and his men had neither penguins nor dogs, just morphine for those dreadful last hours, and his dog rescue team did not reach them in time.
See what you did here Palpy, penguins means Linux not polar expeditions (or dogs).
PS. If you find a USB stick on the grass, preferably under some leaf, and you cannot, as we all know, stop yourself from finding out if perhaps it contains something of great importance to somebody, but certainly not meant for you.
Then do like I always do: there back in that corner lies an old laptop with Linux but no internet, and apart from that there lies a stick with a Linux ISO on it. Into such a laptop you stick that USB you just found, and then you get disappointed and format the damned thing, or then you just dump it for the next person to find out, according to the mood you are in. And then you boot that old laptop with the Linux ISO USB in it and it's all fine again, whatever was on that USB, I think.
That would be 'beware of the High Sierra' now, which doesn't work so well.
Oh? Just installed it after it had its first update (10.13.1) and apart from an unwillingness to auto-mount external drives if they are encrypted (hand-mount through Disk Util or command line) it appears to work reasonably well.
That said, WTF did they do in APFS that makes filesystem checks take THAT long?!? I checked a 500GB SSD in repair mode to see what it would do, and that clocked in at 10 full minutes (twice, because I thought I'd made a mistake and fired it up again before I got myself a coffee and watched it). Ugh.