To be honest I'm not all that concerned. I mostly live in Linux. Linux is vunerable of course, but it is far less likely to be running malicious code than your average home Windows box. About 99% of my Linux software is open source and compiled from source. Therefore if it has malware in it it would be spotted and removed.
There is still a risk, but it's much less than your average Windows box which are metaphorically like a Saigon hooker. So much nasty stuff in it you can see them crawling down the desktop's legs! (sorry you got that image).
I do have a Windows laptop and a gaming machine which will now be put on quarantine, so no online banking, no sensitive stuff etc.Your hubris might be expensive. You browse the web, I presume? Javascript is seen as a major possible vector and will run just as happily on your box as it does on Windows. You can compile from source until the cows come home and still have your passwords taken from under your nose. Security through obscurity never works.
Fanboy stances on this OS or that also don't help. The problem almost always is the user and rarely ever the OS. If it really were the OS, Windows wouldn't be so dominant in the very security concious enterprise market.
I'll update my browsers, but on that front I'm angry. I have warned people for years to keep the damn script kiddies at bay. Now we even have Javascript on servers (NodeJS) FFS and Javascript with memory access. WTF? Idiots. One of the worst, most annoying languages ever written. It should have remained a junk interrupted, sandboxed, mickey mouse script tool for making text flash and modifying HTML. </rant>
Compiling from source. It's not obscurity, that's not the point of compiling from source. In fact it's the polar opposite.
Windows is popular in the security conscious enterprise market because of the centralized management AD et al, because of "single vendor", because of support, because of... on and on and on. None of them are to do with it being secure. Secure enterprises can afford the teams of people required to keep a windows network lock down enough to keep it secure. I'm sitting in one right now.
The truth is all OSs are unsafe and very leaky. Windows, macOS or Linux, it's all the same. The main difference is that Windows is much more popular, and is therefore targeted more. Any modern OS is such a huge pile of code that it's inevitable to be full of errors and vulnerabilities. No OS escapes this.
Server-side Javascript is no more or less dangerous than any other compiled language. The 'good parts' of Javascript, in its latest versions, are quite a pleasant programming language.
You can't just bundle all operating systems together. They are all susceptible to bugs and exploits yes, but there are fundamental differences.
The one that is relevant is the ability to install software. In Windows software is "live" out of the box. On most domestic systems it can install itself and run itself, anything with a .exe is fair game and fully trusted software. The stupid notifications you get are just ignored by 90% of people who invariably click "OK". You just can't do that on Linux, for one you have to be root, second you have to actually mark it executable, thirdly, outside of a distribution Linux is not binary compatible, so one size doesn't fit all. This is why Linux viruses are incredibly rare and don't propagate anywhere near as easily. There are dozens of other examples between the two OSes to compare security, but it's safe to say that it is a lot easier to sneak mal-code onto a windows machine than a Linux one. More recent versions of Windows are improving, but the basic architecture remains insecure as a multi-user system, it can be tamed, but it takes a LOT of effort to lock it down. But lets not delve into that rabbit hole of this OS verus that (though granted I started it).
To exploit these hardware vulnerabilities you need to execute malicious code. That was my point. This is harder to do on Linux, historically and architecturally.
We really need to focus on solving this problem the best we can without getting sidetracked by irrelevant squabbles.
We really need to focus on solving this problem the best we can without getting sidetracked by irrelevant squabbles.
True but I really don't think the desktop is the issue we have right now. Why hack one person when you can hack a million people?
True but I really don't think the desktop is the issue we have right now. Why hack one person when you can hack a million people?
What is the exposure really? If I go home and watch youtube all night, my yt password might be exposed? Assuming MS and Google don't just automatically load up all my passwords in memory. They probably do...
One good thing is it's read only. So they can't hack bits of memory to hijack things directly.
And ofcourse only Windows7 & 8 get slower
On Unixes, passwords never exist in kernel memory. The kernel is only aware of UID and GID which it keeps in the kernel data structure. It has no idea what a password even is.
Only passwd and login handle passwords and they are user mode programs. passwd is setuid and login is only executable by root.
At best if there are stale pipes in memory then those could be revealed but that’s it. Even ssh is a user mode process and the kernel will only handle encrypted streams.
If they unmap the kernel and only the process and any libraries it talks to are loaded into the address space then this is total isolation. The process can’t see the kernel nor read any other processes. All it does is put some shit in some registers, pray to the kernel and it falls entirely out of existence when god (Linux) answers the prayer. If you get the prayer wrong or poke around the wrong bits of the universe, behold for you are killed, unless you’re slightly attached to the universe still at which point you are a zombie. I don’t like zombies. Zombies eat your brains.
Windows: fuck knows. Between COM, bits of msgina, lsass, bits of kernel OM, some sticky tape, string and some dead rodents, your guess is as good as mine. This is the company that managed to put LSASS in a little Hyper-V sponsored pit of despair, declare security victory and only the next day end up with a CVE. MSFT can’t outrun some crap kicked out by some hippies from the 1970s on way too much green that hasn’t changed a whole lot.
Psss idiots.
Disclaimer: slightly too much wine this evening.
The mitigation strategies are different and the surface area is smaller on Unixes. Way smaller.
Also there is secondary mitigation with MAC (SELinux) which kills off a huge portion of entry vectors. Bar timing attacks via browsers, which are now pretty much mitigated by reducing timer resolution, the main attack vector is system access because you need to run arbitrary code on the target.
This isn’t an OS war, it’s a mitigation architecture war now.
Plus it looks like we can get some performance back now in a few months, looking at Linux 4.14. PCID is coming in. Incidentally OSX already uses thisnas does Hyper-V but not windows server (wtf)
This has been my life since it dropped for ref.
Indeed. Couldn’t agree more.
I’ve actually got about 500 machines on all platforms to save from this mess. There are no winners really. Everything is fucked, slow or on fire. Also some vendors who have patched their appliances have patched too quickly and botched it. Total nightmare.
Reducing resolution is adding a work factor yes. Is it enough, we don’t know yet. A good point.
So back in about 1995 I should have taken the the other coloured pill at this moment in time. Any one want to hire an EE. Will solder for pennies.
And ofcourse only Windows7 & 8 get slowerIs that speculation on your part or based on numbers?
And ofcourse only Windows7 & 8 get slowerIs that speculation on your part or based on numbers?
On Unixes, passwords never exist in kernel memory.
Disclaimer: slightly too much wine this evening.
And ofcourse only Windows7 & 8 get slower