Many Millions of Linux are affected by this security hole

For discussions about security.
6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#21 Post by 6502coder »

Mike Walsh wrote:And from another zd.net article about this same subject:-

http://www.zdnet.com/article/how-to-fix ... -day-flaw/

...this quote:-
This, according to another programmer working on mediating the problem, is far from unique. "Security companies are always making a big deal of little problems for their own benefit."
'Nuff said, really.


Mike. :wink:
Agreed, Mike, 'nuff said...which is why I posted that same link here 3 days ago (see about 8 posts above) :lol:
amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#22 Post by amigo »

There is malware which runs under both Linux and Windows -it's called grub4dos -the bootlace.com installer runs under both -same binary.
starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#23 Post by starhawk »

While that statement does not really deserve a response, I'll give it one, against my better judgement.

I have used grub4dos almost exclusively since joining this forum, mostly because making "real" GRUB work is nearly impossible (I've done it once, so I have to put the "nearly" in there). I personally have never seen any evidence of malware or malware-like behavior associated with grub4dos, its wizard, and their functions, nor have I heard reports of any such behavior before -- and I think if it existed I'd've heard or noticed SOMETHING by now. Not to mention that your post is a little short on substantiation.

So, with all due respect, sir, I regret to inform you that your post is complete bullshit, and you should strongly consider taking it down so as not to mislead newcomers to the forum and to Puppy.
Mike Walsh
Posts: 6351
Joined: Sat 28 Jun 2014, 12:42
Location: King's Lynn, UK.

#24 Post by Mike Walsh »

6502coder wrote:
Mike Walsh wrote:And from another zd.net article about this same subject:-

http://www.zdnet.com/article/how-to-fix ... -day-flaw/

...this quote:-
This, according to another programmer working on mediating the problem, is far from unique. "Security companies are always making a big deal of little problems for their own benefit."
'Nuff said, really.


Mike. :wink:
Agreed, Mike, 'nuff said...which is why I posted that same link here 3 days ago (see about 8 posts above) :lol:
D'oh! Sorry, 6502coder; half asleep here. I'm right in the middle of a rotten bout of the 'flu.....and not really 'with it' at all at the mo! :lol:


Mike. :wink:
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#25 Post by Burn_IT »

There are huge security holes in ALL computer systems, whether Linux, Windows,MAC, DOS, Android or any of the thousands of others.

The vast majority are caused by people using them.
"Just think of it as leaving early to avoid the rush" - T Pratchett
eric52
Posts: 252
Joined: Mon 16 Nov 2015, 23:02
Location: Southbury, CT

#26 Post by eric52 »

Yeah, I trace most of my computer problems to somewhere between the keyboard and the chair.
Today only. Anger not. Worry not. Be grateful working karma. Be kind.
amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#27 Post by amigo »

starhawk, have you looked around and read some in the grub4dos sources?? I don't mean to say that grub4dos itself is malware -just that grub4dos contains a program called bootlace.com which will run under linux, windows or DOS -16bit assembly code for x86.
jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#28 Post by jamesbond »

@amigo, you seem to be quite dismissive towards grub4dos. Is there something you know that I don't? (this is a serious question).

Unlike some of their worse compatriots, the people who forked grub4dos from grub have always made its source available from day one; and one can even see how bootlace.com is coded (it is very clever code, but I don't see any mischief there).
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]
Ted Dog
Posts: 3965
Joined: Wed 14 Sep 2005, 02:35
Location: Heart of Texas

#29 Post by Ted Dog »

I do not trust the clever code found in grub4dos either. More from the behaviour at the handoff between the BIOS and the system being booted. Something is happening, and long odd delays occur semi-randomly between the first cold boot and any other boot.
I have an actual server that will even give boot-change :oops: warnings and refuses to boot if loaders change. Back-to-back grub4dos changes the loader.
amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#30 Post by amigo »

Sorry, I don't even mean to say that bootlace.com is malware either. It does demonstrate how the same binary can be run on various OS's, though.

I will comment more about grub4dos, though. The fellows working on the code are *very* smart people. Most of their efforts have been pointed at getting pirated copies of MSWindows to run from *anywhere*, like from RAM, or making XP think it is running from a floppy disk, for what it's worth. The guys have made lots of nice things possible for us, like booting *.iso images directly from a hard disk, or elsewhere. These are certainly folks who could throw you a curve -software-wise.

Some years ago, when grub-0.97 was still a live project, I set about creating my own version of grub, incorporating about 35 patches from all the major distros -both fixes and feature additions. I also worked on back-porting some of the early grub4dos features into grub-0.97. Right away the calibre of the hackers working on grub4dos was obvious. They all operate strictly under aliases, changing them from time to time. Nowhere are any real names brought into relation with the aliases. The location of the source repos changes 3-4 times each year; sometimes development is carried out on forums, as attachments (sound familiar?). Most links lead to binary blobs with no mention of the supposed sources.

When you do get sources, they contain binary blobs which I could/would not believe originated from a build of the sources they were included in. In the early years, the code changes were made available as patch files and were relatively clean. What I mean is that one patch file would contain exactly one complete bug-fix or feature addition. Later, the changes became completely messy, with the difference between one version and the next *micro* increment amounting to thousands of lines of changed code, with features, fixes and pure white-space changes all mixed together -without any comments in the code or in the patches.

By now, if you create a diff between their sources and the original, you'll get a patch file of over 500,000 lines. And, if you compare any two branches (two different devs) of the code, you'll get a disturbing picture, indeed.

The devs would appear to be well sought-after, both by the authorities and probably the anti-authorities.

I would most certainly not use any of their binary blobs and would not use any of their sources which I could not get an overview of. Period.

One often-overlooked feature of the GPL is that it not only dictates that you release the source code for binaries that you distribute, it also insists that the build process be completely transparent -you are supposed to also distribute any configuration files and/or scripts used to build the binaries. The point of it is that anyone should be able to reproduce the binary exactly, when compiling the sources on an identical system.

I do gain a little trust in a developer when they gladly share their (supposed) sources, but I do put their build to the test -after having a sharp view around the sources and build files. There are devs who sneak any really spammy stuff into make files and install scripts, so even running 'make' blindly is risky.

Recently, I've been working a lot with Android. It's really difficult to find apps which are open-source! Luckily, some of my favorite stuff, like the terminal emulator (jackpal) and busybox, are open source -even Stephen Ericson open-sourced the sources to his busybox installer -but he doesn't tell how he produces the busybox blob contained in the installer. But other projects cover that part, so you can compile your own blobs and compile his installer with them inside. The most-used 'su' app, SuperSU, is not open-source! Does that sound any warning bells? Sure. I'm looking at the alternatives.
starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#31 Post by starhawk »

I'm sorry, but I'm all out of tin foil...
Ted Dog
Posts: 3965
Joined: Wed 14 Sep 2005, 02:35
Location: Heart of Texas

#32 Post by Ted Dog »

Try a mylar family-sized chip bag. Just find one which smells OK. I do NOT recommend Doritos or sour cream. Your hair will smell like it. :mrgreen:
starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#33 Post by starhawk »

I think you missed my point...
Ted Dog
Posts: 3965
Joined: Wed 14 Sep 2005, 02:35
Location: Heart of Texas

#34 Post by Ted Dog »

No, I was making a point about saving money for cranial RF protection; were you trying to make an over-treaded weak attack about people not trusting code?
:P

You should be casting tin foil hats about, you have your oddities as well.
BtW, New X files TV series are off to a good start..
starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#35 Post by starhawk »

What I was trying to point out is that there is nothing inherently harmful or suspicious about grub4dos. jamesbond concurred and corroborated, and I should think that given what he's done for the Puppy community --and more-- you and amigo rather owe him an apology and some respect. As for your insult aimed at me... I'll just tell you what my mother would, if she were here: grow up.

I'm making my exit from this thread with this post, as I don't suffer fools and I won't be around lies. Heaven forbid the two of you should ever get a level head on your shoulders -- I daresay you wouldn't know what to do with yourselves if you did...
unicorn316386

#36 Post by unicorn316386 »

starhawk wrote:I'm sorry, but I'm all out of tin foil...
starhawk wrote:I think you missed my point...
Not much of a 'point', just a weak empty attack, as Ted Dog said.

If you wanted to make an actual valid point, you could try talking about the grub4dos source code itself.
gcmartin

#37 Post by gcmartin »

This thread has opened our eyes to a couple of issues that exist with systems code and security.

As reported in meetings/seminars with Systems Security people of the past, they all have agendas for those issues they raise for which no known security threat exists, yet. This does have a level of importance, as it suggests to developers where they should review the exposure risk.

The risk factor is the most important piece of ANY security being addressed.

The risk, here, is twofold: Can someone get to the console of your system to exploit its boot structure for malicious needs? Can a planned bot be added to a running system to exploit its booting for the console user's purpose?

In most meetings, we would acknowledge the Security concern, review, and, if necessary, set a plan to address the risk.

For this thread's opening post, I find the report and risk of questionable value, and it only applies to a very, very narrow potential circumstance which makes a system vulnerable.

At some point, every OS working with hardware has to start through gaining access to boot and setup for user operations. There must be some level at which to begin, as the trust relationship starts with the BIOS giving access to the starting OS. That, to me (and others, I'm sure), is a requirement and carries an acceptable, extremely low risk for OSes I have come to trust.

@Amigo brings up a point, and it shows that there is potential for someone to have planted a useful exploit at the very start of the system. This could exist anywhere with ANY OS. In the 90s, there were 2 instances I am aware of (MS and Novell) where one of their developers did such in systems released to the field. It was discovered and appropriate action was taken.

Lately, I am aware of another public BIOS program floating on the Internet which, if downloaded and started without allowing it to complete its mission, will leave you with a system whose BIOS is destroyed and your system a vegetable, never able to get beyond the BIOS logo.

This could, as well, be done EASILY here in Puppyland.

"Just because the source code is available for review, does NOT mean an exploit does not exist or cannot be introduced."

I think that is an acceptable message for all of us.
Edit: "others"
Last edited by gcmartin on Mon 25 Jan 2016, 23:37, edited 1 time in total.
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#38 Post by Burn_IT »

Availability of the source only means anything in security terms if:
A) you can examine it for holes;
B) you actually use it and not any other supplied version.

As a software vendor to security forces I could never supply pre-compiled software.
Even if software that had been supplied before was included in a later package, it still had to be source-only, with the scripts to manually build it.

All this and I have/had full security clearance that I held for most of my working life.
"Just think of it as leaving early to avoid the rush" - T Pratchett
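amigo's point above (a GPL build should be reproducible from the shipped sources plus their build scripts, and a binary you cannot reproduce is not one to trust) and Burn_IT's two conditions (examine the source, and use the build of that source rather than a supplied binary) come down to one practical check: build twice from the same source and confirm the artefacts are byte-identical. The script below is an added example for this thread, not code from any poster or from grub4dos; `verify_reproducible`, `demo_identical` and `demo_timestamped` are names chosen here, and the two sample "build" directories are constructed inline (a header stamped with a build time stands in for the usual cause of a mismatch).

```shell
#!/bin/sh
# Added example, not from the forum thread: check that two independent builds of
# the same source produce byte-identical artefacts, which is what "anyone can
# reproduce the binary exactly" means in practice. Assumes sha256sum and mktemp
# (coreutils) are available.

# verify_reproducible BUILD_A BUILD_B
# Prints every file that differs or is missing from BUILD_B; returns 0 only when
# every file under BUILD_A has an identical counterpart under BUILD_B.
verify_reproducible() {
    a="$1"; b="$2"; rc=0
    # relative file list from the first build, sorted so the output is stable
    list=$(cd "$a" && find . -type f | sort)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ ! -f "$b/$f" ]; then
            echo "MISSING  $f (not present in $b)"
            rc=1
            continue
        fi
        ha=$(sha256sum "$a/$f" | cut -d' ' -f1)
        hb=$(sha256sum "$b/$f" | cut -d' ' -f1)
        if [ "$ha" = "$hb" ]; then
            echo "OK       $f"
        else
            echo "DIFFERS  $f"
            echo "         $a: $ha"
            echo "         $b: $hb"
            rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Constructed sample: two "builds" whose outputs are identical -> returns 0.
demo_identical() {
    a=$(mktemp -d); b=$(mktemp -d)
    printf 'int main(void) { return 0; }\n' > "$a/main.c"
    printf 'constructed stand-in for a compiled binary\n' > "$a/prog"
    cp "$a/main.c" "$a/prog" "$b/"
    if verify_reproducible "$a" "$b"; then rc=0; else rc=1; fi
    rm -rf "$a" "$b"
    return $rc
}

# Constructed sample: the build stamps its start time into a header, so the
# two outputs differ even though the source is the same -> returns 1.
demo_timestamped() {
    a=$(mktemp -d); b=$(mktemp -d)
    printf 'int main(void) { return 0; }\n' > "$a/main.c"
    cp "$a/main.c" "$b/main.c"
    printf '#define BUILD_TIME "2016-01-25T10:00:00Z"\n' > "$a/version.h"
    printf '#define BUILD_TIME "2016-01-25T10:05:00Z"\n' > "$b/version.h"
    if verify_reproducible "$a" "$b"; then rc=0; else rc=1; fi
    rm -rf "$a" "$b"
    return $rc
}

# Usage: sh verify_build.sh BUILD_DIR_A BUILD_DIR_B
if [ $# -eq 2 ]; then
    verify_reproducible "$1" "$2"
fi
```

Run it against the output directories of two builds made from the same source tree (ideally on two different machines, or the same machine at two different times); anything reported as DIFFERS is either an embedded timestamp, path or random seed that the build scripts should be made to eliminate, or something that did not come from the published sources at all, which is exactly the case amigo describes.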
tomhewitt

#39 Post by tomhewitt »

Image
Last edited by tomhewitt on Tue 26 Jan 2016, 08:37, edited 4 times in total.
jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#40 Post by jamesbond »

@starhawk - no need for apologies, I asked amigo and I got the answer I was looking for.

@Amigo - Thank you for the insight about grub4dos. As for smart-devices (Android, iOS, Windows, or otherwise) I have one additional comment to say: when people "root" or "jailbreak" their phone, they are actually using a local privilege exploit like the one discussed in this thread. In fact, if everything is fully secured, you can't "root" them anymore :?
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]