[Cryptography] Use Linux for its security

J.M. Porup jm at porup.com
Thu Sep 29 08:45:17 EDT 2016


On Wed, Sep 28, 2016 at 12:39:15PM -0400, Jerry Leichter wrote:
> 
> >> Not.
> > 
> > Everyone who complains about this situation should have asked himself:
> > "When did I last donate my time and effort to essential code review?"
> > (including efforts to reduce complexity).
> > 
> >> "Critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery."
> >> 
> > 
> > And what are the alternatives? Use Apple for its security?
> It's worth reading the talks and articles linked to from the article I referred to
> (http://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/).  The fundamental criticism is that Linux is way behind the times:  It's still trying to squish one security bug at a time, rather than using more modern techniques that close off entire classes of attacks, even if no specific ones have been identified; or like ASLR that make exploits much more difficult even if attacks are found.  None of these is perfect, but they raise the bar.  

As the author of the Ars Technica article mentioned, I concur. If this
subject interests you, please go to the primary sources and watch the
videos--you can read me quoting Kees Cook, or you can watch his talk 
yourself.

If you care about this issue, I recommend the latter.

jmp



