Linux desktop security is at least a DECADE (10 fucking years!!) behind Windows 10 desktop security! If you use Linux as your main desktop OS, you're MUCH LESS secure than if you use Windows 10!
>This was too easy. It should not be possible to find a serious memory corruption vulnerability in the default Linux desktop attack surface with just a few minutes of looking. Although it's hard to say it, this is not the kind of situation that occurs with a latest Windows 10 default install. Is it possible that Linux desktop security has rotted?
There is only one solution. OpenBSD. Or better yet, delete your computers.
Samuel Bailey
OpenBSD doesn't solve anything. Problem is desktop environments not the kernel or the OS itself.
Aiden Hall
If DEs are the problem why does OP say Linux?
Nicholas Lee
Time to delete our monitors then. Interconnected telecommunication via brain waves.
Daniel James
u can't read bro? or are you just too butthurt over Lincucks being full of security holes?
Christian Morgan
He doesn't mean any harm, he just doesn't know any better.
Bentley Long
...
Camden Richardson
>requires chrome and a GNOME botnet service to work
Nice try OP.
Kevin Davis
>lwn.net/Articles/708196/
TLDR If you use chrome or chromium on linux, and you have KDE, GNOME, or a desktop environment / window manager that uses "tracker", chrome can automatically download malicious code, that tracker can cause to run using Gstreamer.
If you don't use chrome(ium), Gstreamer, and tracker, you are unaffected by this particular potential exploit.
this is a shit thread. sage and ignore everyone. If you want to talk about the article, maybe start a new thread that isn't so baity, or discuss it on the linux general
Jaxon Diaz
fuck off
Luis White
Problem is GStreamer (and hundreds of other Linux packages) that are not tested for security holes.
And none of the Linux userland is sandboxed. NONE OF IT!
So fucking sad.
Holes of this type were fixed in Windows 98.
Michael Cooper
>discuss it on the linux general
>discussion on /fglt/
It's an old issue and gstreamer was always more or less shit.
saged
Leo Morgan
>this is a shit thread. sage and ignore everyone. If you want to talk about the article, maybe start a new thread that isn't so baity, or discuss it on the linux general
>fuck off
DAMAGE CONTROL & IMMENSE BUTTHURT
Colton Diaz
If these bums spent less time ricing their shitty desktops and more time on fixing broken things Linux might actually be usable for the average person.
Asher James
fuck off
Brody Rodriguez
But it is usable user
Nicholas Hernandez
So in other words. Linux is safe but all the half assed DEs and desktop utilities are basically complete shit and full of holes.
Isaac Moore
I'm using gstreamer gnome and firefox, am I ok?
Jaxon Gray
>If these bums spent less time ricing their shitty desktops and more time on fixing broken things Linux might actually be usable for the average person.
They're dumb NEETs. If they could actually code and find & fix bugs, do you think they'd have to resort to using a Hobo OS?
Problem is that these people have zero skills and all they can do is fuck around with conf files and rice their CP desktops.
Linux on desktop has been dead for a decade and it will remain dead.
Eli Taylor
Jesus Christ, how much is microsoft paying pajeets for FUD?
Wyatt Long
>If you don't use chrome(ium), Gstreamer, and tracker, you are unaffected by this particular potential exploit.
That's like saying: if you don't use desktop at all, you're not affected, you fucking c-u-c-k.
ISSUE IS THAT THIS SHIT SHOULD NOT BE POSSIBLE. PERIOD.
>Thus the decision of GNOME's Tracker software to use these parsers is a questionable design choice. GStreamer is not the only problematic software used by Tracker. ImageMagick has a purpose similar to that of GStreamer. It supports reading 177 different image formats and it has seen a constant flow of vulnerability reports over the years. Many other libraries that Tracker uses to identify ISO images, extract MP3 tags, or parse playlists look at least potentially problematic. Again, from a usability perspective, the choices made by Tracker make sense. For a desktop search, being able to parse the metadata of a wide variety of different file types is a desirable feature. But security-wise it looks like a recipe for disaster.
Read that again, you fucking dumbfuck.
Linux on desktop is RIDDLED with security holes!
Wyatt Evans
The main problem is the stupid GNOME tracker service and chrome
Liam Rogers
>sage and ignore everyone
IF YOU IGNORE THE THREAD, THE PROBLEM WILL GO AWAY!
Lincuck logic, everyone!
Brandon Cox
Don't use GNOME.
Logan Johnson
Seccomp is used by a bunch of projects, thanks to google. Sadly coreutils won't implement it, but if you're really that much of a sandbox fan, you can have a workaround with firejail. Linux is tested, but automated testing isn't enough and, peer review aside, the devs lack manpower. You can be safe on linux but you can't goof around with random files and unprotected ports. That's all.
>Linux on desktop is RIDDLED with security holes!
I give you the opportunity to break my system with a random site. I will click on it. You have 5 minutes.
Hunter Morgan
so basically a file format windows can't even handle anyhow--without gstreamer or equivalent library, is somehow problem with linux when in reality it's a gstreamer bug.
ok
Robert Hughes
Not only that, but there are Chromium forks that include patch sets which remove malicious features. Inox browser, Iridium browser, Ungoogled-chromium.
Noah Taylor
>This could be a default behavior to re-align with other browsers, to avoid known security headaches, and probably some as-yet-undiscovered ones too.
>Absent action from the Chrome developers, there is fortunately a setting that can be used in environments where security is a concern: chrome://settings -> Show advanced settings -> Downloads -> Ask where to save each file before downloading.
>However, the default download behavior is one where you can point to e.g. Firefox’s solution as demonstrably superior: the user has to accept any random attacker supplied bytes before they are dumped to disk in a well known and indexable location, with an attacker supplied filename and extension.
>0-day disclosure
>was fixed in upstream within 2 days
wow it's nothing
microshill FUD, carry on with your life
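A defensive check for the chain discussed in this thread (Chrome saving a file without asking, then Tracker indexing it), as an added example that is not part of any post or of the LWN article. The `download.prompt_for_download` preference layout, the Tracker process names and all sample inputs are assumptions made for illustration.

```python
import json

# Assumption: names of GNOME Tracker's indexing/extraction processes.
TRACKER_PROCS = {"tracker-extract", "tracker-miner-fs", "tracker-store"}


def prompts_before_download(prefs_text):
    """True only if the Chrome profile is set to ask where to save each file.

    Assumption: the profile's JSON Preferences file stores the setting as
    download.prompt_for_download; a missing key means the default (no prompt).
    """
    try:
        prefs = json.loads(prefs_text)
    except ValueError:
        return False  # unreadable profile: assume default behaviour
    download = prefs.get("download") if isinstance(prefs, dict) else None
    return isinstance(download, dict) and download.get("prompt_for_download") is True


def running_tracker(process_names):
    """Return the sorted Tracker process names found in a process listing."""
    found = set()
    for name in process_names:
        base = name.strip().rsplit("/", 1)[-1]  # accept full paths or bare names
        if base in TRACKER_PROCS:
            found.add(base)
    return sorted(found)


def assess(prefs_text, process_names):
    """Report whether both halves of the chain are present on this profile."""
    silent = not prompts_before_download(prefs_text)
    indexers = running_tracker(process_names)
    return {"silent_download": silent, "tracker": indexers,
            "chain_present": silent and bool(indexers)}


# Constructed sample inputs (not taken from a real machine).
SAMPLE_DEFAULT = '{"download": {"default_directory": "/home/u/Downloads"}}'
SAMPLE_HARDENED = '{"download": {"prompt_for_download": true}}'
SAMPLE_PS = ["/usr/libexec/tracker-miner-fs", "gnome-shell",
             "/usr/libexec/tracker-extract"]

if __name__ == "__main__":
    for label, prefs in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, assess(prefs, SAMPLE_PS))
```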
Jose Harris
>WHAHHHHH
>Mommy, why did this bad man make this thread and took a giant shit on a piece of software that I use? Why did he expose it to be what it truly is: a bug-ridden POS? I'm gonna go play in a different sandbox from now on where no one can tell me the truth!
Leo Turner
a lot of butthurt from this building
Owen Sanders
I didn't say you shouldn't use a DE, i said if you don't have all 3 particular pieces of software on your machine you are unaffected by this PARTICULAR exploit. I agree that it's serious, but OP is shit.
Learn to fucking read user. don't get your knickers in a twist over someone that actually agrees with you.
The OP is clickbait garbage. I'd be happy to have a real discussion on a real thread.
More like, linux has a lot of poorly written software, not enough sandboxing, and inconsistent security practices.
Nathaniel Taylor
too bad sandboxing is a meme
next you're going to say Non executable memory works too.
Parker Phillips
You're saying I'm less secure than on an OS (win 10) that send all of my keystrokes directly to the feds?
Ian Collins
>The OP is clickbait garbage. I'd be happy to have a real discussion on a real thread.
it's not written by some MICROSHILLNEWS.COM website but by LWN.net. Do you even know what LWN is, you fucking butthurt retard?
Adam Turner
>Hur dur I can barely understand written English so I have to resort to ad hominem attacks because someone might disagree with me
this is you. I acknowledged the validity of the article, summarized it, and told everyone to fuck off to a better thread. Shitposting shouldn't be tolerated. 90% of linux users are on chrome and use GNOME. This is a big deal. the OP, however, is the kind of cancer that we shouldn't tolerate. The article isn't shit at all.
Samuel Walker
The OP is trash, not the article. OP stands for Original Post, or sometimes Original Poster, and is used to refer to the top post or its author on online discussion boards. faggot
Colton Sanchez
>butthurt
>i-i-i'm gonna attack the tone of voice! yes, that will work. that will lessen the article's brutal truth. stay mad user!
ps: or maybe you could spend some time security testing that bug-ridden OS of yours instead of shitposting on here?
Brody Jenkins
>fixed months ago
>big deal
Christian Ward
laughing now linus?
Jason Price
Non-cancer thread. Everyone is welcome.
Logan Kelly
Why so salty?
Bentley Young
He warned us, Sup Forums.
Colton Nelson
>spam
Isaac Sanders
>linux
Parker Mitchell
How many backdoors does NSA have inside of Linux? Dozens? Hundreds???
Ian Campbell
Less than those of Windows seeing that they actively were part of the NSA's PRISM program
Jace Butler
ubutnut is fine like a car that only drives in reverse is fine
Ever heard of SELinux? It's literally NSA inside of Linux.
Christopher Williams
I fell for my girlfriend's bleating to try linux.
I expected it to at least support my hardware. What I found was that almost nothing (as in, single digit number of my important hardware). I couldn't even use openGL. My sound drivers were gone, and I had a bitch of a time figuring out what was wrong with it, but try as I might, no sound ever came from those speakers.
I hooked up a second monitor to my laptop. The second monitor didn't get recognized.
My girlfriend and I broke up promptly afterwards. People who think linux has even a minute chance of winning over Windows are probably the same people who believe a rib woman was convinced by a talking snake to eat from a magic tree.
Joseph Lopez
Sure
Jacob Roberts
Why hasn't Linux ever been audited?
John Allen
install gentoo
Henry Sanchez
If I made a .iso of a pre-skinned, tweaked install of WinXP, called it Doofo Linux and claimed that it was a distro that promised 100% compatibility with Windows only you had to use command line instead of terminal I bet it would become the most popular "Linux" distro there was.
Linux only has popularity because people think they are 1337 hackers for using it.
Fascinating overview! Go scroll through this presentation and let's have an honest discussion about Linux on Desktop.
Matthew Harris
and the leet haxorz try to fire up bash...
Joshua Rivera
>And none of the Linux userland is sandboxed. NONE OF IT!
Ubuntu has Apparmor with a bunch of profiles, Gentoo hardened has SELinux policies etc.
So yeah, some of Linux userland in certain distributions does come with some sandboxing.
Samuel Sanchez
>Why hasn't Linux ever been audited?
No one wants to do it because the truth would sink 100s of companies that depend on Linux. NSA also doesn't allow it.
PS: DoD and NSA are RedHat's biggest customer, btw. NSA is literally paying for most of Linux development. That's why RedHat is creating all those security-deficient pieces of software like SystemD.
John Myers
>Ubuntu has Apparmor with a bunch of profiles, Gentoo hardened has SELinux policies etc.
ALL BYPASSED
Alexander Roberts
Tracker doesn't even have a profile (Ubuntu's own mediascanner does though). How exactly do you bypass something which isn't even active?
I was merely correcting the NONE assertion.
Luke Bailey
>This was too easy. It should not be possible to find a serious memory corruption vulnerability in the default Linux desktop attack surface with just a few minutes of looking. Although it's hard to say it, this is not the kind of situation that occurs with a latest Windows 10 default install. Is it possible that Linux desktop security has rotted?
LMAOOOO WHAT HAPPENED TO ALL THESE "AUDITORS" LMAOOOOOOOOOOOOO
Samuel Jackson
>WHAT HAPPENED TO ALL THESE "AUDITORS"
they're too busy ricing their anime desktops, of course.
Parker Thompson
wtf i hate linux now
Sebastian Young
This exploit was discovered in November and fixed in late december. The patch has been implemented in all of the major distros. The bigger problem with linux security is that it's reactive, rather than proactive. Honestly it isn't much better or worse than the shit Apple and Microsoft do, but it's delusional to think that by using linux you are somehow much safer.
Juan Jenkins
wtf I love getting fucked in the ass by win10 now
Jayden Collins
>The bigger problem with linux security is that it's reactive, rather than proactive.
Well said. While Linux community fixes bugs fast, problem is that there's so many of them lurking around because no one's looking for them.
Big companies like MS/Apple/Google have hundreds of people who do nothing but hunt for bugs in their products. Linux doesn't have that. Linux community just has NSA which finds bugs but doesn't report them.
Nathaniel Edwards
BSD shills are worse than windows fanbois now.
Brayden Brown
Now that's just not fair, other people do audit Linux. Raytheon SI, BAH, Lockheed, they all have VR departments selling Linux 0days to the NSA
Matthew Bell
>If you use Linux as your main desktop OS, you're MUCH LESS secure than if you use Windows 10!
If you use Windows 10 your data is secure in Microsoft's servers.
>Linux doesn't have that.
Shellshock found by google. Their interest in the system makes this argument odd. They also found exploits in windows that ms won't/can't fix despite their crappy 3 month rule. Chet Ramey may not into code reviews, but at least know how to fix his shit.
Matthew Ward
>Now that's just not fair, other people do audit Linux. Raytheon SI, BAH, Lockheed, they all have VR departments selling Linux 0days to the NSA
SAVAGE
Lincoln Taylor
Fun facts;
1. The leading cause for insecurity in Linux is Xorg/Xserver. This literally renders a system completely vulnerable to literally anyone with an Internet connection.
2. Wayland fixes this, unfortunately this means you have to choose between KDE/GNOME and it isn't ready for use.
3. MAC like SELinux/Apparmor can help with this, though SELinux is overly complicated.
4. OpenBSD uses Xenocara which is a very secure version of Xorg/Xserver meaning you can use a DE/WM of choice whilst also having a very secure OS.
Take away messages;
1. If you want to use Linux, Fedora 25 comes with Wayland by default and SELinux preconfigured out of the box.
2. If you don't want to use GNOME/KDE/Wayland then use OpenBSD.
Lucas Martin
amen to this. unfortunately there are a lot of people who believe you are inherently more secure for using macos/linux. As if the smaller marketshare somehow is protecting you (same stupid theory that pro-closed source proponents claim that the less eyes are on it = naturally the safer it is).
Aaron Walker
Why hasn't Linux adopted Xenocara then?
Wyatt Murphy
So the actual takeaway here is that Fedora and OpenBSD are literally the only options for those who can't afford Mac/Windows.
Brayden Cook
>1. The leading cause for insecurity in Linux is Xorg/Xserver. This literally renders a system completely vulnerable to literally anyone with an Internet connection.
The xserver hasn't been remotely accessible except through a SSH tunnel on pretty much every distribution for how long?
Chase Jenkins
t. fedora shill
Nathan Scott
Laziness, it would mean having to re-write a lot of code for DE's and WM's. Most that use Linux don't actually care about privacy/security. They just take comfort in the feeling that they are more secure because the magazines say so, ignorance is bliss.
Jonathan Hernandez
Wayland
Mason Williams
Read Joanna's blog;
The Invisible Things Lab's Blog: The Linux Security Circus
Written by the creator of QubesOS
Colton Garcia
>opencuck
no thanks
Luke Scott
hmmm... she has a conflict of interest tho.
Brandon Garcia
Does it suddenly make the xserver remotely exploitable?
If you want to appeal to authority for bashing Linux security just do it, don't try to parrot their arguments poorly and make a fool of yourself.
Jayden Phillips
Xenocara is older than Wayland.
The real reason is: Wayland came from Red Hat. Xenocara didn't.
Brandon Thompson
>Null ptr deref that requires the target to connect to a smb share
Lmao absolutely useless fuck off
Chase Butler
>Shitposting shouldn't be tolerated
Is this your first time visiting this website?
Zachary Ross
This thread scares me because I use Linux on desktop right now.
How do we fix Linux, Sup Forums?
Anthony Sanchez
Switch to an operating system that uses a better kernel
You should have listened to Dave Cutler
Grayson Clark
*GNU/Linux
Jonathan Baker
sorry, not possible.
sorry, I'm using Linux. even the name of my distro has Linux in the name. go to bed Richard.
Kevin Ward
Use Fedora 25 w/GNOME or KDE on Wayland. Or OpenBSD/QubesOS.
Dylan Baker
>I don't run Chromium
>I don't run Tracker
>Exploit was patched two months ago
If you go around downloading random audio files with reckless abandon, you sort of deserve what you get no matter what OS you use.
Still can't wait for someone to throw this shit into a torrent of a hollywood film. My my my....
Adrian Bailey
Imagine ACTUALLY posting these things unironically to rationalize spending so much time on an abysmal platform. Really activates your almonds!!
Hunter Gomez
That is a null pointer dereference, which isn't exploitable for anything other than denial of service, and requires the user connect to an external samba share. It's a worthless exploit.
Charles Parker
Had linux on laptop for 6 yrs in total, no virus ever. Downloaded the most downloaded piratebay win10 keygen, got fucking chink virus with billion chinese shitty apps in task manager. :D
Kayden Jenkins
Wow you mean downloading shady software led to you getting pwned? Surprising!
Juan Watson
Imagine being a pajeet and unironically shilling broken, exploitable, anti-privacy poo in loo software.
>Denial of service exploit
>Worthless
Tech-illiteracy detected.
Lucas Sullivan
>Had linux on laptop for 6 yrs in total, no virus ever.
why would anyone bother hacking a GNU/linux poorfag? Once you installed win10 you announced to the world you might have some value, hence the hack :D