On Tue, Jul 17, 2018 at 11:21:15PM +0200, Alessandro Selli wrote:
> My point is that the chances there is a backdoor in the Linux kernel
> are about as high as the chances tomorrow an alien ship abducts the world's
> leaders to take them captive to another solar system

Actually, it's pretty likely some odd driver has a limited backdoor (aka an intentional exploitable bug), and 99.999% chance there's a number of unintentional bugs the NSA, GRU and so on know of but don't let the public know, saving them for high-value targets.

Then there are local exploits. Ted Ts'o for example keeps fuzzing ext4 for years yet exploitable bugs still pop up frequently -- usually just DoS but arbitrary code execution isn't unheard of. That's a simple filesystem -- on the other hand, we got plenty of ridiculously complex filesystems as well. And ones like qnx4/qnx6 that have been effectively unmaintained for years, yet have modules enabled in distro kernels (including ours), probed whenever someone inserts a removable filesystem. Current desktop environments do so even when the screen is locked.

Same for other USB subsystems. All it takes is a device on the other end of the USB cable to identify itself as a 1997 Mattel Sidewinder joystick or such, whose driver has slightly inadequate input validation, to exploit a locked machine.

Or so on, so on...

> that there's no way we, or any single minor distro devs, could make the
> kernel any more secure than it currently is and that trying to do it would
> drain a huge amount of resources

Minor distributions should follow the rule: "Do one thing and do it well." Choosing secure defaults is in scope, but searching for backdoors is not. This is upstreamish work, thus it's not a distro thing. For free software to work, any capable developer should cooperate, but you do such audits without the distro hat on.

Meow!
-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.
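An added example, not part of the original mail: one way to audit the "secure defaults" point for the rarely used filesystem modules it names, by parsing modprobe.d-style configuration and reporting whether each module is blocked outright, only blacklisted, or still loadable. The function names, the module tuple and the sample configuration are constructed for illustration.

```python
# Filesystem modules named in the mail; extend the tuple for your own audit.
RARE_FS = ("qnx4", "qnx6")

# Constructed sample of modprobe.d content (not taken from any real system).
SAMPLE_CONF = """\
# /etc/modprobe.d/rare-fs.conf (constructed example)
install qnx4 /bin/false
blacklist qnx6
blacklist pcspkr
"""

# An "install" override pointing at one of these makes modprobe run a no-op.
NOOP_CMDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}

def norm(name):
    # modprobe treats '-' and '_' in module names as the same character.
    return name.replace("-", "_")

def parse_modprobe_conf(text):
    """Return (install_blocked, blacklisted) sets of module names."""
    blocked, blacklisted = set(), set()
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == "blacklist":
            blacklisted.add(norm(fields[1]))
        elif fields[0] == "install" and len(fields) == 3 and fields[2] in NOOP_CMDS:
            blocked.add(norm(fields[1]))
    return blocked, blacklisted

def audit(text, modules=RARE_FS):
    """Classify each module as 'blocked', 'alias-blacklisted' or 'loadable'."""
    blocked, blacklisted = parse_modprobe_conf(text)
    report = {}
    for mod in modules:
        if norm(mod) in blocked:
            report[mod] = "blocked"            # modprobe runs the no-op instead of loading
        elif norm(mod) in blacklisted:
            report[mod] = "alias-blacklisted"  # module aliases ignored; explicit modprobe still loads it
        else:
            report[mod] = "loadable"
    return report

if __name__ == "__main__":
    for mod, state in audit(SAMPLE_CONF).items():
        print(f"{mod}: {state}")
```

On a real system the input would be the concatenated contents of the modprobe.d directories; a module built into the kernel rather than as a module is outside what this check covers.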