Nobody's Posting About the CIA Wikileaks?



buzzed.lightyear
March 10th, 2017, 08:15 PM
I'm personally surprised that there has not even been a single mention of the CIA hacking that Wikileaks has brought to our attention recently. For those who are in the dark, I'm talking about this:

http://finance.yahoo.com/news/wikileaks-cia-hacking-dump-sends-161808201.html

And notice that article mentions that this even affects our beloved Linux! :(

I'd figure that this would be the headlining discussion on all tech boards, but maybe nobody cares? Well, I for one care, and I'm going to get this conversation ball rolling!

QIII
March 10th, 2017, 08:33 PM
While we do allow "political" discussions as they relate to open source, please do not take this thread into purely political territory. This is an important issue and I would hate for it to be closed because someone cannot resist commenting about their rights, the evil nature of the CIA, the motivations of Governments, etc.

Keep the thread narrowly focused on the topic, please! I've closed too many of these important threads because they have drifted where they ought not have.

1fallen
March 10th, 2017, 08:58 PM
but maybe nobody cares? Well, I for one care, and I'm going to get this conversation ball rolling!

I think we all care :(....but what's the solution?:confused:

speedwell68
March 10th, 2017, 09:10 PM
I think we all care :(....but what's the solution?:confused:

I have long taken the view that the safest thing to do is not put any data that you wish to remain fully private anywhere near the internet.

buzzed.lightyear
March 10th, 2017, 09:21 PM
I think we all care :(....but what's the solution?:confused:

Well, for one we can patch those exploits. ;)

But here's another question I have (not just for you, but for everyone reading this comment). Can open source software really be patched satisfactorily if the source code is on the web for everyone to view? For example, the FBI claims that they can create an exploit for TOR (The Onion Router) literally the exact same day that a new version of the software is released due to the open source nature of the software. [Now given this might just be something they claim just to scare thieves, however, it is something to consider.]

Just food for thought.

1fallen
March 10th, 2017, 09:23 PM
I have long taken the view that the safest thing to do is not put any data that you wish to remain fully private anywhere near the internet.

+1:)
I have found that if I look at "Am I secure" more like... viewing it in this Definition.
Example: Am I secure, or Insecure>>>To= do I feel "secure enough". This is just an ongoing way of life.

lysander6662
March 10th, 2017, 09:58 PM
I have long taken the view that the safest thing to do is not put any data that you wish to remain fully private anywhere near the internet.

Somebody said something on a certain imageboard years ago that really resonated with me - "always assume that whatever you say or do is being recorded somewhere and can be used against you to your detriment". The thing is, while I agree with your statement regarding keeping things away from the internet, even having your smartphone in the same room means you could be being recorded [this is one of the reasons I don't use a smartphone] or having your Samsung TV within a few feet. I think that these days, very few people are 100% untrackable and unhackable. I wouldn't even trust TOR or DuckDuckGo. There are sliding scales though, e.g. it's better to use Linux than MS or Mac, so there's no need to invite trouble. But these days you have to be very very careful. They say that there are 'safer' Linux distros like Debian, Gentoo, Arch etc, but they're beyond me, certainly at this point. The irony is that Ubuntu's security is way better than Debian's, or so I've read.

DuckHook
March 10th, 2017, 10:58 PM
The Wikileaks stuff may serve to wake up the naïve and the apathetic to the fundamentally non-private nature of the Internet, but it's not news to anyone who has been remotely interested in security. Also, I'm in complete agreement with QIII: the penchant to flog any one particular government or three-letter agency is totally misplaced. All governments of all stripes do it. They just aren't in Wikileaks' cross-hairs.


The major flaw in TOR has been well known for years. If a well-financed and large enough agency can overload the TOR network with pseudo-bogus relay points, then it becomes possible to de-anonymize Tor's packet routing.
Open source is not immune to penetration by virtue of its open-source nature. This is a common (and tiring) misconception. The latest Linux kernel has over 12 million(!) lines of code. Any construct that complex will have myriad exploitable holes. The difference is that, once revealed, those holes can be patched without relying on some obscure private agency to take their time getting around to it, and then having to just take their word that the job was done properly.
Closed-source code is just as vulnerable, witness the thousands of ransomware exploits and millions of malware signatures almost all built to attack proprietary OSes. But the risk is orders of magnitude harder to grapple with because of the inherent nature of the code (it is not open to analysis).
The question:

Can open source software really be patched satisfactorily if the source code is on the web for everyone to view?

…is—I think—addressing the wrong issue, because no software, whether open- or closed-source, can be patched "satisfactorily". The phrase "satisfactorily" is too ambiguous and subjective to mean anything other than "satisfactory to me".
Security/privacy is not a light switch that is either on or off. It is actually a continuum in which some players are more aware of their exposure than others and have the smarts/motivation to reduce that exposure to the point where they are unlikely to be targeted by the bad guys. In this respect, it's no different than real life: people who have their wits about them are less likely to get robbed or mugged than those who blithely walk around flaunting their cash and taking no precautions. But it is impossible to render oneself immune to mugging. Even the expedient of never leaving one's house still leaves one exposed to home invasions.

To be honest, while I do not discount the dangers of state actors on my privacy, I am a hundred times more concerned about mobsters, sociopaths and script kiddies screwing up my life just for the profit/malice/kicks of it. Really, the overriding and perhaps only positive that I think the Wikileaks revelations have achieved is to bring renewed focus to the topic of security/privacy that too many people are blithely ignorant of and oblivious to.

buzzed.lightyear
March 10th, 2017, 11:35 PM
Open source is not immune to penetration by virtue of its open-source nature. This is a common (and tiring) misconception. The latest Linux kernel has over 12 million(!) lines of code. Any construct that complex will have myriad exploitable holes. The difference is that, once revealed, those holes can be patched without relying on some obscure private agency to take their time getting around to it, and then having to just take their word that the job was done properly.


Ah, I never considered that. Thank you for the explanation. In fact, I was reading that Linux security vulnerabilities can be patched in mere hours instead of weeks like it is common for Microsoft to do. So do you think that the patches for Ubuntu will actually arrive before Microsoft releases their security patches?


To be honest, while I do not discount the dangers of state actors on my privacy, I am a hundred times more concerned about mobsters, sociopaths and script kiddies screwing up my life just for the profit/malice/kicks of it. Really, the overriding and perhaps only positive that I think the Wikileaks revelations have achieved is to bring renewed focus to the topic of security/privacy that too many people are blithely ignorant of and oblivious to.

That's true. I know a lot of people who think they are immune from hackers just because they have a premium security suite or connect behind a VPN. While both of these defense mechanisms are good to have, they do not make you invincible. Hopefully these Wikileaks do wake people up.

But I'm still curious as to how apathetic people are going to be. Do you think people will actually cry out for tighter control of clandestine government agencies, or do you think they will be completely apathetic like they were during the Snowden Leaks? Back then, Snowden expected people to put pressure on the government to curb the spying power of these agencies through legislation; but aside from people complaining about it in the comments section of various websites, nobody actually cared to do anything about it.

1fallen
March 11th, 2017, 12:18 AM
The Wikileaks stuff may serve to wake up the naïve and the apathetic to the fundamentally non-private nature of the Internet, but it's not news to anyone who has been remotely interested in security. Also, I'm in complete agreement with QIII: the penchant to flog any one particular government or three-letter agency is totally misplaced. All governments of all stripes do it. They just aren't in Wikileaks' cross-hairs.


The major flaw in TOR has been well known for years. If a well-financed and large enough agency can overload the TOR network with pseudo-bogus relay points, then it becomes possible to de-anonymize Tor's packet routing.
Open source is not immune to penetration by virtue of its open-source nature. This is a common (and tiring) misconception. The latest Linux kernel has over 12 million(!) lines of code. Any construct that complex will have myriad exploitable holes. The difference is that, once revealed, those holes can be patched without relying on some obscure private agency to take their time getting around to it, and then having to just take their word that the job was done properly.
Closed-source code is just as vulnerable, witness the thousands of ransomware exploits and millions of malware signatures almost all built to attack proprietary OSes. But the risk is orders of magnitude harder to grapple with because of the inherent nature of the code (it is not open to analysis).
The question:…is—I think—addressing the wrong issue, because no software, whether open- or closed-source, can be patched "satisfactorily". The phrase "satisfactorily" is too ambiguous and subjective to mean anything other than "satisfactory to me".
Security/privacy is not a light switch that is either on or off. It is actually a continuum in which some players are more aware of their exposure than others and have the smarts/motivation to reduce that exposure to the point where they are unlikely to be targeted by the bad guys. In this respect, it's no different than real life: people who have their wits about them are less likely to get robbed or mugged than those who blithely walk around flaunting their cash and taking no precautions. But it is impossible to render oneself immune to mugging. Even the expedient of never leaving one's house still leaves one exposed to home invasions.

To be honest, while I do not discount the dangers of state actors on my privacy, I am a hundred times more concerned about mobsters, sociopaths and script kiddies screwing up my life just for the profit/malice/kicks of it. Really, the overriding and perhaps only positive that I think the Wikileaks revelations have achieved is to bring renewed focus to the topic of security/privacy that too many people are blithely ignorant of and oblivious to.

+100 Very nicely put Sir!:)



But I'm still curious as to how apathetic people are going to be. Do you think people will actually cry out for tighter control of clandestine government agencies, or do you think they will be completely apathetic like they were during the Snowden Leaks? Back then, Snowden expected people to put pressure on the government to curb the spying power of these agencies through legislation; but aside from people complaining about it in the comments section of various websites, nobody actually cared to do anything about it.

Best leave that sleeping dog lie....way too close to breaking CoC, and derailing this very nice thread.:)

DuckHook
March 11th, 2017, 12:18 AM
…Linux security vulnerabilities can be patched in mere hours instead of weeks…

Please be sceptical of these sorts of urban myths. No OS gets patched in hours. There is a critical process of analysis, recoding, review and numerous levels of approval. Quality control must be maintained, at least some idea that the cure won't be worse than the malady, etc. And Linus is a notorious stickler for elegant code and no unintended consequences. No… I'm afraid that the myth of a bunch of garage hackers churning out code as a hobby is long behind us, if it was ever anything more than a myth to start with.

Incidentally, it is unwise to slag Microsoft on these forums or anywhere else. They have long since taken security very seriously and in some respects, they practice better structured security protocols than on many open source projects.

I know a lot of people who think they are immune from hackers just because they have a premium security suite or connect behind a VPN. While both of these defense mechanisms are good to have, they do not make you invincible.

You're describing the "magic app" thinking that is, frankly, one of the banes of real security.

Hopefully these Wikileaks do wake people up.

Indeed, that's the only major positive that I see coming out of these so called "revelations".

But I'm still curious as to how apathetic people are going to be. Do you think people will actually cry out for tighter control of clandestine government agencies, or do you think they will be completely apathetic like they were during the Snowden Leaks? Back then, Snowden expected people to put pressure on the government to curb the spying power of these agencies through legislation; but aside from people complaining about it in the comments section of various websites, nobody actually cared to do anything about it.

You are getting dangerously close to that topic of politics that QIII warned us about.

I will answer you by reiterating a previous point: why all the Sturm und Drang about government surveillance and focus on people's apathy towards the Snowden revelations when people can't even be bothered to do something about ransomware? It is guesstimated that ransomware surpassed the one billion dollar mark last year. $1,000,000,000! And it is growing by something like 250% a year. Isn't that far more alarming than the Jason Bourne fantasies that pervade the fevered imaginations of the tinfoil hat set? I would have imagined that Americans would be up in arms and demanding congressional action on this flagrant extortion racket long before they pay attention to anything else. I know what I want to do with my limited time and resources, even on a matter as important as security—and it isn't worrying about the CIA. It is important to cultivate a sense of proportion about the real issues in life.

yoshii
March 11th, 2017, 12:21 AM
The main issue is not the CIA, but criminals and terrorists using the same hacking techniques, before, during, and after the wikileaks compendium.
We could certainly have a technical conversation about the specific Linux/Ubuntu portions affected and hopefully link to sites explaining how to patch the holes and exploits. That seems like that would be the most productive. And of course, posting the security fixes here on this site is preferred also.

I'd rather not mention any exploits by name or procedure until we have the actual fixes available right away and directly available before describing anything whatsoever about the holes/exploits. Let's spread good news, not bad techniques to make us all hackable.

halogen2
March 11th, 2017, 12:37 AM
criminals and terrorists using the same hacking techniques, before, during, and after the wikileaks compendium.
Scary :shock:

Is there, or will there be, a ClamAV-compatible database of these hacks? That is, something like Sanesecurity's "hackingteam" database (http://sanesecurity.com/usage/signatures/).

Or is such a database not needed for ClamAV to catch these hacks?

Yes, I realise that it might be totally unnecessary if I apply all the security updates. But it won't hurt to have ClamAV capable of catching this stuff, if such a database exists.

buzzed.lightyear
March 11th, 2017, 01:02 AM
Please be sceptical of these sorts of urban myths. No OS gets patched in hours. There is a critical process of analysis, recoding, review and numerous levels of approval. Quality control must be maintained, at least some idea that the cure won't be worse than the malady, etc. And Linus is a notorious stickler for elegant code and no unintended consequences. No… I'm afraid that the myth of a bunch of garage hackers churning out code as a hobby is long behind us, if it was ever anything more than a myth to start with.

Ah, I see. I read that on a pro-Linux blog several months ago. I'm actually new to the world of Linux (I made a New Year's resolution to learn how to use Linux this very year), so I'm still learning. After some Google searching, I've found the blog:

https://www.ibm.com/developerworks/community/blogs/6e6f6d1b-95c3-46df-8a26-b7efd8ee4b57/entry/is_open_source_software_less_secure230?lang=en

The claim is located under the "Updates and Patches" section.


I will answer you by reiterating a previous point: why all the Sturm und Drang about government surveillance and focus on people's apathy towards the Snowden revelations when people can't even be bothered to do something about ransomware? It is guesstimated that ransomware surpassed the one billion dollar mark last year. $1,000,000,000! And it is growing by something like 250% a year. Isn't that far more alarming than the Jason Bourne fantasies that pervade the fevered imaginations of the tinfoil hat set? I would have imagined that Americans would be up in arms and demanding congressional action on this flagrant extortion racket long before they pay attention to anything else. I know what I want to do with my limited time and resources, even on a matter as important as security—and it isn't worrying about the CIA. It is important to cultivate a sense of proportion about the real issues in life.

It's interesting that you phrase it as "can't be bothered to do something about ransomware" because it's my understanding that you as a user must download and execute the ransomware yourself. I'd imagine that the majority of cases come from either illicit/shady websites (such as piracy websites like The Pirate Bay) or from sheer dim-wittedness (such as opening an email attachment from an otherwise obvious scam email). Now I'm sure not every single case falls into those two categories, but couldn't we say that the majority of ransomware victims are "getting what they deserve" so to speak?

To this day, I've never even gotten a single virus, spyware, or other type of infection; and I can't understand how there's so many people out there who get these infections. And ransomware? That one should be easier than the rest to avoid. Besides, what can our government even do about it? Most of these ransomware infections come from countries outside of US jurisdiction. We can politely ask China or Russia to crack down harder on ransomware programmers, but isn't that the extent of what we can do?

DuckHook
March 11th, 2017, 02:49 AM
…I've found the blog…under the "Updates and Patches" section.

The reality is more complex. The patch may have been written in a few hours but it does not get applied in such a short time. And it's the application that counts.

It is instructive to delve into the Ubuntu security process: https://www.ubuntu.com/usn/ You will find that there is a very stringent and well-structured process to handle security notices, patches and updates/upgrades. But it all takes time. Vulnerabilities are also rated according to a scale with "critical" patches sometimes pushed out within days (never heard of hours), but those rated "low" taking their leisurely time. It is also important to be realistic about the process. Security patches are almost always treated seriously, but usability and compatibility patches, not so much.


It's interesting that you phrase it as "can't be bothered to do something about ransomware" because it's my understanding that you as a user must download and execute the ransomware yourself. I'd imagine that the majority of cases come from either illicit/shady websites (such as piracy websites like The Pirate Bay) or from sheer dim-wittedness (such as opening an email attachment from an otherwise obvious scam email). Now I'm sure not every single case falls into those two categories, but couldn't we say that the majority of ransomware victims are "getting what they deserve" so to speak?

We need to be a lot more sympathetic to the victims of ransomware. I'm not reprimanding you by any means, so please don't take it that way, but your statements are a common misconception.

Modern ransomware is extremely cunning and cleverly socially engineered to snooker even the most diligent. If you were a young salesperson desperately looking for new business for your firm and received an email to the effect that I am a prospective customer with a purchasing budget of over 10 million a year, and my requirements were contained in the attached document, would you open it? Unless the organization has installed some rather sophisticated safeguards, sometimes that's all it takes to encrypt the whole organization's network. Hospitals, universities, businesses and whole municipalities have been ransomed. It's a big problem, isn't going away, and all too often, the poor victims really can't be blamed.


To this day, I've never even gotten a single virus, spyware, or other type of infection; and I can't understand how there's so many people out there who get these infections.

Then count your blessings and make whatever propitious sacrifices are appropriate to your favourite computing gods. But please don't be too hard on the poor victims. I look after only about a dozen Ubuntu machines for friends and family. When they were still running closed-source OSes, two were hit with ransomware. One suffered an erasure-attack due to a poorly configured remote desktop app. This last was running Lubuntu.

…what can our government even do about it? Most of these ransomware infections come from countries outside of US jurisdiction. We can politely ask China or Russia to crack down harder on ransomware programmers, but isn't that the extent of what we can do?

Another misconception. Eastern Europe and China may make the news, but ransomware comes from everywhere these days. It is sold as a service on the dark web: one can "rent" such ransomware and pay the "owners" through a portion of the profits. It is ubiquitous, growing and relentless. It is also a toxin that poisons the lives of its victims disproportionately to the money involved. They feel victimized and abused and end up losing trust and respect for technology in general. Because I've seen the damage first hand, I feel very strongly about this particular form of pond scum.

What can be done about it is another discussion altogether. I don't want to write an essay about it. Suffice to say that while the solutions are not easy to implement, there are many things that can be done to catch the scumbags, make them pay in terms of incarceration, and prevent a lot of such victimization at the outset. But the solutions require a commitment of resources and money, and that urgency is not present either in officialdom or in the general populace yet. If you want to raise awareness and embark on a crusade, I would humbly submit that this issue is the one that is truly worthy of your attention.

Last but not least, to further puncture the stereotype of the Russian/Chinese cracker, many of the most productive and hardest working contributors to the Linux kernel and the FOSS ecosystem at large are Russian and Chinese developers. Our whole community would be drastically diminished if they stopped contributing.

I've rambled on too long. Will bow out of this thread now.

buzzed.lightyear
March 11th, 2017, 04:07 AM
The reality is more complex. The patch may have been written in a few hours but it does not get applied in such a short time. And it's the application that counts.

It is instructive to delve into the Ubuntu security process: https://www.ubuntu.com/usn/ You will find that there is a very stringent and well-structured process to handle security notices, patches and updates/upgrades. But it all takes time. Vulnerabilities are also rated according to a scale with "critical" patches sometimes pushed out within days (never heard of hours), but those rated "low" taking their leisurely time. It is also important to be realistic about the process. Security patches are almost always treated seriously, but usability and compatibility patches, not so much.

Thanks for the link! I'll be sure to study up on the security process.




We need to be a lot more sympathetic to the victims of ransomware. I'm not reprimanding you by any means, so please don't take it that way, but your statements are a common misconception.

Modern ransomware is extremely cunning and cleverly socially engineered to snooker even the most diligent. If you were a young salesperson desperately looking for new business for your firm and received an email to the effect that I am a prospective customer with a purchasing budget of over 10 million a year, and my requirements were contained in the attached document, would you open it? Unless the organization has installed some rather sophisticated safeguards, sometimes that's all it takes to encrypt the whole organization's network. Hospitals, universities, businesses and whole municipalities have been ransomed. It's a big problem, isn't going away, and all too often, the poor victims really can't be blamed.

Oops, sorry. You're right, we do need to! You know, that reminds me of something. A couple months ago I and my co-workers were discussing a news story about a company whose head of HR literally created a document with many of their employees' names and social security numbers in it, and emailed the entire thing to a scammer who claimed to be the CEO. The conversation went along the lines of "How could someone be so stupid?" "They should have employees take idiot tests in addition to skills tests." And so on and so forth. Same line of thinking was rippling through the comments sections of various news websites. But you know what? You're 100% correct. It's not the victim's fault the scammer created the ransomware and tricked the victim in the first place! It's the fault of the scammer, however, it seems our society is quicker to blame the person who opened the attachment rather than the person who created the attachment. I guess it's rubbed off on me, because that's pretty much how I looked at these situations as well. But now I'm going to start viewing it from a different perspective.


Then count your blessings and make whatever propitious sacrifices are appropriate to your favourite computing gods.

Well, I wouldn't go that far. I just figure sticking to mainstream websites and using common sense when opening email attachments will get you through life without a single infection.

I see what you mean by "make them pay in terms of incarceration". In my hometown, a co-founder and administrator of Darkode was arrested by the FBI. He got only one year in prison as his sentence:

http://archive.jsonline.com/news/crime/feds-say-suburban-milwaukee-man-created-online-bazaar-for-hackers-b99538879z1-315519701.html


I've rambled on too long. Will bow out of this thread now.

You've done something far more important than that. You've educated me. I say that's a noteworthy accomplishment. ;) Anyways, it's been a pleasure to discuss all of this with you.

HermanAB
March 11th, 2017, 09:36 AM
The main differences between Linux/BSD/Mac security and Windows security:
1. On Windows, there are large numbers of exploits that have been known for years and which MS do nothing about.
2. On Linux/BSD a newly found problem is fixed within hours and then the follow up reviews carry on to make sure it is fixed properly.
3. The APIs and libraries of Linux/BSD are changing all the time - it is a dynamic development environment.
4. Linux/BSD has a more advanced permissions system (MAC, RBAC a.k.a SELinux and AppArmor) than Windows, which can limit damage when malware is let loose.

The result is that it is difficult for anyone to write malware that will keep working for more than a few months on a specific Linux/BSD distribution, while any malware written for Windows, will keep working in the wild for years/decades on any version.

buzzed.lightyear
March 14th, 2017, 12:45 AM
The main differences between Linux/BSD/Mac security and Windows security:
1. On Windows, there are large numbers of exploits that have been known for years and which MS do nothing about.
2. On Linux/BSD a newly found problem is fixed within hours and then the follow up reviews carry on to make sure it is fixed properly.
3. The APIs and libraries of Linux/BSD are changing all the time - it is a dynamic development environment.
4. Linux/BSD has a more advanced permissions system (MAC, RBAC a.k.a SELinux and AppArmor) than Windows, which can limit damage when malware is let loose.

The result is that it is difficult for anyone to write malware that will keep working for more than a few months on a specific Linux/BSD distribution, while any malware written for Windows, will keep working in the wild for years/decades on any version.

Add that to the fact that Microsoft programs security vulnerabilities into the operating system and then proceeds to call them "features" (I'm looking at you Smart Multi-Homed Name Resolution), and I'd say your list is pretty accurate.
I'll admit I laughed out loud when DuckHook claimed that "Microsoft has long since taken security very seriously." :lolflag:
I wasn't originally going to go down that road, but now that you mentioned it, I'd have to agree with you 100%. I suppose if you took a specific area of Microsoft security patching you could make the argument work, but I'd say that consumer security is very low on Microsoft's list. Why do you think they continue to release scare articles about Windows 7 claiming that it's "very insecure" and that both consumers and businesses alike should upgrade to Windows 10? This is especially significant because Windows 7 is still within the Microsoft support period. If Microsoft really was taking security seriously (which they are not), then they themselves wouldn't be posting press releases in which they call one of their very own products "insecure".

QIII
March 14th, 2017, 01:08 AM
OK. This has taken a turn for Microsoft bashing, which, like politics, is proscribed by the Forums Rules.

Thanks everyone for your input.

Closed.