I’ve never understood why the entire Linux Leadership Community has promoted, or ‘allowed’ the promotion of, the lie that Linux is the “most secure Operating System” around. I am no expert, but it has been clear to me for some time that the Linux OSes are totally insecure, and yet the outright lie of Linux being the “securest OS” is openly allowed.
This total lack of Linux ‘n OSS security is why companies like Google, Amazon, and Microsoft create their own OSes based on the Linux kernel. I have a page that addresses some of the Linux security issues – *Linux Security Issues*. Geez … Linux ‘n OSS are hackers’ paradises. The Linux Kernel is *NOT* the ‘Holy Grail’ that the Linux “Holy Inquisition” pretends it to be.
Robin Mitchell of electropages has done an excellent job of covering ‘n summing up this story – The University of Minnesota Banned by Linux – Why Open Source is Problematic:
Recently, two researchers from the University of Minnesota and fellow graduates were able to upload intentionally buggy code and junk code into the Linux Kernel and have it accepted by the community. Why did the researchers do this, how did the Linux community react, and what does this demonstrate about open source software?
How can anyone actually believe that “Open-source software” (OSS) is not a *MAJOR* Security Risk?!? Why has the entire Linux Leadership Community tried to cover up this simple fact for decades? Be sure to read the article by Robin Mitchell ‘n I am going to list some of his points:
- The paper describes how the two researchers could generate code that claims to fix one bug in the Linux kernel while intentionally introducing other bugs. The Linux kernel is open-source, and as such can be accessed by the wider community, and anyone can suggest changes to the code via submissions.
- The goal of the research paper was to demonstrate vulnerabilities in open-source software, and how the approval process may need to be reconsidered.
- Undoubtedly, the Linux community has absolutely lost its mind over the situation and is demanding blood (figuratively).
- But, when the source code to a project is totally open, it is also open to those with malicious intent, who can study the code to look for vulnerabilities. The vulnerabilities are further worsened when an open-source project accepts public code submissions. As such, the research team demonstrated how accepting such code could be used by malicious parties to create entry points.
- Therefore, the research paper demonstrates that simply trusting project maintainers and code submitters cannot be relied upon.
- No matter how much you may hate the University of Minnesota for messing around with the Linux Foundation, understand that they have demonstrated that no system is perfect. Open-source can be, and most likely has already been, attacked.
The article also has a great video that helps in understanding this story:
I couldn’t actually find a definition on the internet of what “Hypocrite Commits” is, but I will try to sum up how Robin Mitchell explains it in the above video (not an exact quote): ‘Hypocrite Commits is a stealthy way to insert something, whilst introducing one piece of code that fixes a minor flaw, but also setting up a second piece of code that is an actual vulnerability that could be damaging, i.e. “nasty stuff”.’
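The pattern Mitchell describes (and that the UMN paper’s title calls “hypocrite commits”) is easier to see in code than in prose. The following is an added example, written for this post and not taken from the paper, the kernel, or Mitchell’s article. It is a toy driver in user-space C with a simulated allocator (the `buf_*` functions, `g_live_bufs`, `g_uaf`, `g_double_frees`, `dev_probe_*`, and `run_scenario` are all hypothetical names invented for the illustration). `dev_probe_original` has a genuine minor flaw: a buffer leaks when probing fails. `dev_probe_hypocrite` is the kind of patch the paper’s authors submitted: it visibly fixes that leak on the error path, and in doing so leaves a dangling pointer that turns a retried probe into a use-after-free and the teardown into a double free. The simulated allocator counts those events instead of corrupting the heap, so the two versions can be compared side by side.

```c
#include <stdlib.h>
#include <string.h>

#define EINVAL 22

/* Simulated allocator (hypothetical, for the demo). Each buffer keeps a
 * "live" flag so that a double free or a use-after-free is counted instead
 * of corrupting the real heap. struct buf itself is deliberately never
 * released so that its flag stays inspectable after buf_free(). */
struct buf { char *mem; size_t size; int live; };

static int g_live_bufs;     /* buffers allocated and not yet freed (leak count) */
static int g_double_frees;  /* frees of an already freed buffer */
static int g_uaf;           /* writes through an already freed buffer */

static void sim_reset(void) { g_live_bufs = g_double_frees = g_uaf = 0; }

static struct buf *buf_alloc(size_t n)
{
    struct buf *b = calloc(1, sizeof *b);
    b->mem = calloc(1, n);
    b->size = n;
    b->live = 1;
    g_live_bufs++;
    return b;
}

static void buf_free(struct buf *b)
{
    if (!b) return;
    if (!b->live) { g_double_frees++; return; }   /* in the kernel: slab corruption */
    free(b->mem);
    b->live = 0;
    g_live_bufs--;
}

static int buf_use(struct buf *b)
{
    if (!b->live) { g_uaf++; return -1; }          /* in the kernel: use-after-free */
    memset(b->mem, 0, b->size);
    return 0;
}

struct dev { struct buf *scratch; int configured; };

/* Original code. Minor real flaw: if probing fails and the caller abandons the
 * device without ever calling dev_remove(), the scratch buffer leaks. */
static int dev_probe_original(struct dev *d, const int *cfg)
{
    if (!d->scratch)
        d->scratch = buf_alloc(64);
    if (!cfg || *cfg < 0)
        return -EINVAL;                 /* scratch leaks on this path */
    d->configured = *cfg;
    return buf_use(d->scratch);
}

/* The "hypocrite commit". It adds the missing free on the error path (the
 * advertised, reviewable fix) but leaves d->scratch dangling. When the caller
 * retries with a valid config, the NULL check skips the allocation, the freed
 * buffer is written to, and dev_remove() then frees it a second time. */
static int dev_probe_hypocrite(struct dev *d, const int *cfg)
{
    if (!d->scratch)
        d->scratch = buf_alloc(64);
    if (!cfg || *cfg < 0) {
        buf_free(d->scratch);           /* + fixes the leak ...            */
        return -EINVAL;                 /* ... but d->scratch now dangles   */
    }
    d->configured = *cfg;
    return buf_use(d->scratch);
}

static void dev_remove(struct dev *d)
{
    buf_free(d->scratch);
    d->scratch = NULL;
}

struct outcome { int leaked; int uaf; int double_free; };

/* Drive one probe variant through a failed probe, then either abandon the
 * device (retry = 0) or retry with a valid config and tear it down (retry = 1). */
static struct outcome run_scenario(int (*probe)(struct dev *, const int *), int retry)
{
    struct dev d = { 0 };
    int bad = -1, good = 7;
    struct outcome o;

    sim_reset();
    probe(&d, &bad);                    /* first attempt fails with -EINVAL */
    if (retry) {
        probe(&d, &good);
        dev_remove(&d);
    }
    o.leaked = g_live_bufs;
    o.uaf = g_uaf;
    o.double_free = g_double_frees;
    return o;
}
```

Run the abandon scenario and the original version leaks one buffer while the patched version leaks none, which is exactly what a reviewer looking at the diff would check and approve. Run the retry scenario and the original version is clean, while the patched version records one use-after-free and one double free. The injected bug never appears in the hunk under review; it only materialises in a caller the patch did not touch, which is why the paper argues that looking at a patch in isolation is not enough.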
In closing, I will add a quote by Jonathan Corbet from his article *An update on the UMN affair*:
The old saying still holds true: one should not attribute to malice that which can be adequately explained by incompetence.
- I will add this post to the series on the *Linux Security Issues* page.
LINUX IS LIKE A BOX OF CHOCOLATES – you never know what you’re gonna get!