Archive for July 21, 2009

Adios gdm and WTF…

Posted in acer aspire one, crunchbang on July 21, 2009 by lucky

Scored another 20MB of disk space by removing gdm and various theme packages. Nothing against the crunchbang login screen and it’s not like I’m running out of space on my hard drive. I was more interested in this:

             total       used       free     shared    buffers     cached
Mem:           998         76        922          0          4         45
-/+ buffers/cache:         26        972
Swap:         2094          0       2094
Total:        3092         76       3016

I had about 20MB more RAM available without gdm, etc., even though I wasn’t yet running wireless (this is with my “bigger” 2.6.30.1 kernel). I’ll add a screenshot here:

[screenshot: screenshot-20090721215236]

My .xinitrc is only “exec ratpoison” because my .ratpoisonrc has all my startup commands in it already. Thought everything was okay until I noticed the nm-applet icon seemed stuck on searching for the network. For the first time while using #! I was prompted to enter my WPA passphrase. Huh, what’s up with that? Hadn’t done that before at work or at home or library or anywhere else.

If something is set up between NetworkManager and gdm, that’s really fucked up. Why are all these distros spawning and thereby tying networking to X? Argh. I’m going to look for alternatives. I know there’s wicd, and I looked briefly at trying wifiroamd (but didn’t try it) while using Fedora.

About to quit ratpoison and find out if I have to enter my WPA pass again.

UPDATE: Fixed it by copying relevant lines from /etc/pam.d/gdm to the login file in the same directory, e.g., so that pam_gnome_keyring autostarts. That is a really fucking stupid way to set up something like that, IMO, but that’s how I’ve usually thought about Ubuntu (and Gnome as well) anyway.

New Zero Day – Linux Kernel

Posted in FSF sucks, advocacy, fud watch, linux, security on July 21, 2009 by lucky

I’ve written repeatedly about the myth that Linux is inherently more secure. It always falls on deaf ears because some people don’t want to be bothered with the truth that all complex software is inherently vulnerable and insecure.

Here’s more proof that Linux has its own share of vulnerabilities.

The latest exploit affects kernel 2.6.30 and earlier versions. Bojan Zdrnja at SANS writes that Brad Spengler of grsecurity discovered this and adds:

Why is it so fascinating? Because a source code audit of the vulnerable code would never find this vulnerability (well, actually, it is possible but I assure you that almost everyone would miss it). However, when you add some other variables into the game, the whole landscape changes.

How so? Spengler writes in the comments to his POC that this vulnerability not only bypasses SELinux but is strengthened by it. Zdrnja explains:

While optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn’t exist in the source code. This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland – and this finally pwns the box.

Is Linux or gcc to blame? Both/same. How many insist on “GNU/Linux”? Complex code, multiple layers. So many links that there are bound to be some weak ones even if they’re not readily apparent by looking at the pieces rather than the sum of the whole. As Zdrnja concludes, “Fascinating research… again shows how security depends on every layer.”

Spengler’s solution is for administrators to compile the kernel with -fno-delete-null-pointer-checks.
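To make the mechanism in the quote concrete, here is an added user-space illustration (not code from the post, from the SANS diary, or from grsecurity) of the two orderings involved: a function that dereferences its pointer before testing it for NULL, beside the corrected one that tests first. The struct and function names (demo_tun, poll_checks_late, poll_checks_first) are hypothetical and only mirror the “tun” variable the quote mentions; the return codes stand in for a poll mask. It compiles with any C99 compiler, and building it with `gcc -O2 -S` versus `gcc -O2 -fno-delete-null-pointer-checks -S` lets you compare whether the late check survives in the generated assembly.

```c
/* Added example: the dereference-before-check pattern described above,
 * reconstructed in user space with hypothetical names so the compiler's
 * behaviour can be inspected without a kernel build. */
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for a poll mask and POLLERR (constructed values). */
#define DEMO_POLLIN   0x01
#define DEMO_POLLERR  0x08

struct demo_sock { int readable; };
struct demo_tun  { struct demo_sock *sk; };

/* Defective ordering: tun is dereferenced on the first line. Because a
 * NULL dereference is undefined behaviour in C, GCC's delete-null-pointer-
 * checks pass (enabled at -O2) may infer tun != NULL and drop the later
 * "if (!tun)" from the binary, which is the point the quote makes. */
int poll_checks_late(struct demo_tun *tun)
{
    struct demo_sock *sk = tun->sk;   /* dereference happens first */
    if (!tun)                         /* candidate for deletion */
        return DEMO_POLLERR;
    return sk->readable ? DEMO_POLLIN : 0;
}

/* Corrected ordering: nothing dereferences tun before the check, so no
 * optimizer is entitled to remove it, at any optimization level. */
int poll_checks_first(struct demo_tun *tun)
{
    if (!tun)
        return DEMO_POLLERR;
    struct demo_sock *sk = tun->sk;
    return sk->readable ? DEMO_POLLIN : 0;
}

int main(void)
{
    struct demo_sock sk = { .readable = 1 };
    struct demo_tun tun = { .sk = &sk };
    printf("late check,  valid tun: 0x%02x\n", poll_checks_late(&tun));
    printf("early check, valid tun: 0x%02x\n", poll_checks_first(&tun));
    printf("early check, NULL tun:  0x%02x\n", poll_checks_first(NULL));
    /* poll_checks_late(NULL) is deliberately never called: whether it
     * returns DEMO_POLLERR or faults depends on what the optimizer kept. */
    return 0;
}
```

The compiler flag only removes the optimizer’s contribution; the lasting fix is the ordering shown in poll_checks_first, which is what a code review should look for. Whether a NULL dereference in the kernel ever reaches memory a user controls is governed separately by the vm.mmap_min_addr sysctl, which decides whether user space may map the lowest pages at all.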

Remember what Linus said about masturbating monkeys? Or how many fanboi and other FSF-type sites raise anecdotal evidence about things like pwn2own as “proof” that Linux is insurmountable to attack or that Linux is more secure than Windows? It’s all bullshit.

Windows is more exploited because it’s prevalent. Linux has enjoyed security through obscurity, which is only obscurity and certainly not security. This isn’t the first or only exploit in the Linux kernel and it sure as hell won’t be the last. It really doesn’t help when so many in the Linux community — including Linus — are either nonplussed by vulnerable code, oblivious to security issues, or even willing to lie about it and spread their FUD that Windows is the only inherently insecure operating system and that Linux is inherently secure.

Time to get serious about security rather than treating it as an afterthought or engaging in deceit, especially if you want greater marketshare on computers, servers, phones, PDAs, DVRs/PVRs, or any other device that can run Linux. Otherwise, you’re a fucking joke.

(edited)

UPDATE – 18:20 21 July 2009: I found more at Register about this:

The “NULL pointer dereference” bug has been confirmed in versions 2.6.30 and 2.6.30.1 of the Linux kernel, which Spengler said has been incorporated into only one vendor build: version 5 of Red Hat Enterprise Linux that’s used in test environments. The exploit works only when a security extension known as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.

An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component – say, a PHP application. By itself, Spengler’s exploit does not work remotely.

With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn’t regard the bug as a security risk.

With millions of eyeballs, it still takes only two to find what everyone else can’t or won’t see.

Linus wrote that it’s not a Linux problem but a setuid problem, which Rob Graham of Errata Security points out is a “design ‘flaw’ that is inherited from Unix” that is “going to be with us for many years to come.” Ahh, yes. That’s the same ol’ Unix which some ignorant dolts wildly claim is what makes Linux and OSX and so many other things invincible and safer than Windows despite the truth. And ample evidence to the contrary.

Spengler’s beef now, though, is that Linus and his team haven’t clearly disclosed the problem. In complaining about the fact that his POC led to the issue being categorized as DOS, Spengler said, “It kind of makes the vendors think the security is better than it actually is.”

That should set off alarm bells to anyone using Linux, especially if beguiled about its inherent security.

Open Source Is Driven By Profit, Not by Egalitarianism or Selflessness

Posted in FSF sucks, advocacy, economics, off my usual topics on July 21, 2009 by lucky

Some fellow commenters at distrowatch operate under the childish delusion that open source is some kind of equalizer against corporate interests. Nothing could be further from the truth. As I pointed out earlier this morning, most of the changes to the Linux 2.6 kernel have come directly from corporations or people who work for them.

Corporations don’t do this with any other intention but to further their own self interests. Whether they do it to make Linux work or work better with their hardware or to make more general improvements in some area, they’re doing it because it affects their bottom line. IBM, Oracle, HP, Intel, and so many other companies have become big players in open source because they can monetize it. If there were no profit potential, they wouldn’t be as involved as they are.

Sun Microsystems were very candid and upfront about their reasons for licensing their software under various open source licenses. They did it to sell support and hardware. They didn’t have the best possible business model for monetizing their open source software (hence the sale to Oracle) but they were very clear that open source had everything to do with trying to expand their business and much less to do with some sort of selflessness or egalitarianism (though some of their people tried to suggest otherwise).

I think where some people really miss the boat in trying to distinguish between open source and proprietary software as it relates to corporations is that these are two separate coins rather than two sides of the same one. Companies exist to make profits whether they participate in open source or keep their own code closed up. Neither side is really about “control” or oppression, but about maximizing revenue streams and keeping costs low. In that sense, there’s zero difference between closed and open source shops except the part about whether their code is obtainable or not.

Companies are no different from the individuals who work in them. Everyone gets up and goes to work because there’s something in it for them. Everyone. That includes “selfless” types like monks and nuns because they, too, are working for some kind of reward whether it’s financial or spiritual, in this world or in the next. A nun gets up in the morning for the same reason a tycoon does. There’s no difference. Take away profit or spiritual rewards and both will find something else that will provide them with more than their respective starting points. People always do what’s in their own self interest, and only sacrifice their own interests when that’s actually in their interests to do so.

Open source is only egalitarian in the sense that anyone can participate and (usually) the best ideas end up rising to the top. That doesn’t change what I wrote above about self-interests. Lone wolf programmers who contribute do so to fill their own needs or for back-patting that accompanies doing things which benefit others. Those are rewards. Without them, few sane people would bother.

While there are many open and closed projects driven by lone wolves, companies involved in open source or closed source drive most of the innovation in the software world and are the leaders in the direction things go. Not because they’re inherently evil or controlling, particularly in relation to “ambitionless” or “selfless” (ha) individual programmers, but because they have the resources to drive innovation and are driven to do things the market — their customers — desire. Nothing at all to do with controlling customers, but filling others’ needs and trying to create more demand.

It’s time for the proponents of open source who use these vapid arguments against “corporate interests” to stop making fools of themselves. Open source would be a joke were it not for corporate interests and the resources they’ve poured into making open source better.

It’s also time for me to shake the dust off my feet at distrowatch. Those who want to worship RMS can do so if they choose. I appreciate the contributions he’s made to free/open source — I’m posting this from within emacs running Linux with all the usual GNU-age accompanying my current distro (despite my attempts to replace as much of it as possible with BSD/MIT-licensed alternatives). But, as I wrote yesterday and asked again this morning, he can’t be the father of something that already existed before you people say he fathered it.

[screenshot: screenshot-20090721124353]

Think about it.