That article is two years old. What was the stable kernel version at that time?Fred Barclay wrote:I agree... and disagree. (That is an option, right?revian wrote:And do you know why that is? Because it's a waste of time to devote resources toward writing malware that specifically targets a system that is designed to be as secure as possible and maintained by people who can't help but learn about system security...Fred Barclay wrote:.. there are no current Linux malwares that I am aware of.
No system is 100% secure. But, saying that Linux will be targeted more as it becomes more popular is, in my opinion, incorrect.)
Linux is not designed to be as secure as possible. See http://www.washingtonpost.com/sf/busine ... -argument/.
I'd like to highlight this:I agree completely with this. A perfectly secure system, by definition, would be unusable. We have to make reasonable security compromises in order to assure that Linux is usable. Just look at SELinux. It's a great addon to Linux that can stop entire classes of attacks... but if you stick with the most powerful settings, your computer would be almost unusable. You have to adapt it (read that "make security compromises") until you find the right fit for your daily use."Security of any system can never be perfect. So it always must be weighed against other priorities -- such as speed, flexibility, and ease of use -- in a series of inherently nuanced trade-offs."
Now as to the popularity leading to a bigger target thing, I still believe there will be a temporary upsurge in known Linux vulnerabilities as, or if, Linux becomes more popular. It's a natural outgrowth of Linus' Law: "Given enough eyeballs, all bugs are shallow." The more popular Linux is, the more eyes there will be on the code. The more eyes, the more overlooked security bugs will be found. (I'm taking a wide view of "Linux" here - the kernel, the GNU tools, and additional utilities you could reasonably expect to be on a system.) Heartbleed was overlooked for 2 years (2012 - 2014), DirtyCow was overlooked for 9 years (2007 - 2016), and Shellshock was overlooked for a full 25 years (1989 - 2014). It's a little shortsighted, in my opinion, to think there aren't more shellshocks out there just waiting to be found.
The good newsis that this would only be temporary. Once the bugs are found and fixed, they're over and done. I don't expect a narrative where the attacks continue to increase in severity and frequency forever. Thanks to the open nature of the kernel source code, we have the incredible freedom to find and fix these bugs rather than relying on a corporate security team to find, triage, and fix (or not) bugs, and it's all done in the open where everyone can see.
Yes, we can agree to disagree.. that is certainly an option