
It's 2017: Linux and Firefox suck at security


Thread replies: 39
Thread images: 5

File: debian cve by year.png (28KB, 1103x738px)
https://www.cvedetails.com/top-50-products.php?year=2016

This is a list of the products with the most vulnerabilities in 2016.

The winner is Android, with 523, almost twice as many as Flash.

Debian is second (319) and Ubuntu is third (278). macOS is 11th (215) and Windows 10 is 13th (172). It's true that Linux distros were much more secure in the past, but that doesn't seem to be the case anymore (see also the recent gstreamer 0-day affecting up-to-date Ubuntu and Fedora).

I think we need more proactive security measures in Linux:
- Much more sandboxing, especially for media parsing, using modern methods like systemd-nspawn.
- More comprehensive AppArmor/SELinux policies by default.

It's also interesting how much more secure Chrome is than Firefox, thanks to all the mitigations and sandboxing. Chrome had just 2 code execution vulns in 2016 while Firefox had 53. Personally I just use Firefox inside a one-use instanced VM because Chrome is a privacy nightmare, but it's sad to see Mozilla neglecting it so badly while spending resources on retarded crap. I wish they concentrated 100% on a new Servo-based secure and fast browser.
>>
Who fucking cares.
>>
File: 1422308184247.jpg (38KB, 720x540px)
>GNLoo/Shitnux
>>
File: IMG_2256.jpg (122KB, 728x1146px)
>not using FreeBSD
>>
do these statistics include unknown vulnerabilities?
>>
>>58323767
>using modern methods like systemd-nspawn.
>like systemd-nspawn.
>systemd

Lennart pls.
>>
>>58323767
>I think we need more proactive security measures in Linux
Too bad the majority of the Linux community is against this (most notably Linus Torvalds).
That grsecurity is now closed source also hasn't helped.
That the monolithic systemd has arrived also hasn't helped.
SELinux is crap.

OpenBSD has always taken the opposite approach to this and most OSes from that family are much better off.

>>58323895
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.
>>
Well if you want better security you can chroot firefox and problem solved
>>
>Study sponsored by Microsoft and Google
>>
File: wuh.png (208KB, 1683x1113px)
>>58323767
>>
>>58323767
If you went through those you'd find that they're full of third-party software vulnerabilities somehow listed under the OS. Just the code execution listing for Ubuntu contains dozens of Firefox vulnerabilities, multiple Flash vulnerabilities, three OpenOffice vulnerabilities from 2010 and 2011, along with 14.04-specific lockscreen bypass techniques listed as code execution vulnerabilities for some reason.

If the MacOS listing is what I remember it to be, it also lists every version of OSX going back to versions like 10.0 that are obviously not being maintained anymore.

In short: Somebody is definitely desperate for attention when they're listing vulnerabilities in application software as vulnerabilities for the underlying OS.
>>
File: Crysis 3.jpg (45KB, 660x400px)
>>58323767
100 rupees deposited to your vindaloo pot
>>
>>58323767

>Microsoft Office has less vulnerabilities than Debian Linux

What a fucking fantastic comparison.
>>
>>58324163
since Microsoft can't code, it's probably a good comparison if you look at the total number of lines of code
>>
>>58323885
FreeBSD is actually pretty bad at security. They don't even have ASLR. freebsd-update didn't check signatures until this year when a public exploit was discovered (and they didn't notify users until they were forced to).
>>
>>58323885
>using holey cheese meme os
>not OpenBSD
>>
>>58325175
Hardened OpenBSD with full-disk encryption is the way to go if you're paranoid.
>>
>>58323767

Click on debian
Read the first line

>Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer.

>KMAIL

They are counting the vulnerabilities from every software that debian has access to?

what a joke
>>
>>58325254
If you're paranoid SubgraphOS is the way to go. If you want a priv/public cloud that survives any failures you want SmartOS + Zones + Solaris reliability tools (behind OpenBSD firewall).

There's also mbox/firejail to contain browsers and PDF readers on regular Linux or BSD, or Sandboxie on Windows.
>>
>>58325333
what about Qubes? it's Snowden-verified.
>>
>>58323988
>suse
>61
Does that mean openSUSE is the best Linux OS?
>>
>>58325254
OpenBSD is good, but I can't really use it for several reasons:
- Installing anything outside the base system decreases security significantly.
- You have to trust a third-party for stable package updates.
- I can't rest easy nowadays running a non-sandboxed modern browser.

Personally, I think right now the best choices are Qubes OS for desktop and OpenBSD for servers.

>>58325333
I haven't used Subgraph OS, but from what I've read it's still pre-alpha and very buggy. But it's certainly among the most promising things out there, I wish their application firewall was used by other distros.
>>
>>58323942
Some distros are better (by default) than others.

For example, the latest Fedora desktop uses Wayland (no more X11, where everything runs as root) and SELinux sandboxes, just so you don't hang yourself with the easy 1990s levels of insecurity that the vast majority of regular distros are. (Talking default install here, not building your own GrSec-patched hardened Gentoo.)

If anybody here is using Debian the first thing you want to do is use firejail to contain your browser (or run it in KVM) or Mbox https://pdos.csail.mit.edu/archive/mbox/

If anybody here is using a BSD then you want to do things like create a zero-priv user for PDF reading, edit your pf firewall so that user has no outside connections, chroot the PDF reader, etc. Basically 90% of vulns come from the browser (especially its addons using NDK) and PDF files. Focus all your efforts on just those two things and you have a pretty safe box regardless of what OS you run. The rest of the vulns come from old USB bugs they still haven't fixed (that were fixed with GrSec patches) and TCP/IP stack bugs that will continue to deliver, as the Linux protocol stack is a pile of pure buggy trash code.

If you're interested in this shit then read whitepapers: https://www.nccgroup.trust/us/our-research/?research=Whitepapers and follow the people who develop SubgraphOS https://twitter.com/bleidl?lang=en

You can also get academic journal access to security journals through sci-hub of course: find a journal and paste its DOI number or link into sci-hub and presto, free paper. Just remember it's a .pdf and take the above precautions.
>>
>>58324163
You're just jealous that notepad has less vulnerabilities than Ubuntu.
>>
>>58325604
SmartOS is the best one can get when it comes to running a cloud, public or private, and if that cloud must, without compromise, function correctly in the face of even the most severe failures, hardware or software wise. Zones + ZFS + fault management architecture (fmadm(1M) / svcadm(1M)) make it possible.

You can also tune any of your VMs using DTrace (!!), which means you can run Linux binaries or whatever else with KVM (called Zones on SmartOS) and get realtime optimization feedback as you run in production.

I'm talking about running mission critical servers that serve millions of people that absolutely cannot ever go down such as concurrent erlang stacks for a financial exchange. SmartOS uses OpenBSD's pf firewall too but of course you would want to drop in OpenBSD in front of it anyway just to sanely scrub traffic going to your cloud.

Qubes is for enterprise business use, so if you're a finance dude logging into trading accounts all day and want to keep all those credentials separate in case some employee clicks on a spear phishing attempt. If you were instead a l337 hacker selling stolen credentials or something and actively being targeted by cops or nation state agencies, you would want to use SubgraphOS regardless of its alpha stage.
>>
>>58325604
For OpenBSD before pledge this was true (only the base system was 'secure'): http://www.tedunangst.com/flak/post/going-full-pledge

They've put pledge into most of the packages and everything is on by default, so if that package tries something out of bounds it will die. Pledge is really, really easy to use and to add to existing packages. Combine that with executable-space protection by default and it's probably the most secure-by-default OS anywhere with modern exploit mitigations. With seccomp() + grsec dicking around you have to really know what you are doing to handle that kind of complexity; it's easy to shoot yourself in the foot unless your distro already comes preconfigured with it.
>>
>>58323767
Debian has a firewall. But you have to install and enable it. I trust Linux a lot more than windows. And I use Windows 8. Plus I bet a lot of these "security" issues are related to their Internet browsing. People who play in the mud shouldn't be surprised when they get muddy.
>>
>>58323767
ungoogled chromium + firejail = privacy + security
Use gentoo hardened for ultimate security.
>>
>>58326111
>ungoogled chromium
Nice idea, but I can't trust it fully. Chromium is too big and changes fast, something could slip.
>>
>>58323988
Gee I wonder if there's any correlation between how many use or how popular the so called vulnerable software is?
>Stats
>>
>>58326007
>>
>>58325175
>>>58325254
Enjoy your false sense of security.
There are simply not enough eyes on OpenBSD.
>>
>>58326176
Keep in mind all the money is in compromising iOS/OSX or Windows (or Chromium). There's no money in compromising Linux distros yet they still have the top amount of public security advisories.

These are also major, MAJOR security vulns like last April when it was discovered you can inject malware into any kernel.org TCP/IP stack remotely or redirect users (esp Tor users) to malicious sites and relays.

The problem is of course default kernel.org where all protections are disabled, and default distros who have zero protections because they want to push optimization/performance and "user friendliness". Windows at one time pushed this, then after the gong show that was Windows ME they put serious money into auditing and formally verifying their kernels. A latest Windows system is much harder to break into than Ubuntu LTS, especially if said Windows user is using Sandboxie; then you need ninja or state level skills to bypass that kind of kernel protection running by default.

You can get all this on Linux too but it means building your own kernel and turning on the kernel.org mainline protections. Then it means patching with GrSec (which is no longer offered public) so you have to run a testing version, or use Gentoo/Arch distro. It also means you have to manually tune a lot of things, because you'll see all these guides where they try and get you to turn off protections just to use a browser with MPROTECT on meaning you're just insecuring your system again.

Then there's the whole world of SELinux complexity which Red Hat/Fedora uses. This is why often by default you'll see it turned off by sysadmins, because you can spend weeks debugging SELinux logs trying to figure out what's going on. SELinux when developed by the NSA was never supposed to be an actual solution, it was merely a proof of concept that role based security could be put into the Linux kernel, which at the time was so insecure a 10yr old kid with hacktheplanet.txt could launch a blind shell.
>>
>>58326370
The eyes on it matter though, such as crypto engineers who develop OpenBSD, lifelong security experts and Microsoft who reviews OpenBSD code before they (steal) it to put in their own kernel. NCC Group also fuzzed the shit out of the OpenBSD kernel last year for free and had a team audit the entire TCP/IP stack.

btw I don't even use OpenBSD so I'm not shilling it, just the whole meme of 'not enough eyes' means nothing considering all the eyes on OpenSSL
>>
Chrome has less vulns because google pays goyim relatively large sums of money to find them. multiple times a year. firefux doesn't have God's covenant money.
>>
>>58323767
People have turned to Linux and are actively reporting vulns. What's surprising you?
>>
>>58326543
Chrome has fewer vulns because it's much better designed and has a lot of mitigations Firefox doesn't. In fact Mozilla literally plans to use Chromium's code for sandboxing in Firefox, and they're so stupid they're using two different, incompatible versions of said library (https://bugzilla.mozilla.org/show_bug.cgi?id=925471).

Mozilla can only dream about this:
https://www.chromium.org/developers/design-documents/sandbox
https://www.chromium.org/Home/chromium-security/education/security-tips-for-ipc
>>
btw if anybody is interested in any of this shit simply fuzz the linux kernel yourself using TriforceAFL https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/

Build your own kernels and then write your own unique test cases for them. If you get good at this there's a job for you somewhere. No Starch Press also has bootloader hacking books coming out this year which are really good.
>>
>>58323767
>it's the year 2017 of our lord
>still using someone else's kernel
cuckish tbh