Can we really trust IT?

Gary Charpentier
Message 1332631 - Posted: 30 Jan 2013, 2:22:10 UTC - in response to Message 1332604.

2 statements from that report are very worrying.....

"Sophie in ‘t Veld, a Dutch MEP, Speaking to The Independent, she said:“Let’s turn this around and imagine this is not the United States having unlimited access to our data but the government of Mr Putin or the Chinese government – would we still wonder if it’s an urgent issue? Nobody would ask that question.”

"Isabella Sankey, Director of Policy for Liberty, said: “US surveillance ambitions know no bounds. The chilling US Foreign Intelligence Service Act treats all non-US citizens as enemy suspects.”

Only non-US citizens? I thought it was amended in secret to cover everyone on the planet.

W-K 666
Message 1332607 - Posted: 30 Jan 2013, 0:47:32 UTC - in response to Message 1332604.

2 statements from that report are very worrying.....

"Sophie in ‘t Veld, a Dutch MEP, Speaking to The Independent, she said:“Let’s turn this around and imagine this is not the United States having unlimited access to our data but the government of Mr Putin or the Chinese government – would we still wonder if it’s an urgent issue? Nobody would ask that question.”

"Isabella Sankey, Director of Policy for Liberty, said: “US surveillance ambitions know no bounds. The chilling US Foreign Intelligence Service Act treats all non-US citizens as enemy suspects.”

What's so worrying about the second quote?

I was always taught in military security the first people to be worried about are your "friends". Your "enemies" are usually obvious, but which of your "friends" is about to cause trouble.

Sirius B
Message 1332604 - Posted: 30 Jan 2013, 0:41:29 UTC - in response to Message 1332600.

2 statements from that report are very worrying.....

"Sophie in ‘t Veld, a Dutch MEP, Speaking to The Independent, she said:“Let’s turn this around and imagine this is not the United States having unlimited access to our data but the government of Mr Putin or the Chinese government – would we still wonder if it’s an urgent issue? Nobody would ask that question.”

"Isabella Sankey, Director of Policy for Liberty, said: “US surveillance ambitions know no bounds. The chilling US Foreign Intelligence Service Act treats all non-US citizens as enemy suspects.”

Ex: "Socialist"
Message 1332601 - Posted: 30 Jan 2013, 0:32:30 UTC

Again, those of us that are able, should use our own cloud...
#resist

W-K 666
Message 1332600 - Posted: 30 Jan 2013, 0:21:32 UTC

British internet users' personal information on major 'cloud' storage services can be spied upon routinely by US authorities

The Foreign Intelligence Surveillance Act, known as FISA, allows US government agencies open access to any electronic information stored by non-American citizens by US-based companies. Quietly introduced during the dying days of President George W Bush’s administration in 2008, it was renewed over Christmas 2012.

Gary Charpentier
Message 1332548 - Posted: 29 Jan 2013, 20:32:32 UTC

Another "suitably patronized" FOSS project:
http://www.pasadenastarnews.com/breakingnews/ci_22472695/researchers-warn-widespread-networking-gear-bugs
Researchers warn of widespread networking gear bugs
Bugs in widely used networking technology expose tens of millions of personal computers, printers and storage drives to attack by hackers over the regular Internet, researchers with a security software maker said.

http://en.wikipedia.org/wiki/Universal_Plug_and_Play
The UPnP Forum is a computer industry initiative to enable simple and robust connectivity to stand-alone devices and personal computers from many different vendors. The Forum consists of over eight hundred vendors involved in everything from consumer electronics to network computing.


800 vendor eyeballs should be enough. Is your FOSS showing?

Sirius B
Message 1331545 - Posted: 26 Jan 2013, 11:06:23 UTC - in response to Message 1331373.

Wow!

Of all the widespread examples, and compared to the unmanageable blizzard of malware and exploits that Windows appears to suffer... You have just those *two* examples?...


Did you read those reports? Red October is a highly professional operation with the current thought that it has to be a "Nation State".

That proves that any O/S can be hacked & should Linux reach the pinnacle of No 1 O/S then we will definitely be seeing the equivalent breaches of security a la windoze!

Ex: "Socialist"
Message 1331424 - Posted: 26 Jan 2013, 4:44:27 UTC

Play nice boys. There's plenty of software for everyone.
:-)
#resist

Gary Charpentier
Message 1331420 - Posted: 26 Jan 2013, 4:39:40 UTC - in response to Message 1331372.
Last modified: 26 Jan 2013, 4:52:58 UTC

Note also that open peer review ensures state of the art practice for suitably patronized projects.

suitably patronized is what, 0.1% of FOSS projects?

There goes your mud slinging again.

You are right, after a quick check the real number is likely closer to 0.001%.

Perhaps you just aren't aware of how much FOSS is out there, most of it developed by a single programmer. That or you say FOSS but mean only the top 100 FOSS projects.

ML1
Message 1331373 - Posted: 26 Jan 2013, 1:16:47 UTC - in response to Message 1331297.

Already have to which you replied to one - Cisco Phones. However, no comment on the Red October issues......

Wow!

Of all the widespread examples, and compared to the unmanageable blizzard of malware and exploits that Windows appears to suffer... You have just those *two* examples?...


I'll let you do the leg work on those! Choose your own expense and goodness or other...

IT is still what we make it...
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

ML1
Message 1331372 - Posted: 26 Jan 2013, 1:14:14 UTC - in response to Message 1331353.

Note also that open peer review ensures state of the art practice for suitably patronized projects.

suitably patronized is what, 0.1% of FOSS projects?

There goes your mud slinging again.

What matters are those projects of significance that make a difference. Just as in natural evolution, there is a lot of wastage as new ideas are tried out by new people. The best and/or most 'interesting' survive and prosper.

Perhaps that is why Linux systems have already 'taken over' for where it matters... Linux systems certainly have a far better record than certain other systems for thwarting malware...


IT is what we make it...
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

Gary Charpentier
Message 1331353 - Posted: 25 Jan 2013, 23:45:44 UTC - in response to Message 1331259.

Note also that open peer review ensures state of the art practice for suitably patronized projects.

suitably patronized is what, 0.1% of FOSS projects?

Sirius B
Message 1331297 - Posted: 25 Jan 2013, 21:43:57 UTC - in response to Message 1331258.

Can we have some real comment and links rather than the lame mud slinging please?

IT is indeed what we make it...
Martin


Already have to which you replied to one - Cisco Phones. However, no comment on the Red October issues......

... or are you arrogantly assuming that ALL the systems hacked were Windows?

ML1
Message 1331259 - Posted: 25 Jan 2013, 20:08:58 UTC - in response to Message 1331199.

... One of the main points it makes is that no matter how many sets of eyeballs look at code, unless you apply design discipline to those eyeballs, errors will be present. ...

Indeed so.

Note also that open peer review ensures state of the art practice for suitably patronized projects.

Hence, is that why Linux is steadily taking over the computing world?...


We really do need a good worthy competitor system to Linux that similarly includes freedom for the users, lest we suffer the evil of there only being Linux...

IT is what we make it,
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

ML1
Message 1331258 - Posted: 25 Jan 2013, 20:05:14 UTC - in response to Message 1331145.

That vulnerability is very obviously not on mainstream Linux kernels!

I smell an assumption of how you want the world to be.

Well, for your disparaging assertion, please list the bug report or rather the world headlines for such a dire problem for the Linux kernel.

How does that compare to Microsoft Windows?

How does that compare to other proprietary systems?


Can we have some real comment and links rather than the lame mud slinging please?

IT is indeed what we make it...
Martin

See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

Gary Charpentier
Message 1331199 - Posted: 25 Jan 2013, 17:29:20 UTC

Excellent read:
NBS 500-75 Validation, Verification, and Testing of Computer Software
http://books.google.com/books?id=arNTsaD5FxEC&pg=PR2&lpg=PR2&dq=nbs+special+publication+500-75&source=bl&ots=L_sOiOQKHh&sig=Vy2D5SBaPCLYOxZ8N4LZeHSPCjA&hl=en&sa=X&ei=Ar0CUaWEFMTVigLW1YGQDw&ved=0CC4Q6AEwADgK

One of the main points it makes is that no matter how many sets of eyeballs look at code, unless you apply design discipline to those eyeballs, errors will be present.

A couple others you should look at are, if you care about software:
NBS 500-93 Software Validation, Verification, and Testing Technique and Tool Reference Guide
NBS 500-98 Planning for Software Validation, Verification, and Testing,
NBS 500-99 Structured Testing: A Software Testing Methodology Using the Cyclomatic Complexity Metric


Gary Charpentier
Message 1331145 - Posted: 25 Jan 2013, 15:01:29 UTC - in response to Message 1331136.

That vulnerability is very obviously not on mainstream Linux kernels!
Disclaimer: Merely my own personal opinion as ever...

I smell an assumption of how you want the world to be.

ML1
Message 1331136 - Posted: 25 Jan 2013, 13:58:26 UTC - in response to Message 1331020.
Last modified: 25 Jan 2013, 14:01:31 UTC

Are you sure your phone is secure?

Cui's hack works by overwriting portions of the kernel space in the phone's memory. That allows him to gain root access to the phone's Unix-like firmware system and take control of the digital signal processor and other key functions.

Just wonder which Linux kernel the phone is running. And is the bug allowing the overwrite present in other flavors of that kernel running on other devices.

Doesn't Cisco use a highly customized, almost proprietary version of Unix/Linux family OS?

In other words, I doubt it's a kernel that's commonly used, or even resembles one. But I would be curious to know.
Wouldn't be surprised if it was 2.6 if it is a "normal" kernel they use.

Indeed so: It's an 'embedded device' that is stripped down to the minimum... Those phones first came out quite a long time ago and so are likely based on whatever kernel version was in vogue at that time...

The actual flaw is: "due to a failure to properly validate input passed to kernel system calls from applications running in userspace". See: Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability

To exploit the vulnerability, you need to have physical access to the phone or a successful remote login. So, difficult to exploit unless you have a "James Bond" janitor wandering around reprogramming them!...


That vulnerability is very obviously not on mainstream Linux kernels!

No software is infallible to proprietary rush! And we become more vulnerable as we rush to ever more elaborate interconnected systems...


Aside: Should those researchers now be persecuted in a similar way to Aaron Swartz for exposing something so obviously highly illegal and world-shatteringly damaging?... They've very clearly and publicly executed a 'break-in'. The USA laws are there and vague enough for doing that, for the threat of 50+ years unto bankruptcy and death...


IT is what we make it,
Martin

Disclaimer: Merely my own personal opinion as ever...
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)

Ex: "Socialist"
Message 1331020 - Posted: 25 Jan 2013, 3:38:34 UTC - in response to Message 1330972.
Last modified: 25 Jan 2013, 3:39:12 UTC

Are you sure your phone is secure?

Cui's hack works by overwriting portions of the kernel space in the phone's memory. That allows him to gain root access to the phone's Unix-like firmware system and take control of the digital signal processor and other key functions.

Just wonder which Linux kernel the phone is running. And is the bug allowing the overwrite present in other flavors of that kernel running on other devices.

Doesn't Cisco use a highly customized, almost proprietary version of Unix/Linux family OS?

In other words, I doubt it's a kernel that's commonly used, or even resembles one. But I would be curious to know.
Wouldn't be surprised if it was 2.6 if it is a "normal" kernel they use.
#resist

Sirius B
Message 1330986 - Posted: 25 Jan 2013, 0:57:26 UTC - in response to Message 1330972.
Last modified: 25 Jan 2013, 0:59:39 UTC

Just wonder which Linux kernel the phone is running. And is the bug allowing the overwrite present in other flavors of that kernel running on other devices.


Well with all the 1000's of posts on this forum alone regarding O/S'es & their weaknesses, just wonder what happened to the peer review in this case!

Also, with the Red October issue - Aren't many of those systems run by governments/corporations running Linux?
©2020 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.