lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <47324.1321880520@turing-police.cc.vt.edu>
Date: Mon, 21 Nov 2011 08:02:00 -0500
From: Valdis.Kletnieks@...edu
To: Darren Martyn <d.martyn.fulldisclosure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Ubuntu 11.10 now unsecure by default

On Mon, 21 Nov 2011 12:24:03 GMT, Darren Martyn said:

> 1) Read the latest kernels source over a long period of time, looking for
> bugs and to get a better understanding of how it works on that level

Just keep in mind that you will never finish reading the kernel source, as it's
currently sitting at somewhere near 14M lines of code, and every 3 month
release window has more new lines added than any one person can review. Most of
the patches are posted ot the linux-kernel mailing list, which as a result
weighs in at around 450-600 pieces of mail every day.  Enjoy drinking from the
fire hose.

That's why the current arrangement of subsystem maintainers exists.

Doesn't mean that you can't review the important heavily used parts of the
kernel and learn something - that's probably only a quarter million lines of
code, and things like the VFS code don't change as fast as the drivers and
architecture code. I would reccomend reading Linux Device Drivers, 3rd Edition
(available online, just google for 'LDD3').  Note that the concepts still
apply, but due to the ever changing kernel API, sample code will probably not
compile without some reworking.

> 2) Build my own distro

More of same - though Linux From Scratch will at least teach you how it works.
But you'll go nuts trying to keep up to date on patches for all the components of
a system big enough to use day-to-day. (Have fun reviewing the patches and
then building OpenOffice or Firefox from source every time upstream releases
an update - and then there's all the code in xorg and Gnome/KDE, and....)

> 3) Write my own network manager based off the LORCON/MadWiFi drivers (using
> PyLORCON bindings) for the GNOME interface to replace the not-reliable
> "network manager" applet.

This one is probably the most achievable, and NetworkManager *is* a total
piece of barely-usable crud.  Do however keep in mind the following:

1) The MadWiFi drivers only work for Atheros chipsets, and a *lot* of boxes
have other wireless (lots of Intel chips out there, among other things).

2) MadWifi has been deprecated, and the wireless maintainer's advice is to use
the ath5k and ath9k drivers instead. If those two drivers don't work for your
Atheros, work with them to get the driver fixed - all the other Atheros users
out there will thank you.

3) You *really* want your userspace to be using the mac80211 interfaces instead,
so that they will work with non-Atheros cards as well.

Good luck...

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ