Video download link | md5sum 8ed4cfdf3592835bf34827d2120392c7 Associating Linux With Catastrophe Creative Commons Attribution-No Derivative Works 4.0



Summary: The mainstream media seems very eager to associate "Linux" with security problems, even more so this year because that helps distract from much worse culprits (e.g. remotely exploitable system-compromising holes in Microsoft and other low-quality proprietary software); now that a patch is being offered for a bug (local privilege escalation) the Microsoft-funded media makes it sound like the sky is falling

THERE is a torrent of Linux-hostile coverage today, following more calm and more factual coverage yesterday afternoon.

The video above shows the coverage in (roughly) the order of appearance/publication. It looks like they compete over who can make the most drama/commotion/panic. We saw the same thing only weeks ago.

The problem with some of the sensationalism shown above is, one needs to have a user account, so there's already some degree of trust. Surely, without any exception, accounts aren't being handed out to random people and if those people are clients, then the management likely has their bank account details already (hence real identity and some grip for accountability's sake, e.g. penalty in case of sabotage). Web shells aren't just put out there for anyone to access.

It's worth noting that the bug was discovered by accident, by mere serendipity, and wasn't part of some fishing expedition for severe edge cases. To exploit the bug one needs machine access, one needs to be logged in, not necessarily with physical access but a dedicated account (with ability to issue commands expressively, not through some GUI, i.e. with input sanitisation). It's basically a privilege escalation issue, i.e. users being theoretically capable of executing things at a level higher than they were granted (or manipulation of file at a level higher than one's own). As the fix is already available and was made available before the bug was disclosed the risk is significantly lowered. The false headline from Dan Goodin, as shown above, is probably a desperate attempt to elevate click numbers. Goodin has already been sued for defamation over his shoddy 'reporting' and over the years we called him out so many times. TechRadar, typically notorious for clickbait, actually had a decent headline this time around. ⬆

"Our products just aren't engineered for security."

--Brian Valentine, Microsoft executive

Xenophobia or scapegoating is Microsoft's face-saving tactic of choice, as it's persuasive and alluring (even more effective at times of war)