I've worked in enterprise security teams for the last decade. This is spot on. It's retarded and will never change because there is no accountability. Corporate IT don't give no fucks.
Corporate IT is doing what software developers have taught them through experience and Pavlovian conditioning:
Don't touch anything, because it will break if you touch it.
IFF people who release software learn how to release security patches and bugfixes that don't include new features or break existing parts (except when breaking changes are actually needed), then, after several years of good results from pushing changes, Corporate IT will be conditioned to just push security fixes: it's not a big deal, plus it's important.
Unfortunately the world doesn't run off technical ability though. Oracle is a mammoth because it's proficient at extracting value and profit from its businesses. Don't get me wrong, I agree with you in principle, but it's the equivalent of someone destroying artwork and making a gain from it and wondering how they get away with it when the world doesn't care about art, they care about money.
IIRC, Oracle got a huge boost from US government as it was the semi-official database engine developed (for the Navy?) with taxpayer funds, then deployed (again with taxpayer funds). I'm not complaining, the US probably needed a better DB engine, but it was partly luck, partly backroom agreements that launched and supported Oracle for years. That said, maybe I got my facts badly mixed up.
You are probably right. I recall reading that Oracle development was funded by a DARPA-style mechanism, but I may have confused it with something. As MrMorden says in another comment it was likely the CIA who funded the development.
This seems like another strange workaround. We need to change the way the operating system behaves for the future. The problem is default allow for untrusted code to execute. Everyone recognises this as the problem, no one wants to step forward and implement the change.
We do it for mobile, mostly, the desktop needs the same shift.
You're right, but people complaining shouldn't dictate life. People also complain about being crushed by ransomware. Not to say they don't have a valid point, but the paradigm needs to change.
We use trusted stores for certificates and mobile applications; it's time for the desktop to do the same beyond drivers.
Not to say things won't creep through, but default allow needs to go for this to be truly solved, not a new feature or vendor product.
Grsecurity wouldn't exist if Linux made security a priority. It doesn't, because backwards compatibility and features are more important to them. It doesn't mean that because Linus says something so strongly on a subject it is right or wrong; he is generally abusive and rants, and has for years.
Grsecurity is important to some people, not all, and vice versa for the features and backwards compatibility crowd.
Personally I'd hope someone in Linus's position would see both sides of the fence, but he doesn't and always has some mouthy, outrageous opinion. So this is zero surprise.
To be even weakly fair, access is a component of security. If their patches break software, they would be breaking someone's security.
That is, backwards compatibility deserves that high bar. Ideally, you could get security without breaking things. If you can't, at least use care and take incremental steps to get things in.
If backwards compatibility is broken, what you wind up with is a subsection of users that out of necessity use versions of Linux with none of the updates that secure the product. You can't just tack on security patches that break user-required features willy-nilly; there's a big cost paid here.
Some evidence in favor is that, at least in the early days of Linux, Microsoft took the same strategy of prioritizing backwards compatibility over security - and reaped the rewards by becoming extremely popular and extremely full of security holes. So clearly the strategy worked for MS. On the other hand, MS did respond and prioritize security, and was able to pull it off without compromising backwards compatibility too much. (For instance, last week's stack-clash vulnerability straight up doesn't exist on Windows because MSVC and the NT kernel have been doing the right thing with stack probes for years.)
But some real evidence against is that this whole backwards-compatibility thing is a kernel policy, not a userspace policy; no distro cares nearly as much. With the a.out to ELF transition and libc5 to libc6 transition back in the day, and to this day with OpenSSL versions, the GCC 5 libstdc++ ABI change, etc., there's not a ton of backwards compatibility in what binaries you can actually run on a real-world Linux system. It seems hard to believe that the kernel-to-userspace compatibility story is what made Linux popular, given the vast amount of userspace-to-other-userspace incompatibility.
I don't think it's "very" strong. It might just be "strong".
Rehashing MS's 90s-00s history of prioritizing security creates an unfair assumed comparison. Linux doesn't get to control userland the way MS does. I don't want to belittle MS's efforts, but the attack vector is a lot smaller in NT. Linux has way more features and use cases than the NT kernel ever has (maybe by an order of magnitude). We also don't have the complete picture on NT because of the source being closed.
> With the a.out to ELF transition and libc5 to libc6 transition back in the day, and to this day with OpenSSL versions, the GCC 5 libstdc++ ABI change, etc
You need to remember that Linux's use cases are way bigger than being able to build C binaries and stay forward with SSL. It's easy to forget, but Linux is hardly just servers; it is probably the biggest embedded footprint outside the no-OS or RTOS space, with tons of non-PC peripheral and consumer electronic applications. You're calling out one set of features that a huge swath of Linux consumers probably never touched for a decade (remember, it's only been recently that embedded applications have communicated over a network, or had to do so securely).
This might be doing others a disservice. Don't avoid certification altogether, some people actually enjoy the study/test and tangible outcome of certification. I personally have none, it's not for me.
Rather, avoid certification if you just want to have 20 lines on your resume to look like a ninja and brag. I'm a hiring manager in infosec, and same deal: if you brag about certs, I start to tune out.
Yes, as the other comment says. They become eligible to apply for EAD only after 3 months. You then need to wait for the EAD, whose processing time varies depending on location.