Linux is so secure! Windows is so insecure!

Just recently I mentioned how Linux is mostly just more secure because it’s less popular, while essentially being technically just as prone to security errors as, e.g., Windows is.

Now, a couple of days later, we get this, as if someone wished for it to surface:


That’s a bad one … actually in a place where I wouldn’t have suspected it.


Surely they would need my password to gain access? Plus I’m not connected to anything with remote access. I’m not a server. Would they only be able to gain access whilst sat in front of my computer?
This report is not very clear, mostly computer jargon that I am unfamiliar with, especially the tables about how the security team went over the lines of code, which read as jargon to me. Is this vulnerability aimed more at servers? Answer: no, it’s worldwide. They were not clear enough about how the hacker would get into my computer, if my computer was going to be attacked??

I think it is going to be the norm from now on, if Linux is to keep up with today’s tech? The lines of code in the kernel now go way over trillions and trillions. Think of the amount of man and woman hours spent writing or adding code to it, then having to get it passed to say it works, let alone finding any bugs or vulnerabilities. Plus I highly doubt that Linus Torvalds is happy about this? I watched this video of late, with news of what is going on in Linux, but do we take it at face value?

Sure. But most servers on the entire earth run plain old Linux. So this being a vulnerability for servers makes it much worse in this case.


I see, by being able to transfer it over to other computers which are updating from their servers. I get it now. It takes me a while to cotton on, because I was getting my head around what I was reading in the report.


I would say this is one of the results of relying on C as the main (only) implementation language for the kernel.

If I understood the article correctly, here we again have a too-long “string” (path lengths > 1GB) poking into areas of memory where it doesn’t belong (like in >90% of all critical security breaches). The reason for that is obviously that C doesn’t have a proper string type in the language core. All strings in C are in fact arrays of characters with some ad-hoc wrapper around them.

Whilst, of course, C++ (not C) has the standard library with its string and list types, their not being part of the language core leads to the ridiculous situation that nearly every bigger software project has its own implementations of these rather basic data types, creating the need for complex type-casting operations which add additional security risks.
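As an added illustration of the point above, that a C string carries no length of its own so nothing stops a copy from running past its destination, here is a small example that is not code from this thread or from the kernel: a hypothetical fixed-size path buffer, the unchecked copy pattern shown beside a capacity-checked version that refuses anything that does not fit. The buffer size, the function names and the constructed long path are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size destination used by this example. Real path
 * buffers are sized differently; the pattern is what matters. */
#define PATH_BUF_SZ 64

/* The pattern behind most C string overflows: strcpy() is told nothing
 * about how big dst is, because the "string" is just a char array with a
 * terminating NUL. Shown only for contrast; this example never calls it
 * with input larger than dst. */
void path_copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: the caller passes the destination capacity and the copy
 * refuses anything that would not fit, including the terminating NUL.
 * Returns 0 on success; -1 with errno set on failure. */
int path_copy_checked(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0) {
        errno = EINVAL;
        return -1;
    }
    /* strnlen() stops after dstsz bytes, so a multi-gigabyte src is never
     * fully scanned here and can never claim more than dstsz bytes. */
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz) {
        dst[0] = '\0';            /* leave a valid empty string behind */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus NUL, all within dstsz */
    return 0;
}

/* Constructed input: a path of `len` 'a' characters on the heap.
 * Caller frees it. */
char *make_long_path(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'a', len);
    p[len] = '\0';
    return p;
}

/* Returns 1 if the checked copy rejected a `len`-byte path with
 * ENAMETOOLONG and left the buffer as an empty string, else 0. */
int checked_copy_rejects_long(size_t len)
{
    char buf[PATH_BUF_SZ];
    char *p = make_long_path(len);
    if (p == NULL)
        return 0;
    errno = 0;
    int rc = path_copy_checked(buf, sizeof buf, p);
    int ok = (rc == -1 && errno == ENAMETOOLONG && buf[0] == '\0');
    free(p);
    return ok;
}

/* Returns 1 if a path that fits is copied byte-for-byte, else 0. */
int checked_copy_accepts(const char *path)
{
    char buf[PATH_BUF_SZ];
    if (path_copy_checked(buf, sizeof buf, path) != 0)
        return 0;
    return strcmp(buf, path) == 0;
}

int main(void)
{
    char buf[PATH_BUF_SZ];
    /* Only safe because we happen to know this literal fits. */
    path_copy_unchecked(buf, "/etc/hostname");
    printf("unchecked copy (short input): %s\n", buf);
    printf("checked copy accepts short path: %d\n",
           checked_copy_accepts("/etc/hostname"));
    printf("checked copy rejects 4096-byte path: %d\n",
           checked_copy_rejects_long(4096));
    printf("checked copy rejects %d-byte path (no room for NUL): %d\n",
           PATH_BUF_SZ, checked_copy_rejects_long(PATH_BUF_SZ));
    return 0;
}
```

The checked version is the same shape as the "ad-hoc wrapper" the post describes: the length travels alongside the pointer as a separate argument, and every copy is bounded by it. Note that a 63-byte path still fits (63 characters plus the NUL), while a 64-byte one is refused; off-by-one at exactly this boundary is the classic mistake.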


Thank you, soulmate. 😄

I’m preaching and preaching and most people don’t want to hear this: if they simply used a safer and slightly slower language, or a language like Rust, which is mostly pretty much the same, none of that would have happened.
The biggest valid excuse they have for using C is of course historicity, so we can’t really blame them.
BUT we can blame all the people saying C is fine in 2021…

Allow me to share a photo of the stereotypical C programmer and advocate:


This is fine, mull it over a cup of tea.
All problems seem to ease with a nice cuppa tea?
Something horrific happens, like back in World War Two when a bomb crashed through the lounge.
Let’s have a nice cuppa tea? I’ll pop the kettle on, it’ll all be better after a cuppa tea.
Heard that a lot as a child; the question that I always ask is:
What are they putting in the tea to make everything better?


The idea that a good cuppa fixes everything is very British.

We Germans would rather say: Have another beer!


Crap - not looking forward to getting pinged next week by “security engineers” (they’re not even engineers! All they do is clickety-click-click on their numpty little graphical doohickies - find something and say “here - fix this”, or “here, investigate this” - the worst ones are “off-shores” from a remote location and they’re genuine numpties - and I’m being polite - they get paid per security ticket they log against us infrastructure people - but they OFFER NO F–KING advice on how to remediate or ameliorate - hence they’re f–king numpties)…


So they won’t just send you the patch? They’d rather you go through trillions of lines of code yourself?