Buggy Linux USB Stack

[yogi]

I love to find articles like this: https://www.zdnet.com/article/new-fuzzi ... nd-freebsd

Researchers found one bug in FreeBSD, three in MacOS (two resulting in an unplanned reboot and one freezing the system), and four in Windows 8 and Windows 10 (resulting in Blue Screens of Death).

However, the vast majority of bugs, and the most severe, were found in Linux -- 18 in total.

Let me first say that I'm not as anti-Linux as I used to be due to all the research I've been doing with it over the past year or so. Yet, there are some basic flaws in the arguments I hear regarding Linux vs Windows. My favorite has to do with FOSS, but this article is about vulnerabilities that lead to security issues. Linux has always been advertised as way more secure than Windows, but some high level researchers recently found way more flaws in the Linux kernel than they did in Windows. I'm not happy that the Linux kernel is flawed, but I am glad that somebody has hard evidence against that security argument Linux supporters like to use.

The article is more about the device used to test the USB stack, which they overflowed using a portable USB fuzzer. This is just a gizmo you plug into a USB port and send gobs of random data. That causes what is known as stack overflows, and it is at that point the system (any system) becomes vulnerable. The Linux kernel development team knows about all these things but apparently is a little slower than the rest of the field getting patches made.

[Kellemora]

Not much different than a denial of service attack by flooding a system with more than it can handled causing a crash.
That doesn't mean they were able to hack into the system and steal data from it.

Almost all hacking is done by getting into a computer through a program they installed that left doors open for them to do so. Heck, most of the browsers out there have gaping holes put there so outside services can make use of them for data to do whatever the outside service does, whether for good or for evil. But once those doors are known by the good guys, it's not long before the bad guys find out about them and use them to hack into peoples computers.

With as big as the kernels are getting by including all the drivers in the kernels, all it takes is an open door in one of those drivers and the problems begin.

Hackers keep looking more and more at Linux than they ever have in the past. But this is because so many devices are now using the Linux kernel, and then folks with Windows computers are viewing the information from those devices.
Many Schmartz-Fonz are also connected to the owners WiFi system which is an open door into all their devices using same.

Check out how many folks have been hacked through those RING doorbell cameras, even when they themselves don't even have one, but can view one, that's all it takes.

[yogi]

Stack overflow attacks often cause the kernel to crash and thus allow access to parts that can't be reached otherwise. DDoS attacks use up all the network ports to prevent anybody from connecting at all. The two are almost opposite approaches to hacks. Most hacks from what I read are done by people who have legal access to the system. This approach could involve an outsider that has the proper login credentials of the system admin, for example, but a lot of disgruntled employees are also giving gray hairs to security enforcers. This is why phishing is such a popular sport. The idea there is to gain legal access without a need to hack a system flaw. The next most popular method of hacking is to trick the sysop into downloading an executable. Those are the things that get the most publicity but in fact are the least used methods by the pros. Brute force is probably non-existent these days but you would not think so by the way people insist you create complex and impossible to remember passwords that are hard to guess. Guessing might become popular again when quantum computing gets cheaper, but for now there are better ways.

[Kellemora]

Some people only live to mess with other people and cause problems they themselves will never know about.

What I worry about most is hackers getting into the nuclear power plants or our utilities systems.
Seems like for safety, all of their controls would be 100% in-house with no outside connections.
Some of our electric repair trucks have the ability to remotely turn off power line runs.
What if someone hacks into it and turns it back on while they are working on the wires?

Going back to when I was a teen, being a ham helped figure it out since we could monitor the signals.
We had several traffic lights that used Tone Signals to trip the relays.
All we had to do was tune to the band they were using and record those signals.
Then practice keying the mike on a CB radio to the exact beat used at each light.
Seems like we had to be on channel 7, and you had to have the beat just right.
So it wasn't just the pitch of the tone, it was the pulse the lights waited for.
Traffic light relays prevented them from being green in all directions. If the relay tripped from red to green, the other side went to red, after the yellow pause.
We had phun with this until enough of us figured it out and they put some type of filter that blocked us.

Although it was not done on purpose. One of the filter tanks went bad on the hospital paging system, and it kept causing two or three of the tornado warning sirens to go on for about 15 seconds each time they paged a certain beeper. It was the doctor who owned the beeper that put two and two together and reported it to the hospitals communications department. All he said was something like, I don't think this is a coincidence as it is happening too often. Every time my beeper goes off, so do the warning sirens for a few seconds. The hospital got a repair crew out there real quick to check their system to see what's up, and also gave the doc a new beeper. Some folks said they never fixed the problem, just put that beeper under lock n key, hi hi.

Speaking of beepers. You wouldn't believe how many of them were squealers. Meaning folks could hear them running.
I never had a squealer, but did hear a couple on folks walking around in department stores, and they couldn't hear it themselves, but other people could.

Beepers were about the easiest thing to hack into using ham radios and a code key.

[yogi]

Don't want to scare you too much, but it has been published already that Chinese state actors are manipulating our power grid. There have been select mass outages over the years, some of which were suspicious. The opsec people say it's the Chinese military and each attempt to shut down the system is getting bigger and more successful. They are probing and testing at the moment but will eventually be able to turn out the lights everywhere if this trend continues. On the positive side we are not just sitting back and watching it happen. However, each shut down is a surprise and could not be prevented entirely.

I don't know about messing with traffic controls. Sounds like something that could land you in jail. LOL

[Kellemora]

It is areas like this where the computer age is actually becoming a problem as more and more places, especially utilities and the like move over to using computers, which are susceptible to all kinds of attacks.

If they stayed with using Manual Switches for everything, and only use computers to keep track of the switch positions, things wouldn't be so bad, as the hackers couldn't turn on or off anything remotely.
However, they could fake a call to turn one of the manual switches off.

Don't know of this is true or not, but there was a story going around when Debi worked at Nova, a company who handled credit card transactions. They can see when a hacker gets in and trying to get deeper into the system, and they can usually knock them back out easily enough. But supposedly there was one who not only got in, but was working his way through the system and the blocks were not working. They tried shutting down as he was getting into the databases, and they found themselves locked out. One of the IT guys ran out to his truck, grabbed a shotgun, loaded it, and shot the power wires to the building which killed all the electric to the whole building.
Poor guy got fired, even though he stopped the hacker from getting to the data, hi hi.
It was just a story floating around when Debi was working their, and supposedly happened a long time before she ever started working there, so is probably just a mythological story to make it look like their system was more secure than it really is, hi hi.

I don't think anyone ever got in trouble for causing the traffic lights to cycle in your favor faster than normal by sending pulses. But they did add filters or made changes so it didn't work for very long, after so many learned about it, hi hi.

[yogi]

The stories I've run across about network security suggest the utilities network is the least secure of them all. There isn't really much of value in those network controllers so that stealing data isn't the motivation to hack them. There is a lot of concern about the unexplained outages only because of the strategic significance of some state actor being able to turn our lights out. The security efforts made in that area were meager to non-existent. It costs a lot of money to lock down any big system so that the utility companies never paid much attention to it. I believe that is all changing now.

The shotgun toting IT guy sounds like a made up story. LOL Those are the kind of things that have an element of truth in them and people expand on it from there. It is indeed possible to track an intruder particularly if they go into parts of the system that are restricted. This should set off all kinds of alarms. However, as I mentioned elsewhere, the latest approach to hacking is to not intrude from the outside. The hack wanting to steal data from storage already has the pass phrases to allow him to do it. The tracking software sees it as an authorized access and doesn't usually flag it. With people working from home, this is a very tempting way to hack because a legitimate user can be spoofed easily enough.

[Kellemora]

One of my first wife's uncles worked for a small power company in the county right before you got to Phelps County.
When I say worked for, he was pretty high up on the food chain, one of the main system controllers.
As the town grew they added a second steam plant, and about the time they were ready to build a third, a higher up said they should connect to the power grid, it would be cheaper and they would have fewer outages.
They had next to no outages as it was, and after they connected to the grid or main service lines, next came closing the older steam plant. Once that happened, they had more power outages than in the history of the towns own electric service, and of course, the cost kept going up.
Most of the old town areas were on a smaller local grid, or at least by twin service like we were in St. Louis County.
But none of the newer areas had any type of backup. It was single feed to nearly everything new. Much like how things are down here!

I do know after Nova became Elavon, they made major changes to their IT department. It is supposedly hack proof due to something they call air-gap and independent local systems. Store terminals are isolated in X-number of connections that are not linked physically with any of the other systems. Data can only be moved from one system to another internally, or so they say.

[yogi]

Yes, an air-gap security system is nearly bulletproof. The problem with them is the transfer of data. It can't, or should not, be done; everything must remain internal to the system. The invention of USB memory sticks made things a little easier. Data can be transferred from machine to stick then to another machine. It was then discovered that USB memory can be compromised. I don't recall how exactly the data on the stick got to the outside world, but that is what a compromised USB memory stick allows. It has to do with radiation during the data transfer. The bad actor must be fairly close to the stick in order to pull off the robbery and that is not likely to occur. It's still the best system around, but not 100% bulletproof. Only 99.9%. LOL

The problem with upgrading old systems is exactly what you describe. There is no substitute for the old way. It's the new way or no way. Thus when the old way becomes obsolete there are limited choices. You can stop what you are doing altogether or convert over to the new way. Because the new methods are modern and of a different generation that the original, the methodology is more complex, i.e., more expensive. Anything made today cannot be done for the same price it was fifty years ago. When it comes to public utilities it's not just a matter of old vs new. The reason changes were made lay in the growth of the population. More people to serve must require more expense to accomplish the task. I often wonder how utility companies manage to stay in business. They are highly regulated and must plan expansions and rate increases many years in advance. Then they must petition the authorities, public hearings and all, before permission is granted; or in most cases denied. By the time the increase is approved, even greater increases are required and what was approved won't cover the greater needs. No normal company can operate that way.

[Kellemora]

Memory stick (USB sticks) do make several things easier, and they are faster than swapping out 5-1/4 floppies, hi hi.
As you know, my accounting computer is NOT on my LAN, it stands alone. I do have it on my KVM switch though.

I must have been confused about what they call air-gap technology. I thought it meant they used a laser light transmitter and receiver sorta like WiFi only direct line of sight laser lights. Although in retrospect, I don't see how that would stop a hacker since the data is still being transferred from one machine to another. I guess I thought that from a system I saw in a company I was at on a tour one day.

I can copy my data to USB stick using the port on my KVM, and then switch computers and copy the data from the USB stick to my main computer in order to print or send it to someone on-line. When I was doing backups to the house, I would plug in a LAN cable just long enough to do the transfer. But now, no LAN is connected to it at all. I just use a USB stick like I mentioned above and transfer it to my computer then to the house. At least I know no one can hack into my accounting computer because it is not connected to anything, hi hi.

Each time I did a major upgrade of my system, I would create a new partition, or use an older partition, and install the new OS on the clean partition. This solved a lot of problems of doing a system upgrade over an existing install. Also, I still had the old system to fall back on. I was even leery of moving a copy of my /home directory to the new install, because it might be missing something the new install needed. So I would only move my data folders over.
Having so many computers and never deleting anything is how I ended up in the pickle of having so many copies of everything, and now I'm checking every folder and file to see if they match and if not why not, hi hi.
Very slow and painstaking process!

[yogi]

The term "air gap" generally refers to a secure network, or single computer. It is secure because nobody and nothing touches it directly from an unsecured network. Imagine you and I exchanging some sensitive data. I generate it on my computer which for this example is defined to be secure, i.e., I alone have access to the data. There is quite a bit of "air" between O'Fallon and Knoxville, but lets assume you need this sensitive data for your secure network to operate. Keep in mind that neither my network nor your network ever came into contact with anything that might be a security risk. In order to preserve that level of security, the data could be placed on a storage medium and hand carried, or in our case I would drive over in my car and have that USB stick in my pocket until I reached your place. You plug the USB memory into your secure system and extract the data. The USB stick is then put into an acid bath and dissolved.

This is not fantasy, by the way. There are systems, air gap system, where this kind of thing happens all the time. The .1% security risk in my example occurs when I put the data onto the USB memory stick. If it is compromised it will amp up the signals just enough for the spurious radiation to reach the bad actor with a receiver hiding in the bushes outside my window. It has been shown that this can be done easily with the thief standing around in the same room while the data is being transferred do the stick. So, when I do the transfer, nobody is allowed in the room. I could line my walls with the same kind of metal you have around your fortress above the garage. In fact, if I had data that was as sensitive as this example depicts, that's exactly what I'd be doing.

Basically, that's what air gap networks are all about.

At least I know no one can hack into my accounting computer because it is not connected to anything, hi hi.

If you transfer data from your (secure) accounting computer to some other network, that transfer is the risky part of the operation.

We talked about upgrades in the past. Linux seems to have a problem doing that even tough its promoters say it's flawless. The help forums are full of people who have major problems after upgrading an operating system. A clean install is the only way to fix those problems most of the time. So, you have the right approach. Don't upgrade. Always do a clean install and then modify things that can be modified after that. As far as keeping multiple copies of everything you ever touched goes, well, that's not an area tech support can help you with. LOL

[Kellemora]

If you recall, I was so leery of WiFi, when I did buy a WiFi router, it was connected to my existing router and only two IP addresses were allowed to connect to it, and they had to also use a password, hi hi.
I basically had the same settings on both routers, plus the firewall.
My original router finally gave up the ghost, so I pulled it out and now only use the WiFi router in the house.
Plus I now have an Access Point router in my office hardwired to the LAN.
It has its own password. But the router itself needed one to connect to my other router.
I didn't want to use it as a Repeater, but it would have saved a couple of problems, until I ironed them out.

Going way back to when I first set up my LAN from the house to the office, I used to unplug it from my LAN Switch when I left my office at night. Turned out that wasn't such a good idea for several reasons. The big one was all the computers had to resync the clocks again, and things they did at night no longer worked, so I had to wait for them to all upgrade themselves, not the OS, but things like weather, time, notices, etc. The second was, those little plugs wear out, not the plug but the socket in the Switch must have got worn or scratched in such a way it wouldn't have a solid contact all the time. I guess they only have a super thin film of gold plating on them.

It's been a few years, but I tried a Rolling Upgrade once, I think it was when I was using Ubuntu, but could have been something else. It caused me more grief than Carter's has pills. Especially if it upgraded the kernel because it didn't keep my drivers when it did so. So many times I faced a black screen because it dropped my video driver or installed one it thought was the one that worked. After a while I found out I could block the kernel upgrades but take the other upgrades, and then upgrade the kernel manually later. Even so it was a big hassle to recompile the kernel.
No longer had this problem when I switched to Debian and did not allow auto-upgrades.

I don't know how they do it, but I learned the reason my host provider is always up.
When they upgrade their servers, they only do them one bank at a time.
But before that happens, they route all the users over to another server and don't start the upgrade until nobody is on that bank of servers. Companies that are always live require a different method to ensure they have no downtime, not even for a split second, but they didn't say how they handled doing the upgrades in those cases. But somehow they do it without the log-in dropping. I don't know much about servers, but since they use so many computers and drives, I assume they are not always on the same computer anyhow. Either that or they might be able to twin a connection somehow.

I guess I'm just to old to figure some of this stuff out, the way things move forward faster than I move, hi hi.

[yogi]

While it's technically feasible, it's not a good practice to have more than one router on a given network branch such as your home LAN. There can be conflicts and performance degradation when two or more devices are trying to do the same thing. There are domain controllers to handle multiple routers but your situation doesn't warrant such an investment. I can sympathize with anybody who is hesitant to use WiFi, but oftentimes that concern is exaggerated. It's true that your LAN is vulnerable to intercepts when it's broadcasting over WiFi, but does it matter? When it comes to networking it's best to keep the KISS principle in mind. Fewer opportunities for error means more consistent performance.

It does seem like a small miracle when big companies update their servers. We had only a few under my watch at Motorola and all the updates were done on live systems when possible. When it was not possible the server updates were performed when there was low usage, such as on Sunday nights. When you get into dozens or hundreds of servers such as an ISP might maintain, in some ways the problem is simplified. There must be redundancy to cover any network outages or DDoS attempts, and it is pretty common to do exactly what you described. The traffic is moved off the target to be updated so that there is no interruption in service. The the updated server(s) is hot swapped into the system. Here too you don't want to do such things during times of heavy traffic, but in theory the end user would never notice when one of the servers in the bank went down or came on line. It's all transparent.

There are a few Linux distros that live on rolling upgrades. I guess I have some in my collection and they do happen to upgrade without incident. It seems to be a trend lately for maintainers to favor rolling upgrades, or at least make it an option. My Android clever phone seems to use rolling upgrades because it has new features that never required a full install to enable.

[Kellemora]

It's been a long time ago, but I think I could set the WiFi router to NOT be a Name Router and let the big router handle that. So it a way, it didn't act any different than a LAN Switch.
And the WiFi router I have up here is set up as an Access Point, so it too is not acting as a Name Server.

Makes sense on the main servers getting redundant in order to pull one offline long enough to do an upgrade.
I don't see why the signal couldn't be switched easily the more I think about it.
Look at cell phones as you hop from tower to tower while driving down the road and the calls do not drop.

Linux Mint 19.3 seems to have some upgrade nearly every day, sometimes more than once a day. Then it may go three or four days without an upgrade, then a whole slew of them one right after the other.
I have Mint on another computer, probably version 18 I suppose and it is rare to get an upgrade anymore.

Currently the weather apps on all of my computers seems to be down. I like to know what the outside temperature is, and am connected to two different weather sources, and both of them are currently down, and have been for a long time now.

[yogi]

I'm not sure to what you refer when you mention Name Router. I know you and I have different terms for the same thing, but I can translate what you mean most of the time. LOL There is something called a Domain Name System (DNS) that is generally a server that has lookup tables to translate URL's into IP addresses. Frequently the DNS is resident at your ISP's site but it does not have to be. A lot of places offer DNS service and you can even do it yourself on your own equipment if you were so inclined. DNS is a bit like the host file in your Linux system; DNS keeps network clients organized while your host file does similar translation for your local machine only.

A router simply sends signals to individual client nodes on the network. It's only a switch in it's purest sense, but a rather smart switch. It's pretty hard to buy a device for your home that only does routing. A lot of other junk tools and apps often are packaged with the router. I suppose it could be possible to have settings that would disable the routing ability of the router, which seems like a rather odd thing to desire. In that case you would have a bridge that simply allows all signals to pass through the box to all clients on the network. Some other hardware could be doing the actual routing in that case. Access points and switches are just entry points that can be added to an existing network, but neither does any actual routing of signals.

There is also a Dynamic Host Configuration Protocol (DHCP) which generates and assigns the IP addresses for devices on the network. It's often packed into the same box as the router, but this service too can be on any device tied to the LAN. The DHCP service assigns IP addresses to the devices that are receiving the router's signals. It all sounds complex if not messy. In reality it's pretty simple when viewed from a functional diagram point of view.


I don't use Linux every day in spite of the fact I have around half a dozen or more distros at my fingertips. If I let them all sit idle for one week, they all are out of date and require updates. Contrary to popular belief, more likely than not they will have to be rebooted after the updates. That usually is only done when kernel mods are added, deleted, or modified or when the kernel itself gets updated. That happens frequently and is considered a benefit by many Linux users. It's a royal PITA as far as I'm concerned. I'll be checking into my Linux Mint 19.3 this week and if my memory serves me right it is one of the OS's that switched to rolling releases. Of course a standard version install is always an option, except in my case where it seems to be a requirement in the majority of cases. Oddly enough the version numbers can change even with rolling releases in Linux. That's how Mint got to the .3 level. Windows is still Windows 10. They too have feature releases about twice a year, but the version remains the same. That is truly a rolling release model.


I'm not surprised to see your comments about the weather programs. They all work fine until you need them, such as when a major storm or hurricane threatens. Then the entire weather network seems to go bonkers. They obviously don't have enough servers to handle any high demand. It's been like that as far back as I can remember too. I have some specialty programs that seem to be immune from this kind of overload, Windy and Real Time Lightning. You can't get the kind of information you do for the general apps, but you can track the storms very well using these special programs. And, oddly enough, the weather apps on the clever phone are never affected like the PC programs are. At least I've not seen it in my case.

[Kellemora]

Yes, DHCP is what I meant, hi hi.

The maintainer of the weather app has abandoned it, and Yahoo dropped it as obsolete.

There are a few new options now, but you have to install the location in your local repository list, then sign in with the service, then install the new applets.

Says Yahoo dropped it way back in January, but it still worked through March if yours used an api, whatever that means.

Windows 10 has NUMEROUS Versions, they just don't show them as different numbers.
https://en.wikipedia.org/wiki/Template: ... 0_versions

[yogi]

OK on the DHCP. For sure you will have trouble if there is more than one of those servers on your network.

As far as versions of Windows goes they are rolling releases. The codename column tells you when new features were added to an existing model, but they are all considered updates, not upgrades. They don't redevelop a new version of Windows each time there is an update. Ubuntu, for example, spends two years between its LTS releases building an entirely new operating system that for the most part is not backward compatible. The kernels are dramatically different and I believe that is the single most problem with upgrading instead of dong a fresh install. That is the beauty, or marketing gimmick, behind the concept of Windows as a service. Linux is not a service and thus developed along entirely different lines. As far as I'm concerned it doesn't matter how they do it. Linux gets a clean install with every different release. Windows gets reinstalled every week on my laptop because I'm doing the beta testing. I'm in that bottom line group you see in the chart under the name of Fast Ring.

The most important development issue that separates Windows from Linux is the methodology used to build the operating system. At Microsoft the operating system is built as a single unit. Each department must validate its contribution to verify that it wont break the core system. This is a team effort. At Linux building an operating system is done by a committee with each member going it's separate way. You know, there is Debian, for example. Then there are dozens of independent developers who don't bother to check out Debian to see if it works with their brainchild. All the Mint people are interested in is the Mint part of the operating system. The Ubuntu and Debian parts could be broken but that's not their problem as long as the Mint environment works. That might give testimony to validate the concept of Free and Open Source Software, but it sure isn't a great way to build a reliable operating system.

[Kellemora]

There are literally thousands of people writing programs that run on Windows of which Windows really has no control over, other than licensing.

Programs like Ubuntu OS, or Linux Mint OS are just that Programs that run on the Debian OS.
They are not actually an OS although they claim to be. They are a program running as an OS on another OS which does most if not all of the work.

Just like Windows Programs have to rely on Windows OS to function, Ubuntu, LInux MInt and others written on top of Debian, rely on Debian OS to function. And Debian relies on GNU to function, hi hi.

Debian must be pretty dang reliable for others to add their bells and whistles programs on top of it and call them an OS.

[yogi]

Reflect for a moment on what you just described. I'll expand on it even more to make my point clearer

There is the Linux kernel developed, maintained, and curated by Greg Kroah-Hartman of the Linux Foundation.
There is the GNU system when combined with the Linux kernel becomes an operating system developed, maintained, and curated by the GNU Project team. I will discount the existence of BSD and the dozens of alternatives to GNU in that all of them are considered operating systems of one sort or another.
There is the Unix shell, KDE Plasma 5, MATE, Cinnamon, Unity, LXDE, Elementary OS, Xfce, and dozens (if not hundreds) more user interfaces developed, maintained, and curated by anybody who thinks they can.
There is Grub, the bootloader for Linux, which technically is part of the GNU project but is developed, maintained, and curated by ... does anybody really know?

Over at Microsoft there is Windows which is developed, maintained, and curated by ... Microsoft.

The third party programs to which you refer are intended to run on the operating system and are separate and apart from it. My observation about how Linux and Windows are developed has nothing to do with the apps you might run after the product has been released. In the land of Linux cooperation and coordination between all those elements is assumed but not enforceable. Each component is separate and the maintainer is not obligated to anybody but their own self-interests. At Microsoft all those elements are under one roof and managed as a single product.

[Kellemora]

Windows is like a prison cell with a window, you can look out and see the world, but that's about all you can do.

Linux is like the world and everything in it, you are not locked in a cell and are free to choose how to use it, and how you want it to look, and how you want it to work for you and in what manner.

At one time, Windows was on a roll as far as dominating the server market, and were way ahead of everyone else, including UNIX. But the inability to handle SQL properly started pushing them further and further back.
Eventually UNIX became the dominant choice for servers, and then Linux came along which could run on smaller computers and stole the show from Windows. As more and more companies moved from large bulky computers to small computer arrays, Linux was about the only thing that could handle this work efficiently and fast. However, Windows still held it's own on the desktop workstations and stand alone personal computers. So much so, they dominated the desktop market, and still do. But if you look around, more and more people are using Schmartz-Fonz instead of desktop or laptop computers. Very few of these run anything made by Windows.