• vane@lemmy.world
    link
    fedilink
    English
    arrow-up
    28
    ·
    9 hours ago

    If it was microsoft they would ban github and gitlab account and not give cve.

    • Possibly linux@lemmy.zipOP
      link
      fedilink
      English
      arrow-up
      10
      ·
      7 hours ago

      I’m not a big Google fan but I will give credit where credit is due

      They do put their money where their mouth is

      • vane@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        6 hours ago

        I hate google but they still pay good money to opensource and take responsibility by organizing google summer of code.

  • irmadlad@lemmy.world
    link
    fedilink
    English
    arrow-up
    62
    ·
    15 hours ago

    A separate vulnerability in Linux allows users with limited rights to escalate to root. Tracked as CVE-2026-43499, it lurked in the OS for 15 years. Researchers from Nebula Security said they discovered it using Vega, Nebula’s AI-assisted vulnerability scanner. Matt Lucas, a researcher and founder of RedEye Security, explained

    This will become more and more common as we use AI to find vulnerabilities faster (hopefully) than bad actors can use AI to find vulnerabilities.

        • Reannlegge@lemmy.ca
          link
          fedilink
          English
          arrow-up
          6
          ·
          6 hours ago

          If they leave it out someone else will find it, the days of leaving things out deliberately past.

      • mlg@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        edit-2
        7 hours ago

        20 years of hoarding CVEs down the drain.

        Now they’ll never be able to gg ez their way into any country and will have to actually use their bribery budget to get more implants lol.

    • lambalicious@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      6
      ·
      12 hours ago

      as we use AI to find vulnerabilities faster (hopefully) than bad actors can use AI to find vulnerabilities.

      Oh small, simple child: who do you think has the better access to AI in the first place?

      • Fedizen@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        edit-2
        10 hours ago

        This is a reminder that US scientists during the cold war thought fish were russian subs because they didn’t have biologists on staff

        Judging by the way they’ve treated big companies in the past the NSA is staffed by a bunch of people who use backroom deals with US tech companies to collect their data mostly.

        I actually think a large plurality of them spend most their time tracking/stalking their wives and like people they argued with the day before.

      • irmadlad@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        10 hours ago

        small, simple child:

        Didn’t downvote you but…

        LOL! The level condescension sure is right on point Lemmy.That genuinely got a chuckle. In some ways I enjoy being that simple child. Full of wonderment at this universe around him.

      • pienz@feddit.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        12 hours ago

        The companies who are training AI… On Linux servers?

        Wait no, obviously smaller actors you’re referring to with your mysterious comment.

        Or maybe all the follow on tech companies that are the largest customers using AI aaand who also mostly use Linux

        No no I’ve got it wrong, US government entities want a backdoor so restrict AI releasing, then during that window exploit non-US companies using Linux

  • DarkCloud@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    9 hours ago

    Linux’s “security through obscurity” was never going to last.

    Edit: it’s a common concept in hacking. Shorthand for a type of security through improbability.

    • Natanox@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      3 hours ago

      I don’t know where you got the notion from that Linux as a whole uses this concept, but it’s nonsense. There’s exactly one place where this definition fits, which is the GRUB bootloader encryption (which merely shifts the target for the Evil Maid attack from the initramfs to GRUB). But this is already adressed with Verified Boot.

      Nothing else, let it be LUKS, PAM, SELinux, AppArmor or whatever has any business with STO.

      • DarkCloud@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 hour ago

        From the fact it used to have to smallest user base of the big three. Less users = less probability of a nefarious person.

        It’s really not that difficult a concept. I’m surprised people here are asking what it is.

    • Ooops@feddit.org
      link
      fedilink
      English
      arrow-up
      50
      ·
      edit-2
      13 hours ago

      There was never an actual notion of “security through obscurity”. LInux runs the complete Internet and most coporate server infrastructure. That’s where the actual money is.

      People hallucinating that Linux is something obscure simply have no clue and confused their home desktop for real computing. Windows desktops are constantly targeted not because they are -unlike Linux- so wide-spread but because they are already insanely insecure. They are the low hanging fruit where you can cobble together some cheap shit and will still find million of PCs vulnerable. If you want to find a Linux comparison it’s definitely not server or desktops but cheap IoT devices not having seen an update (or any security to speak of) for many years.

      For reference: We are talking about guests in a virtual pc escaping it’s container. That’s not something obcure. That’s basically all cloud hoster’s whole business model, thus the reason Google pays a lot of money for finding such exploits.

      • egregiousRac@piefed.social
        link
        fedilink
        English
        arrow-up
        14
        ·
        10 hours ago

        Windows desktops are targeted because any place you have a user, you have a vulnerability. The vast majority of Linux installs are servers with extremely limited user activity, which narrows the attack vectors significantly.

    • atzanteol@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 hours ago

      The self-hosted crowd thinks reverse proxies protect you from the Internet. Don’t expect too much of them.

      • nibbler@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 hours ago

        The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.

    • Clearwater@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      14 hours ago

      Security through what now?

      Well, I guess it is obscure… Though only because the number of people who have a full grasp on how the code works is highly limited.