And M$'s "contribution" was maintainance to the kernel drivers for its
Hyper-V virtualization hypervisor, which consist of tens of thousands of
lines of code. Outside of that, M$ was never a particularly significant
contributor to the kernel.
Furthermore M$ didn't do this by choice, they *had* to submit their code
because it contained open source GPL components.
--
Linux -- the Ultimate Windows Service Pack

Linux is the scientific community’s operating system of choice.
CERN’s Large Hadron Collider is controlled by Linux.
NASA and SpaceX ground stations use Linux.
DNA-sequencing lab technicians use Linux.
Really, for applications that require absolute stability,
which most scientific experiments are, Linux is the obvious choice.
http://tinyurl.com/d9ta82o

On Thursday 19 September 2013 12:54, Bit Twister conveyed the following
to alt.os.linux.ubuntu...
It was already 16 million last year, so it'll probably be around 17
million this year. But that amount covers the entire kernel as a
project, not the kernel as it will be installed on your system.

There is the kernel itself. There is the virtual filesystem layer.
There are the filesystem drivers. There is the architecture-specific
code - and Linux supports just about every processor architecture on the
planet. There is the hardware device driver code. Not everyone has all
hardware devices in existence in their computer, and some hardware
architectures do not even support certain hardware peripherals. Then
there are also the optional "hardening" patches like AppArmor and
SELinux.

Yes, SELinux is developed by the NSA - so that GNU/Linux would become
suitable for use on government/military computers - but that code is
audited, and all it does is add checkpoints for mandatory access
control.

Like I said, if a backdoor were to be planted in the Linux kernel, then
it would have to be in the platform-independent core kernel code. And
that part is strictly under control of a number of people, not in the
very least Linus himself.
Microsoft's only contributions to Linux were with regard to having
support for running Linux inside a virtual machine on top of Microsoft's
Hyper-V hypervisor, and possibly with regard to Samba, although I don't
think they've been submitting code for that.

They are probably still contributing code, but far less so, and so their
code contributions were far smaller this year, and so they are no longer
in the top-10 list of code contributors for the past year.

In the past, Microsoft submitted code which was buggy and which they
weren't maintaining, and Linus threatened to kick their code out of the
kernel if they weren't going to submit patches to fix their bugs. After
all, there is no point in having buggy and unmaintained code in the
kernel. Linus won't stand for that.
Especially since the code submissions for SELinux aren't all that big,
and are being audited, like every code submission from a third party.
There are literally thousands of people working on Linux, and by that I
do mean the kernel, because that's what Linux is. The rest of the code
comes from GNU, and a few userland submissions which are important in
early userspace - i.e. udev, systemd - from RedHat. And the number of
GNU developers runs up into the hundreds of thousands. But that's
userspace, and userspace can't exploit anything if the kernel doesn't
have the hooks for that in the form of a serious backdoor or a serious
security leak.
The GIT development system - which was itself also written by Linus
Torvalds as a FLOSS replacement for BitKeeper, which they used earlier -
does not allow tampering. All code submissions are logged, and all code
is checksummed before and after each code submission. If anyone were to
mess with the source code, it would show in the logs.
That is correct, and so far they haven't budged. And guess what:
Microsoft has its own Linux Lab [sic]. Daniel Robbins, the founder of
the Gentoo distribution, left his position as leader of the Gentoo
project behind to go and work there. I don't think he's still working
there now, but he has started a new distribution, Funtoo, based upon the
Gentoo unstable code, so it's more "bleeding edge" than Gentoo itself,
but it uses the same repositories and package management system.
Probably on kernelnewbies.org.
Of course. And Linus is very pedantic too. If it doesn't meet his
standards, or even if he doesn't like the way the code was written, then
it won't go into the kernel.
That is correct. I've done coding too in my time - nothing fancy, not
in the C language, and certainly not any kernel stuff - but when I see
funny stuff, I'll notice it.
Correct.
Linux even has a stack protector in the upstream kernel, and as far as I
know, gcc - which isn't part of Linux as a project because it comes from
GNU - now mainly uses position-independent code for most userland stuff.

Most 64-bit distributions are built that way now, and it /may/ also be
the default on 32-bit now. There was a time when there were objections
against that because position-independent code would slow down 32-bit
systems (but not 64-bit). Don't ask me why.
Like I said higher up already.
I've read about that too, and I think it was the NSA itself. The news
was published just around the same time that the shit hit the fan about
Microsoft and other organizations/companies - like VUPEN - selling zero
day exploits to the NSA.

On Thu, 19 Sep 2013 10:54:58 +0000 (UTC)
More to the point is what software will do that vast job for us. I
think it's likely that it isn't such a big job for computer to compare
known-safe code to code-of-suspicion.

Heh, diff should do, no?

Cybe R. Wizard

I'd have to agree...in a perfect world. That's why I'm baffled by the
number of things that worked in distro release 12.0 and no longer work
in distro release 12.4. In a perfect world, things that didn't change
wouldn't break. And things that changed would be examined and fixed.
And somebody would be running regression tests to verify compatibility
and that all the required interchangeable dependency pieces got included.

You can't deny that there are holes in that system.
And yes, I said distro. The bare kernel is useless to the end
single user desktop.
And the kernel isn't the only vulnerability.

I keep reading about how linux is impervious at the kernel level
and any malware could infect only the user space. On a single user
desktop system, there ain't no difference. If your single user
desktop system is compromised,
the actual nature of the compromise is of no consequence.
See, the kernel is safe...so what?
More than one person is looking at the official, controlled, code.
What about all the code that gets inserted out in the wild?
Safe kernel is good, but it ain't the only place a system can get
compromised. Malware rarely comes from the officially released stuff,
in ANY OS. I classify a backdoor as malware.
In a perfect world, yes. And I'm NOT saying that you shouldn't do code
reviews.
But if they found ALL the funny code, bugs wouldn't exist...ever...
Experts are blinded by their own expertise. They think they know
everything. They cover the bases on what they know. But the world
isn't perfect. Things don't always unfold the way you'd expect.
A fresh view from someone who ain't the expert can expose potential
problems that the experts would never have come up with.

Back in the day, I'd take off my manager hat, don my engineer hat and
walk across the building to learn about other projects.
I'd ask questions like, "what happens to your implementation under THESE
conditions?" Wouldn't take more than about three questions for a hole
to show up.
Some engineers would say, "thanks, you saved me a bunch of grief."
Most responded, "you're not the expert, that won't ever happen, go away."

And six months later, when they built it and it didn't work, I was still
the bad guy.
People are rarely grateful when you try to save them from themselves.
That's another area that baffles me. Many of the windows vulnerabilities
have been reported as the result of stack overflow.
Stack overflow has been a known issue for decades.
Sounds pretty simple. If the stack is full, don't let anybody push
anything on it. Why are there still stack overflow problems?
I agree that it's something you should do. But, for a single user
desktop system like Ubuntu, as a single user, if my system don't work,
I don't really care which ring has the problem.

If you're building a server farm, all these things are extremely important.
As a single user ubuntu desktop system, clicking on something I shouldn't
is WAY more likely to cause me grief than some kernel oversight.
A perfectly functioning kernel is no help if my keyboard is locked up
and 10 porn windows are opening every second.

I'm NOT saying anything bad about linux. I'm merely pointing out
that the myth surrounding it may be overstated.

Of the two threads I've read today, you're two for two.
First punch into the downward spiral for this thread thrown
by your very own self.
And the second...
And the third...

I don't know whether Aragorn's count measures that as one or three,
but the trend is clear.

Correct.
I don't know if I agree with that....that the only thing to go on is the
word of MS and the NSA.

Those that find exploits, either pro-actively to close them, or hackers
that actually use the exploits, would have most likely been able to find
or verify at least some evidence and be able to produce some valid proof
of concept paper, if not demonstrate it outright.

The presence of a registry key with NSA in the name is not "proof".

According to the experts, here, very little has changed under the hood
with Windows since NT was released, and all changes have been superficial
at best. This would mean that the security experts, hackers, and general
MS-haters have had 15 years to try to prove it, and as of yet, have no
evidence.

I'm not saying that there's absolutely no back-door, I'm just saying
there is no credible evidence to support such a claim.

At this point, I have no worries about it.

Absence of evidence is not evidence of anything.

On Friday 20 September 2013 01:52, Mark Warner conveyed the following to
alt.os.linux.ubuntu...
Edward Snowden's documents, which he sent both to The Washington Post
and The Guardian (and probably a few other newspapers), prove that
Microsoft sells zero-day exploits to the NSA long before it decides to
write a patch for those exploits and issue it to its users.

http://tinyurl.com/m947j6t

I'd say that your brain has several quadrillion undetectable jammed
neurons in it.

Except we have detected it. You are dirt dumb.

Your cable company has a better chance at observing you from 'the
other side'.

So, on *nix based systems some kind of account then, everything has to
run under some kind of account doesn't it?
The root user is a user, if not a user then what?
But a compromised account *is* a compromised system isn't it?
But all processes need to run under some account ... don't they?
How can any process be run on a running system if not under an account?
<snip>
This is different though isn't it. You are talking about infection after
installation, as I see it the kind of thing we are talking about is the
ability to access the system in a covert way that is present, available
and enabled 'out of the box' and moreover not accessible or configurable
by any user, including root, although how this might be achieved is
still unclear to me.
Ubu 12.04 64 bit comes with a firewall which I have enabled. I can see
what ports are open and what is listening on them. If my firewall is
hardcoded *not* to show port xxxxx then maybe I can't see it ... just
started looking at wireshark.

lipska