Solved Linux security issues

Solved issue

James888

Member
Joined
Jun 13, 2023
Messages
40
Reaction score
17
Credits
487
Background: I have a security clearance (inactive for now) and as part of that security clearance, I receive free online security classes and newsletters from the NSA or military, and I pay attention to those classes. So when I see questionable things, it makes me suspicious (and as one my online classes puts it, "You can never be too paranoid when it comes to security"). So put on your paranoid caps along with me and let's go for a ride down security lane...

Today I received a notification for 16 system updates on Mx Linux! The problem I see with that is all of the updates are prefixed with "firmware-", for example firmware-atheros, firmware-linux, and firmware-brcm80211. I recognize Atheros for the wireless card I have but what does "firmware-linux" imply? My motherboard firmware? I don't want Mx Linux updating my motherboard firmware. And what the heck is firmware-brcm80211 for?

All of these updates should be documented somewhere before I download them, but I cannot find any documentation on the Mx Linux website for these updates. That is a yellow flag to me but I'm not going to the forum for Mx Linux to ask about it because my personal experience with Mx Linux so far is hostility towards me. So could someone find out for me where and what these updates are for?

Issue with this update: Incorrect terminology. According to the Debian website

What is firmware? Firmware refers to embedded software which controls electronic devices. Well-defined boundaries between firmware and software do not exist, as both terms cover some of the same code​

That is a half-truth, which to me is a yellow flag because technically firmware refers only to embedded software, and software is defined as "a set of instructions, data used to operate or execute specific tasks on a computer". It is logically impossible for a well-defined boundary between firmware and software to not exist because by definition, firmware is very clearly defined as a subset of software, and not the other way around.

Firmware is defined as embedded software, meaning a non-volatile chip on a physical device (mouse, graphics card, etc) is programmed, so from what I can see what they should have named these updates is "driver-*", since a driver is yet another subset of software written for helping the OS kernel interface with hardware. It is not firmware. Incorrect terminology is another yellow flag to me.

What all Linux distributions need to do (please) is:
  1. Stop getting their terminology incorrect so your intentions can be transparent.
  2. Avoid obfuscating terms so your intentions can be transparent.
  3. Document all updates online with a list of the updates, a reason for the updates, and names of who wrote the software. This is for accountability purposes, since it can be a way to track corporate shills who would love nothing more than to undermine Linux (and such corporate espionage or undermining of competition has been documented before).
 


since mx linux is based on debian (i am writing from mx 21), you can use apt to get info about the packages. from apt show firmware-linux:

APT-Sources: http://mirrors.rit.edu/mxlinux/mx-packages/mx/repo bullseye/non-free amd64 Packages
Description: Binary firmware for various drivers in the Linux kernel (metapackage)
This package depends on both free and non-free firmware which may be used with drivers in the Linux kernel.
so you can see (among other things) a description of the package and where it is sourced from depending on what repos or mirrors you have set up. you could check the changelog with
apt changelog firmware-linux though i am not sure if that will show the new changes to the pending upgrade. you can check all files installed by a package with
dpkg -L firmware-linux
 
And what the heck is firmware-brcm80211 for?
Broadcom wifi

firmware-linux
Software to control hardware on your motherboard

firmware-atheros
Software to control Atheros products

But then if you had looked them up yourself, you would have known that...
That is why I know brcm80211 is an IC and Atheros is a product name, both of which belong to the wifi controller built by Qualcomm, which makes both names misnomers. They should have named it "driver-Atheros-wireless" and "driver-Atheros-ethernet".

And "Linux" is not the name of my motherboard. I know because I looked it up :D
 
Stop thinking Microsoft
if you run windows, then you need to install propriotry drivers from the motherboard manufacturers, With Linux most of the motherboard drivers are a part of the kernel [unless you have had to install extra non-free drivers for a specific part]
Using MX then most of your updates will have come from the Debian repositories and are perfectly safe, other updates will come from the MX repository, and will have been approved by the MX developers. IF you are worried about security then dont install any applications not in the distribution /base repositories

LINUX IS NOT WINDOWS
 
Stop thinking Microsoft
What's that?
if you run windows, then you need to install propriotry drivers from the motherboard manufacturers, With Linux most of the motherboard drivers are a part of the kernel [unless you have had to install extra non-free drivers for a specific part]
All drivers, proprietary or open source, are part of the kernel.

On Windows, proprietary drivers cannot be considered a "need" when it is forced upon us by Microsoft.

Open source drivers can work just as well on Windows as on Linux, but Microsoft won't allow it, allegedly for "security" (or is that FUD?) reasons, which is one of the many reasons I chose to abandon Microsoft Windows.
Using MX then most of your updates will have come from the Debian repositories and are perfectly safe, other updates will come from the MX repository, and will have been approved by the MX developers. IF you are worried about security then dont install any applications not in the distribution /base repositories
I didn't know there was such as thing as "perfectly safe". That's not what they teach in cybersecurity classes and I'm just following the protocol for security.

Files with misnomers is a yellow flag.
LINUX IS NOT WINDOWS
Thank God :)
 
That's not what they teach in cybersecurity classes
and they are correct, nothing even in life is safe, you have to have the ability to make your own choices, but you also have to be ready to take on acceptable minimalised risk, If not then you may as well give up everything and wrap yourself in cotton wool.
 
and they are correct, nothing even in life is safe, you have to have the ability to make your own choices, but you also have to be ready to take on acceptable minimalised risk, If not then you may as well give up everything and wrap yourself in cotton wool.
You are also correct. The problem is knowing how to minimize risks or when to recognize when the risk is minimal. "Trust me this is safe" is not one of those ways. Asking the right questions always helps though, hence the reason I tried to ask the right questions.

The answer z7vl7abxc gave me was a good answer, especially for a Linux noobie like me. It doesn't address the issue of incorrect terminology but that isn't an issue that can be answered on forums like this, it can only be documented, which is better than saying nothing about security issues.
 
If not then you may as well give up everything and wrap yourself in cotton wool.

I'd say something like... Hmm... (I'll go for brevity with this one.)

"Always apply your updates but never trust your computer to be completely secure and act accordingly."

I wonder if I can turn that into an article...
 
And "Linux" is not the name of my motherboard. I know because I looked it up :D
I said, to control hardware on your motherboard....
 
I said, to control hardware on your motherboard....
Linux is not hardware, it is an OS, so it should have been called "driver-motherboard", except that actually has no specific meaning. That's why I say calling it "firmware-Linux" is a very, very vague description of what it does, and I haven't seen any proof of what it does yet. What things are a part of the motherboard that require drivers?
  1. PCIe?
  2. RAM?
  3. Fan?
  4. Bios? (I hope not since it should be tamper proof)
  5. USB ports? (already have drivers for that)
  6. Graphics cards? (already have driver for that)
  7. Bridge chips?
  8. What?
I tried looking it up to see what it might be and the official description was still very, very vague (see https://wiki.gentoo.org/wiki/Linux_firmware for example). When I see things like this on Windows, I am immediately skeptical of what it might really be doing. I trust Linux way more than I trust Windows, but my trust is not absolute, as that would not be a prudent thing to do, so what is this improperly named file supposed to do? Security conscious minds want to know.
 
I'd say something like... Hmm... (I'll go for brevity with this one.)

"Always apply your updates but never trust your computer to be completely secure and act accordingly."

I wonder if I can turn that into an article...
In Security clearance classes they teach that "You can never be too paranoid when it comes to security" :oops:. I believe in that philosophy; it's a good philosophy. Security is always something that should be gone over with a very fine-tooth comb and always taken seriously. I don't think this forum is the place for that kind of detail or expertise, so I don't expect much of a discussion about it here, I'm just posting my objective observations so (hopefully) the right person who knows security will see it and take action (Ed Snowden perhaps? :D). I want to see all the Linux ducks in a row here, although I don't know if that will ever happen.

No matter, Linux is still way better than Windows and that's what I care about most.
 
"You can never be too paranoid when it comes to security"

Absolutely. We take a measured risk to accomplish our goals.

I too had my clearance, though I haven't needed it in many years. Don't get me started on the OPM hack. I'm still mad.

My assumption is that my computer is compromised in some way, or easily compromised and that any information I store on it is at risk. I can have some level of security against the curious and lazy, but a few hours with a rubber hose and a pipe wrench will get you all of my passwords.
 
Absolutely. We take a measured risk to accomplish our goals.

I too had my clearance, though I haven't needed it in many years. Don't get me started on the OPM hack. I'm still mad.

My assumption is that my computer is compromised in some way, or easily compromised and that any information I store on it is at risk. I can have some level of security against the curious and lazy, but a few hours with a rubber hose and a pipe wrench will get you all of my passwords.
Yes, we more often than not have no choice but to take measured risks, but that doesn't give us license to ignore the risks, it just means we must ALWAYS ACTIVELY TRY TO MINIMIZE risks, and that is my goal here. I will never stop talking about the risks I am taking when I have updates and I don't know what they are or what they do. When someone is constantly downloading something to my computer, I constantly want to know what it is I am downloading and why they are uploading it to my computer. Always.

So what is firmware-linux and what does it actually do?
 
it just means we must ALWAYS ACTIVELY TRY TO MINIMIZE risks, and that is my goal here.

Oh, by all means you can do exactly that. It may mean a great deal of time reading 'release notes' and pages and pages of CVE documentation, but you can focus on security if you want. Linux is awesome like that. You may have to hunt for documentation, but in most cases someone will have written it down.
 
What things are a part of the motherboard that require drivers?
  1. PCIe?
  2. RAM?
  3. Fan?
  4. Bios? (I hope not since it should be tamper proof)
  5. USB ports? (already have drivers for that)
  6. Graphics cards? (already have driver for that)
  7. Bridge chips?
  8. What?
Without drivers none but the BIOS would work - & you missed out the processor micro code...... ;)
 
Without drivers none but the BIOS would work - & you missed out the processor micro code...... ;)
Irrelevant because that doesn't answer the question of what does firmware-linux do, and where is it documented what it does?
 
That is interesting, but scary. It's interesting because they say they are downloading flash into RAM for execution, which makes sense because flash is very slow -- but -- specifically which ROM/flash are they loading into RAM? BIOS would be vulnerable to exploitation if it were loaded into RAM -- bridge chips not so much. I need to know if that is what my version of Linux is doing with my BIOS, because that would be a very bad thing and I would refuse the update for it. I would lose a significant amount of confidence in my OS if this is true.

Furthermore, that kind of software is not a generic "firmware-Linux", it should be "firmware-motherboard-AMD_A520" or "firmware-motherboard-GIGABYTE_ X670E" or something like that. Every motherboard uses different software to run the different chipsets of the motherboard, and if the gluelogic for every motherboard is not the same the update cannot be the same.

Still, I would trust an insecure version of Linux way more than I would trust Windows in its current state (It would be easy to imagine Microsoft doing the same thing and just not telling anyone they are doing it), I just wouldn't be as happy (or smug) as I would be otherwise. Please tell me I'm wrong (and back it up with some evidence). I mean I still haven't found very specific official documentation that says which flash/ROM on my motherboard is being meddled with firmware-linux.

NOTE: I should point out that this is about transparency, which is an extremely important part of security, and "firmware-linux" is not at all transparent that I can see so far.
 
Background: I have a security clearance (inactive for now) and as part of that security clearance, I receive free online security classes and newsletters from the NSA or military, and I pay attention to those classes. [...]

I originally wrote a very detailed and long post, then changed my mind. This one is long enough. In the meantime, additional posts appeared and provided links to descriptions of what "firmware" means in the Linux community. I noted comments in the linked web pages that some of that firmware may not be open source, which would prevent @James888 from reviewing the code to know what the exact changes are. :-(

Terminology is imperfect and there can be confusion. It evolves and morphs, and it gets replaced with new terms that become popular. It is evolutionary. Each group may have their own specialized terminology.

I appreciate James' concerns about misuse of terminology by the Linux community, but I doubt that he will be able to effect change in how the Linux community uses or misuses terms like "firmware". With sincere respect, it might have been a more effective original post if James had written it as tutorial, demonstrating how the terms are used and their meanings in different contexts so that we can all better understand how to interpret what we are reading. James could also show how they are misused, thus planting the seeds for that evolutionary change.

The past couple months, I have been researching some Linux chain of trust questions, centered around distro installations and updates, (naturally). I encourage James to do the same.

The people (volunteers?) at MX Linux may not be willing to write documentation describing the detailed information that he wants, but perhaps James can determine that the "firmware" updates he is installing are identical to what MX Linux people think they should be. It may be worth James' time to determine where the MX Linux people originally sourced those files and how they establish that James received authenticated copies. It is not the same as what he wants, but perhaps it is sufficient.

James knows that his NSA and military security training should be applied appropriately in the context of the perceived threats, risks, etc. NSA-level security is not appropriate to protect the secrets in a 2nd grader's diary, for example.

By the way, could the updates have come through Debian or AntiX rather than MX Linux? I still have more to learn in this area.
 

Members online


Top