Patching Really Is Necessary

There are certain things in the tech world that swing from Myth A to Myth B. The GHz myth is one of them: a CPU's clock speed is measured in GHz, and people used to treat it as the go-to benchmark for performance and ignore everything else. Now people go around saying that GHz doesn't matter at all, which is equally wrong.

I see the same thing with patching. Patching used to be the go-to practice for keeping an application secure: a program that was quick to patch was more secure, and patch speed was a way to measure security. Now people pretend that patching doesn't matter, that if you use mitigations like ASLR and DEP and sandbox your applications you don't need to worry. I see this all over.

This is incorrect. Patching is an invaluable layer in any security setup, and I think the latest Chrome exploit shows why.

Google Chrome makes use of ASLR (very strong ASLR), DEP, and SEHOP. It has a fairly fine-grained sandbox around its renderer processes on Windows. It's a nice mix of policy and technology.

And yet it's still hackable. No matter how much policy you have, it will have flaws. No matter how many memory-protection techniques you implement, there will be bypasses. Do those methods make things far more secure? Absolutely: there has never been a single exploit in the wild that bypasses Chrome's sandbox, even its relatively weak Flash sandbox.

But if you're looking for defense in depth you'd better patch, because if you're running Chrome 14 there have been a huge number of holes fixed since then, and it's simply a matter of chaining the right ones together.

And this applies to everything. On Linux I run Chrome, which implements a very strong sandbox, reinforced by the hardening patches I apply to my kernel. But if I'm running a very old unpatched version of Chrome, all an attacker has to do is google for existing exploits and chain them together.

The cost of attacking a user drops drastically when exploit code is already public and the vulnerability is documented. By patching you force the attacker to find a new vulnerability, and in the case of a program like Chrome you end up forcing them to come up with a whole chain of them: one bug only gets them code execution inside a sandboxed renderer, and it takes more bugs to get back out of the sandbox.

There is one simple reason the entire threat landscape would have to change if Linux suddenly became the most popular OS. It's not some magic memory technique or sandbox; it's patching. On Linux all of my applications are kept up to date by the package manager; on Windows each third-party application updates itself, or doesn't, so old versions linger. And attackers take huge advantage of that.

So do yourself a favor. Keep your system up to date.

Why Linux Does Need To Defrag (Sometimes)

It's very common to hear "Linux doesn't fragment." This is kind of true: ext4 fragments far less than NTFS, and nowhere near as much as FAT, because it allocates files in extents and delays allocation until data is written back, so related blocks tend to land next to each other. But "less" is not "never."

NTFS has improved a lot and ext4 is definitely good, but there are absolutely cases where you may need to defragment Linux.

Thankfully there is a tool for this, e4defrag, and here's a little "how to defrag Linux" tutorial.

e4defrag

e4defrag ships with e2fsprogs, so it should already be in your distro, and it is definitely included in Ubuntu 12.04. It is an easy-to-use online defragmenter: it works on a mounted ext4 filesystem, so you don't have to boot from rescue media. And, as a plus, it's made by the ext4 developers, so you're in good hands.

When To Use It

Typically you really don't need to defrag; people aren't off base when they say this. But if you've been deleting a ton of files, then adding a ton of files, and filling up large amounts of space on a drive that is already fairly full, you might want to. You don't have to guess: the -c option makes e4defrag report a fragmentation score and say whether the target needs defragmenting, without changing anything.

How To Use It

It’s really simple to use.

Check first. The -c option reports a fragmentation score and a recommendation but does not move anything:

sudo e4defrag -c /home

To defragment a mounted ext4 partition:

sudo e4defrag /dev/sda6

The target can also be a mount point, a directory, or a single file, so you can limit it to the data you've been churning:

sudo e4defrag /home/you/Downloads

Don't point it at /dev/* or /dev/sda*: those globs hit every device node (and, for the second one, the whole disk /dev/sda as well as its partitions), and e4defrag fails on anything that isn't a mounted ext4 filesystem. To cover every ext4 filesystem that is currently mounted, let findmnt list them:

for m in $(findmnt -t ext4 -n -o TARGET); do sudo e4defrag "$m"; done

Two caveats: e4defrag only handles files stored as extents (the ext4 default; it skips files that aren't), and it rewrites each fragmented file into a new contiguous copy, so it needs free space to work with. A nearly full partition is exactly where fragmentation shows up and exactly where e4defrag has the least room to fix it.
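The check-then-defrag routine above, as an added shell script that is not part of the original post and not part of e2fsprogs. It parses the report that e4defrag -c prints (the "Fragmentation score" line and the legend e4defrag prints beneath it: 0-30 no problem, 31-55 a little fragmented, 56 and up needs defrag), maps the score to an action, and only runs the real e4defrag when the score says so. The SAMPLE_REPORT text is constructed here to resemble e4defrag's output so the parsing can be exercised without root or an ext4 filesystem; the E4DEFRAG_RUN variable is an assumption of this script, not an e4defrag option.

```shell
#!/bin/sh
# Added example: only defragment what e4defrag -c says needs it.
# Not from the original post and not part of e2fsprogs.
set -u

# Pull the number off the "Fragmentation score N" line of an e4defrag -c
# report read from stdin. Prints -1 if the line is missing (e.g. e4defrag
# refused the target because it is not a mounted ext4 filesystem).
frag_score() {
    awk '/Fragmentation score/ { print $3; found = 1 }
         END { if (!found) print "-1" }'
}

# Map a score to an action using the thresholds e4defrag itself prints:
# 0-30 no problem, 31-55 a little bit fragmented, 56 and up needs defrag.
defrag_action() {
    score=$1
    if [ "$score" -lt 0 ]; then
        echo unknown
    elif [ "$score" -lt 31 ]; then
        echo skip
    elif [ "$score" -lt 56 ]; then
        echo optional
    else
        echo defrag
    fi
}

# Mount points of every mounted ext4 filesystem: the only targets e4defrag
# can act on, unlike a glob such as /dev/* which hits every device node.
ext4_mounts() {
    awk '$3 == "ext4" { print $2 }' /proc/mounts
}

# Check one target (device, mount point, directory or file) and defragment
# it only if the score calls for it. Needs root and e2fsprogs installed.
check_and_defrag() {
    target=$1
    report=$(e4defrag -c "$target") || return 1
    score=$(printf '%s\n' "$report" | frag_score)
    action=$(defrag_action "$score")
    echo "$target: score=$score action=$action"
    if [ "$action" = defrag ]; then
        e4defrag "$target"
    fi
}

# Constructed sample of an e4defrag -c report for a badly fragmented
# directory, used to exercise the parser without touching a real disk.
SAMPLE_REPORT='e4defrag 1.42 (29-Nov-2011)
<Fragmented files>                             now/best       size/ext
1. /home/me/Downloads/big.iso                  412/1            8 KB

 Total/best extents                            4327/51
 Average size per extent                       24 KB
 Fragmentation score                           62
 [0-30 no problem: Media is not fragmented]
 [31-55 a little bit fragmented]
 [56- needs defrag]
 This directory (/home) needs defragmentation.
 Done.'

# Only touch real filesystems when explicitly asked:
#   sudo E4DEFRAG_RUN=1 sh defrag-check.sh
if [ "${E4DEFRAG_RUN:-}" = 1 ]; then
    for m in $(ext4_mounts); do
        check_and_defrag "$m"
    done
fi
```

Run it once without E4DEFRAG_RUN to make sure the parser is happy with your e4defrag's output, then with it set as root to walk every mounted ext4 filesystem. Because check_and_defrag runs the report step first, a target that e4defrag rejects is reported and skipped rather than defragmented blindly.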

I think it's nice that there finally exists a mainstream defrag tool that's so easy to use. It may not be necessary for the average user, but it's nice that it's there.