Date: Mon, 6 Aug 2007 04:19:13 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: monikerd <monikerd@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Remote hole in OpenBSD 4.1

Sorry, I don't know who gadievron@...oo.com is, but it wasn't me. I'd 
suggest emailing Rocky, he likes big guys. :)

Thanks,

 	Gadi.

On Mon, 6 Aug 2007, monikerd wrote:

> Gadi Evron wrote:
>> I formerly had a great deal of respect, bordering on admiration, for Theo
>> deRaadt's refusals to compromise his open source principles, even in the
>> face of stiff opposition. Although he has occasionally gone over-the-top,
>> recommended some frankly very dubious changes to OpenBSD, and is regularly
>> arrogant (which is even more annoying because he's so often right!), he's
>> always remained consistent in his devotion to the cause of GNU/Free Software.
>>
>> Notice "formerly": my confidence in deRaadt has been soundly shaken by his
>> latest round of unfounded aspersions cast against Intel's Core 2 line of
>> CPUs. Instead of getting the facts with careful analysis and study, deRaadt
>> has jumped the gun by trying to preempt proper research with posts to the
>> openbsd-misc mailing list. This in itself wouldn't be so bad, but his only
>> proper citation is a 404 page, and his only other source is an old summary
>> of unverified errata from a hobbyist website.
>>
>> The lack of fact-checking and complete absence of any credible sources for
>> his allegations is suspicious in itself, but he compounds it into a complete
>> boner by making an equally unsupported claim that the supposed (in fact
>> non-existent) CPU problems are security flaws:
>>
>> As I said before, hiding in this list are 20-30 bugs that cannot be worked
>> around by operating systems, and will be potentially exploitable. I would
>> bet a lot of money that at least 2-3 of them are.
>>
>> Without real references to backup his exaggerated concerns, deRaadt's post
>> crosses the line into outright libel and scare-mongering. It's obvious when
>> you know what to look for: the subtle use of neurolinguistic priming in
>> emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39,
>> AI90, AI99 scare the hell out of us", "Open source operating systems are
>> largely left in the cold", "hiding in this list", and so forth. This does
>> not lead me to share Theo's purported fears; instead it leads me to believe
>> that he's trying to unduly influence Intel's reputation with lies.
>>
>> I have an idea of why. It's the same reason deRaadt feels comfortable in
>> saying that he'd "bet a lot of money" on Intel's Core 2 processors having
>> multiple (not one, but several) security flaws originating from these
>> errata. Namely, one of Intel's largest competitors has supplied the OpenBSD
>> project with a substantial amount of monetary support since 2004, presumably
>> because they can't compete even in the open source market without propping
>> it up with a flow of money. They cannot maintain their position on the
>> processor front, so they're resorting to buying out open source software
>> developers. It's regrettably cheap to do so, even if they have deRaadt's
>> prestige, because their business models stifle income and so a monolith such
>> as AMD can trivially tempt them with greater incentives. In fact deRaadt is
>> an easier target for "donations" because he makes it clear that he has no
>> business model for OpenBSD.
>>
>> Intel, by contrast, have no discernible incentive to deceive or play down
>> security flaws in their products; the consecutive f00f and FDIV bugs of the
>> past have taught Intel that their best course of action is to face up to
>> their errors and offer speedy fixes.
>>
>> DeRaadt's claim that Intel must "be come [sic] more transparent" is most
>> unfounded, especially when one considers who stands to benefit from this
>> anti-Intel arrangement; the connections between the AMD-ATI leviathan and
>> deRaadt-driven projects are not hard to find. AMD make a point of
>> emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already
>> mentioned, lends its deep pockets to deRaadt's grasp. And the connections go
>> both ways too: deRaadt has a blatant chip on his shoulder regarding Intel.
>>
>> Ultimately, it hasn't been enough for deRaadt to level unsubstantiated
>> libels at Intel, or to elicit spurious security fears about its solidly
>> tested products. He's added an extra layer of hypocrisy on top by attacking
>> Intel for being opaque and complaining about made-up fatal flaws in their
>> Core 2 system. I would go as far as to posit that it is in fact deRaadt's
>> system for running the OpenBSD project which has a fatal flaw. This escapade
>> proves that deRaadt -- and by extension the OpenBSD project -- is simply too
>> vulnerable to external influence from corporations with a vested interest
>> and lots of lucre.
>>
>>
> Nice try, but (wrong list). Too little, too late.
>
> Firstly, you employ the trick of "accuse them first" when you get to
> "neurolinguistic priming"; your text is full of it. Basically that's all
> your email is.
>
> Theo's posts were quite some time ago, and then neither of the links
> were 404.
>
> Also your topic is misleading.
>
> Your mail cites even fewer references. Does not contribute anything new.
>
> You are basically saying you disagree. Well, la-di-da. That's your right.
> Didn't need to use that many ASCII or fancy words for that.
>
> If a major CPU does not perform to specifications, this is a big deal;
> seeing as you only now have come to hear about it signifies how much it
> has been downplayed.
>
> Theo's methods and arguments are often flawed in several ways, and he's
> sure been known to overreact. However, usually the underlying theme is
> pretty accurate. And in this case he's saying: FCOL, you are degrading my
> operating system's quality on these chips and not even releasing the
> information I need to fix it.
>
> "no discernible incentive to deceive" --> are you kidding here or just stupid?
> - It has stockholders
> - What would it cost to recall the chips? When there is no replacement yet?
>
>
> Now I like Intel; I realize what adverse effects releasing all the details
> could have concerning IP (yes, these guys are kinda careful with that;
> stockholders again ...), reputation, balance sheets, ...
>
>
> I'm pretty sure this conversation has already taken place. We'll see how
> it plays out.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
