Date: Mon, 06 Aug 2007 01:10:12 +0200
From: monikerd <monikerd@...il.com>
To: ge@...uxbox.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Remote hole in OpenBSD 4.1

Gadi Evron wrote:
> I formerly had a great deal of respect, bordering on admiration, for Theo 
> deRaadt's refusals to compromise his open source principles, even in the 
> face of stiff opposition. Although he has occasionally gone over-the-top, 
> recommended some frankly very dubious changes to OpenBSD, and is regularly 
> arrogant (which is even more annoying because he's so often right!), he's 
> always remained consistent in his devotion to the cause of GNU/Free Software.
>
> Notice "formerly": my confidence in deRaadt has been soundly shaken by his 
> latest round of unfounded aspersions cast against Intel's Core 2 line of 
> CPUs. Instead of getting the facts with careful analysis and study, deRaadt 
> has jumped the gun by trying to preempt proper research with posts to the 
> openbsd-misc mailing list. This in itself wouldn't be so bad, but his only 
> proper citation is a 404 page, and his only other source is an old summary 
> of unverified errata from a hobbyist website.
>
> The lack of fact-checking and complete absence of any credible sources for 
> his allegations is suspicious in itself, but he compounds it into a complete 
> boner by making an equally unsupported claim that the supposed (in fact 
> non-existent) CPU problems are security flaws:
>
> As I said before, hiding in this list are 20-30 bugs that cannot be worked 
> around by operating systems, and will be potentially exploitable. I would 
> bet a lot of money that at least 2-3 of them are.
>
> Without real references to backup his exaggerated concerns, deRaadt's post 
> crosses the line into outright libel and scare-mongering. It's obvious when 
> you know what to look for: the subtle use of neurolinguistic priming in 
> emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39, 
> AI90, AI99 scare the hell out of us", "Open source operating systems are 
> largely left in the cold", "hiding in this list", and so forth. This does 
> not lead me to share Theo's purported fears; instead it leads me to believe 
> that he's trying to unduly influence Intel's reputation with lies.
>
> I have an idea of why. It's the same reason deRaadt feels comfortable in 
> saying that he'd "bet a lot of money" on Intel's Core 2 processors having 
> multiple (not one, but several) security flaws originating from these 
> errata. Namely, one of Intel's largest competitors has supplied the OpenBSD 
> project with a substantial amount of monetary support since 2004, presumably 
> because they can't compete even in the open source market without propping 
> it up with a flow of money. They cannot maintain their position on the 
> processor front, so they're resorting to buying out open source software 
> developers. It's regrettably cheap to do so, even if they have deRaadt's 
> prestige, because their business models stifle income and so a monolith such 
> as AMD can trivially tempt them with greater incentives. In fact deRaadt is 
> an easier target for "donations" because he makes it clear that he has no 
> business model for OpenBSD.
>
> Intel, by contrast, have no discernable incentive to deceive or play down 
> security flaws in their products; the consecutive f00f and FDIV bugs of the 
> past have taught Intel that their best course of action is to face up to 
> their errors and offer speedy fixes.
>
> DeRaadt's claim that Intel must "be come [sic] more transparent" is most 
> unfounded, especially when one considers who stands to benefit from this 
> anti-Intel arrangement; the connections between the AMD-ATI leviathan and 
> deRaadt-driven projects are not hard to find. AMD make a point of 
> emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already 
> mentioned, lends its deep pockets to deRaadt's grasp. And the connections go 
> both ways too: deRaadt has a blatant chip on his shoulder regarding Intel.
>
> Ultimately, it hasn't been enough for deRaadt to level unsubstantiated 
> libels at Intel, or to elicit spurious security fears about its solidly 
> tested products. He's added an extra layer of hypocrisy on top by attacking 
> Intel for being opaque and complaining about made-up fatal flaws in their 
> Core 2 system. I would go as far as to posit that it is in fact deRaadt's 
> system for running the OpenBSD project which has a fatal flaw. This escapade 
> proves that deRaadt -- and by extension the OpenBSD project -- is simply too 
> vulnerable to external influence from corporations with a vested interest 
> and lots of lucre.
>
>
Nice try, but (wrong list). Too little, too late.

Firstly, you employ the trick of "accuse them first" when you get to
"neurolinguistic priming": your text is full of it. Basically, that's all your email is.

Theo's posts were quite some time ago, and at the time neither of the links
was a 404.

Also your topic is misleading.

Your mail cites even fewer references and does not contribute anything new.

You are basically saying you disagree. Well, ladida. That's your right.
You didn't need to use that many ASCII characters or fancy words for that.

If a major CPU does not perform to specification, this is a big deal;
the fact that you have only now come to hear about it signifies how much
it has been downplayed.

Theo's methods and arguments are often flawed in several ways, and he's
sure been known to overreact. However, usually the underlying theme is pretty accurate.
And in this case he's saying: FCOL, you are degrading my operating
system's quality on these chips and not even releasing the information I need to fix it.

"no discernable incentive to deceive" --> are you kidding here, or just stupid?
- It has stockholders.
- What would it cost to recall the chips, when there is no replacement yet?


Now, I like Intel. I realize what adverse effects releasing all the details could have
concerning IP (yes, these guys are kinda careful with that; stockholders again...),
reputation, balance sheets, ...


I'm pretty sure this conversation has already taken place. We'll see how it plays out.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
