Open Source and information security mailing list archives
 
Date: Tue, 07 Aug 2007 23:33:23 -0400
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: <monikerd@...il.com>,<ge@...uxbox.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Remote hole in OpenBSD 4.1

LOLOLOL STOP NAMEDROPPING YOU GAY BASHING KIKE

J

On Mon, 06 Aug 2007 05:19:13 -0400 Gadi Evron <ge@...uxbox.org> wrote:
>Sorry, I don't know who gadievron@...oo.com is, but it wasn't me. I'd
>suggest emailing Rocky, he likes big guys. :)
>
>Thanks,
>
> 	Gadi.
>
>On Mon, 6 Aug 2007, monikerd wrote:
>
>> Gadi Evron wrote:
>>> I formerly had a great deal of respect, bordering on admiration, for Theo
>>> deRaadt's refusals to compromise his open source principles, even in the
>>> face of stiff opposition. Although he has occasionally gone over-the-top,
>>> recommended some frankly very dubious changes to OpenBSD, and is regularly
>>> arrogant (which is even more annoying because he's so often right!), he's
>>> always remained consistent in his devotion to the cause of GNU/Free Software.
>>>
>>> Notice "formerly": my confidence in deRaadt has been soundly shaken by his
>>> latest round of unfounded aspersions cast against Intel's Core 2 line of
>>> CPUs. Instead of getting the facts with careful analysis and study, deRaadt
>>> has jumped the gun by trying to preempt proper research with posts to the
>>> openbsd-misc mailing list. This in itself wouldn't be so bad, but his only
>>> proper citation is a 404 page, and his only other source is an old summary
>>> of unverified errata from a hobbyist website.
>>>
>>> The lack of fact-checking and complete absence of any credible sources for
>>> his allegations is suspicious in itself, but he compounds it into a complete
>>> boner by making an equally unsupported claim that the supposed (in fact
>>> non-existent) CPU problems are security flaws:
>>>
>>> As I said before, hiding in this list are 20-30 bugs that cannot be worked
>>> around by operating systems, and will be potentially exploitable. I would
>>> bet a lot of money that at least 2-3 of them are.
>>>
>>> Without real references to back up his exaggerated concerns, deRaadt's post
>>> crosses the line into outright libel and scare-mongering. It's obvious when
>>> you know what to look for: the subtle use of neurolinguistic priming in
>>> emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39,
>>> AI90, AI99 scare the hell out of us", "Open source operating systems are
>>> largely left in the cold", "hiding in this list", and so forth. This does
>>> not lead me to share Theo's purported fears; instead it leads me to believe
>>> that he's trying to unduly influence Intel's reputation with lies.
>>>
>>> I have an idea of why. It's the same reason deRaadt feels comfortable in
>>> saying that he'd "bet a lot of money" on Intel's Core 2 processors having
>>> multiple (not one, but several) security flaws originating from these
>>> errata. Namely, one of Intel's largest competitors has supplied the OpenBSD
>>> project with a substantial amount of monetary support since 2004, presumably
>>> because they can't compete even in the open source market without propping
>>> it up with a flow of money. They cannot maintain their position on the
>>> processor front, so they're resorting to buying out open source software
>>> developers. It's regrettably cheap to do so, even if they have deRaadt's
>>> prestige, because their business models stifle income and so a monolith such
>>> as AMD can trivially tempt them with greater incentives. In fact deRaadt is
>>> an easier target for "donations" because he makes it clear that he has no
>>> business model for OpenBSD.
>>>
>>> Intel, by contrast, have no discernable incentive to deceive or play down
>>> security flaws in their products; the consecutive f00f and FDIV bugs of the
>>> past have taught Intel that their best course of action is to face up to
>>> their errors and offer speedy fixes.
>>>
>>> DeRaadt's claim that Intel must "be come [sic] more transparent" is most
>>> unfounded, especially when one considers who stands to benefit from this
>>> anti-Intel arrangement; the connections between the AMD-ATI leviathan and
>>> deRaadt-driven projects are not hard to find. AMD make a point of
>>> emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already
>>> mentioned, lends its deep pockets to deRaadt's grasp. And the connections go
>>> both ways too: deRaadt has a blatant chip on his shoulder regarding Intel.
>>>
>>> Ultimately, it hasn't been enough for deRaadt to level unsubstantiated
>>> libels at Intel, or to elicit spurious security fears about its solidly
>>> tested products. He's added an extra layer of hypocrisy on top by attacking
>>> Intel for being opaque and complaining about made-up fatal flaws in their
>>> Core 2 system. I would go as far as to posit that it is in fact deRaadt's
>>> system for running the OpenBSD project which has a fatal flaw. This escapade
>>> proves that deRaadt -- and by extension the OpenBSD project -- is simply too
>>> vulnerable to external influence from corporations with a vested interest
>>> and lots of lucre.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>> Nice try, but (Wrong list). Too little too late.
>>
>> firstly you employ the trick of "accuse them first" when you get to
>> "neurolinguistic priming"
>> your text is full of it. Basically that's all your email is.
>>
>> Theo's posts were quite some time ago, and then neither of the links
>> were 404.
>>
>> Also your topic is misleading.
>>
>> Your mail cites even fewer references. Does not contribute anything new.
>>
>> You are basically saying you disagree. well ladida. That's your right.
>> Didn't need to use that
>> many ascii or fancy words for that.
>>
>> If a major cpu does not perform to specifications, this is a big deal,
>> seeing as you only now
>> have come to hear about it, signifies how much it has been downplayed.
>>
>> Theo's methods and arguments, are often flawed in several ways, and he's
>> sure been
>> known to overreact. However usually the underlying theme is pretty accurate.
>> And in this case he's saying. FCOL you are degrading my operating
>> system's quality
>> on these chips and not even releasing the information I need, to fix it.
>>
>> "no discernable incentive to deceive" --> are you kidding here or just stupid?
>> - It has stock holders
>> - what would it cost to recall the chips? When there is no replacement yet?
>>
>>
>> Now I like Intel, I realize what adverse effects releasing all the details could be
>> concerning IP (yes these guys are kinda careful with that, stockholders again ..)
>> reputation, balance sheets, ...
>>
>>
>> I'm pretty sure this conversation has already taken place. We'll see how it plays out.
>>
>>
>>
>
