Date: Wed, 16 Jul 2008 17:47:35 -0400
From: spender@...ecurity.net (Brad Spengler)
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk, dailydave@...ts.immunitysec.com
Subject: Re: Linux's unofficial security-through-coverup policy

Valdis,

I hope you don't expect me to take you or your reply seriously.  You're 
the village idiot of the full-disclosure list; you talk a lot and 
provide a lot of great entertainment for many of us at the beginning of 
our workday, but don't really contribute anything useful.

> So tell me Brad - if Roland fixed a bug, *and didn't even realize it was
> a security-exploitable* issue, how do you propose we proceed?

If you had actually bothered to read any of the links I included in my 
mail (I included them for a reason, not just to take up space), you 
wouldn't have asked this question.

<removed stuff that would be answered if you actually read before 
replying>

> But you know what?  *IT* *DOESN'T* *ACTUALLY* *MATTER* *IN* *THE* *REAL* *WORLD*.
> Just yesterday, I was talking on IRC to a rather clued individual, who was
> still running 2.6.18 or so - because he had mission-critical custom patches
> that hadn't been migrated to 2.6.25 yet.

Judging your intellectual ability by the quality of your posts, Valdis, 
I'm sure you associate yourself with some real winners.  And given your 
perception of yourself as a 'clued' individual, I'm sure this guy was 
of equally exceptional calibre.  I'd say that this individual's choice 
to use a kernel tree which introduces nearly 50MB of source code changes 
every 3 months on a mission critical system probably wasn't the brightest.

Asking the developers to stop intentionally omitting security 
information they're aware of is not too much to ask.  They have a 
written policy that they've been acting in direct opposition to.  Since 
they've made it clear they don't understand "full-disclosure" in the way 
the rest of the world understands it, and their real policy matches that 
of what's considered "non-disclosure," we're asking them to change their 
written policy so that everyone is clear on what their position on 
security issues is.

If you read any of the links, you'd also see what the 2.4 maintainer has 
to say about obfuscation of security issues:

  I don't like obfuscation at all WRT security issues, it does far more
  harm than good because it reduces the probability to get them picked
  and fixed by users, maintainers, distro packagers, etc...
  (http://lkml.org/lkml/2008/6/10/452)

-Brad

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
