Open Source and information security mailing list archives
Message-ID: <20210427145347.00003846@tesio.it>
Date:   Tue, 27 Apr 2021 14:53:47 +0200
From:   Giacomo Tesio <giacomo@...io.it>
To:     Kangjie Lu <kjlu@....edu>
Cc:     open list <linux-kernel@...r.kernel.org>,
        Qiushi Wu <wu000273@....edu>, Aditya Pakki <pakki001@....edu>
Subject: Re: An open letter to the Linux community

"Damn kids, they're all alike"
http://phrack.org/issues/7/3.html


Dear Kangjie Lu, Qiushi Wu, and Aditya Pakki,

Since nobody is doing so, I want to thank you for your hacks.


All the livor and drama that followed your research proves that
the Linux Foundation failed to learn the lessons of Heartbleed.

At the end of the day, this is a valuable discovery for all of us.


You are the kids laughing loud that "the emperor has no clothes".
More precisely, that the emperor STILL has no clothes.
Ten years later.

The corporations behind the Linux kernel didn't take it well
(you wasted their time and money! you outsmarted them! how dare they!),
but the hypocrisy in your commits is not the one you revealed.


Pretending that such kind of attack didn't succeed before,
pretending that the problem is you, is way worse.


I've read that

> The Linux Foundation's Technical Advisory Board submitted a letter 
> on Friday to your University outlining the specific actions which
> need to happen in order for your group, and your University, to 
> be able to work to regain the trust of the Linux kernel community.

But any programmer with a grain of salt knows that they are just
trying to distract everybody from their own operational failures.

They blame you and your University just to avoid being held accountable.

It's neither you nor your University that need to regain trust.
It's not you that proved to not deserve it.

Your crime is that of curiosity.


How sad it is to see a project born "just for fun", turned into this!


But since I care more about cyber-security than about OSS marketing,
I thank you for what you did. I hope that more such hacks
and experiments will happen in the future, both in the Linux Kernel
and in many other projects.

All without ANYBODY being aware of them, because otherwise they would
prevent such epic failures from being discovered and publicly exposed,
again and again.


What you did was not just ethical, but noble and brave.


Thanks.


Giacomo
