NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Immunitysec Daily Dave> 2008-q3

Re: [Dailydave] [Full-disclosure] Linux's unofficial security-through-coverup policy

From: Brad Spengler (spendergrsecurity.net)
Date: Wed Jul 16 2008 - 16:47:35 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Valdis,

I hope you don't expect me to take you or your reply seriously. You're
the village idiot of the full-disclosure list; you talk a lot and
provide a lot of great entertainment for many of us at the beginning of
our workday, but don't really contribute anything useful.

> So tell me Brad - if Roland fixed a bug, *and didn't even realize it was
> a security-exploitable* issue, how do you propose we proceed?

If you had actually bothered to read any of the links I included in my
mail (I included them for a reason, not just to take up space), you
wouldn't have asked this question.

> But you know what? *IT* *DOESN'T* *ACTUALLY* *MATTER* *IN* *THE* *REAL* *WORLD*.
> Just yesterday, I was talking on IRC to a rather clued individual, who was
> still running 2.6.18 or so - because he had mission-critical custom patches
> that hadn't been migrated to 2.6.25 yet.

Judging your intellectual ability by the quality of your posts, Valdis,
I'm sure you associate yourself with some real winners. And given your
perception of yourself as a 'clued' individual, I'm sure this guy was of
of equally exceptional calibre. I'd say that this individual's choice
to use a kernel tree which introduces nearly 50MB of source code changes
every 3 months on a mission critical system probably wasn't the brightest.

Asking the developers to stop intentionally omitting security
information they're aware of is not too much to ask. They have a
written policy that they've been acting in direct opposition to. Since
they've made it clear they don't understand "full-disclosure" in the way
the rest of the world understands it, and their real policy matches that
of what's considered "non-disclosure," we're asking them to change their
written policy so that everyone is clear on what their position on
security issues are.

If you read any of the links, you'd also see what the 2.4 maintainer has
to say about obfuscation of security issues:

  I don't like obfuscation at all WRT security issues, it does far more
  harm than good because it reduces the probability to get them picked
  and fixed by users, maintainers, distro packagers, etc...
  (http://lkml.org/lkml/2008/6/10/452)

-Brad

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIfmx2mHm2SUJF1GoRAl8kAJ0ftlje9uChpxJEI11dOnP/gKGEPACeNF/7
11bFpYnOqMEnwQe+ebONqi4=
=m5q/
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]