From: yersinia (yersinia.spiros at gmail.com)
Date: Tue Jul 28 2009 - 06:44:38 CDT
FWIW, also "insane":
http://kerneltrap.org/mailarchive/linux-kernel/2007/10/1/326479/thread#mid-326479
BTW, personally I agreed with the motivations exposed by Linus in the two
threads. But it is necessary to look in depth at the discussion.
Regards
On Tue, Jul 28, 2009 at 1:09 AM, <pageexec at freemail.hu> wrote:
> really. or at least according to one Linus Torvalds, who also happens to be the
> primary reason for not one, but two! of this year's pwnie nominations for lamest
> vendor response and most epic FAIL. apparently the fundamental issue he cannot
> understand is that if they don't know what bugs are security issues, maybe they
> should find people who do. or maybe bother reading those static checker reports
> that point them out. just a thought.
>
> also one cannot help but smile at the irony of divineint (put in charge of security
> at RH, no less ;) asking for more proper disclosure. how times change ;).
>
> also i guess exploit writers would heartily disagree with the notion that there's
> no difference between bugs and security bugs :P. anyway, without further ado, here's
> the latest masterpiece:
>
>
> On Sun, 19 Jul 2009, Eugene Teo wrote:
>>
>> If the upstream development community can start doing their part by
>> differentiating normal bug fixes to the security ones, I think most of
>> us will benefit from it.
>
> Ok, so this is a perfect example of the kind of IDIOTIC blathering that I
> hate to hear from security people.
>
> Quite frankly, people who state things like that ARE FUCKING MORONS.
>
> I'm sorry, but it's true. Learn it. Think about it. Deeply, and long.
>
> This whole security exploit is a prime example of exactly why anybody who
> says something stupid like that is so stupid and so WRONG.
>
> Look at the bug that caused it. Look at the fix. Think about it. When the
> fix was committed, nobody thought it was a security bugfix.
>
> Really.
>
> If you cannot understand this FUNDAMENTAL issue, I don't know what can
> make you do so. I absolutely despise most security people, because they
> are idiots who do not understand development. They are idiots who do not
> understand basic facts. They are idiots, who think the world is some kind
> of black-and-white place where you can sort bugs into 'security' and 'not
> security'.
>
> So here's a few simple rules:
>
> - people who argue for full disclosure are wrong
>
> - people who argue for hiding things and vendor-sec are wrong
>
> - people who think that there are "bugs" and "security bugs" are
> fundamentally wrong, and misguided, and will always do the wrong thing.
>
> The fact is, bugs are bugs. We don't know which of them are security
> issues. We all make mistakes, and we _fix_ the mistakes, and some of the
> fixes turn out to have way more subtle interactions than people even
> realized!
>
> So you can ask developers to "always think of all the possible issues",
> and you will be left with developers who won't have time or motivation to
> actually do any real work. And they'll _still_ miss some subtle issue, and
> they'll _still_ write code that has bugs.
>
> So how about people face REALITY instead of talking about idiotic
> platitudes like people should be "differentiating normal bug fixes to the
> security ones"? And it _is_ a platitude: it's something that sounds
> "obviously correct", but it's at the same time clearly ignoring the fact
> that reality is complicated.
>
> So f*ck me, shut up about idiotic things like that already!
>
> This whole bug really is a _prime_ example of how the bugfix was not at
> all clearly a security fix at all, even though it obviously was a big
> deal. And a security person who cannot understand that is not a security
> person at all - he's just a f*cking poser.
>
> This is why I detest security lists. Lots of posturing and platitudes. And
> look at who actually did the real work: a regular developer, and a regular
> maintainer, neither of whom were thinking in terms of security.
>
> Security people are leaches. The real heroes are the people who do
> development. The last thing security people should do is to ask the people
> who do the REAL WORK to do more.
>
> Linus
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>