Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Gadi Evron (gadievronyahoo.com)
Date: Sun Aug 05 2007 - 17:27:33 CDT
I formerly had a great deal of respect, bordering on admiration, for Theo
deRaadt's refusals to compromise his open source principles, even in the
face of stiff opposition. Although he has occasionally gone over-the-top,
recommended some frankly very dubious changes to OpenBSD, and is regularly
arrogant (which is even more annoying because he's so often right!), he's
always remained consistent in his devotion to the cause of GNU/Free Software.
Notice "formerly": my confidence in deRaadt has been soundly shaken by his
latest round of unfounded aspersions cast against Intel's Core 2 line of
CPUs. Instead of getting the facts with careful analysis and study, deRaadt
has jumped the gun by trying to preempt proper research with posts to the
openbsd-misc mailing list. This in itself wouldn't be so bad, but his only
proper citation is a 404 page, and his only other source is an old summary
of unverified errata from a hobbyist website.
The lack of fact-checking and complete absence of any credible sources for
his allegations is suspicious in itself, but he compounds it into a complete
boner by making an equally unsupported claim that the supposed (in fact
non-existent) CPU problems are security flaws:
As I said before, hiding in this list are 20-30 bugs that cannot be worked
around by operating systems, and will be potentially exploitable. I would
bet a lot of money that at least 2-3 of them are.
Without real references to backup his exaggerated concerns, deRaadt's post
crosses the line into outright libel and scare-mongering. It's obvious when
you know what to look for: the subtle use of neurolinguistic priming in
emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39,
AI90, AI99 scare the hell out of us", "Open source operating systems are
largely left in the cold", "hiding in this list", and so forth. This does
not lead me to share Theo's purported fears; instead it leads me to believe
that he's trying to unduly influence Intel's reputation with lies.
I have an idea of why. It's the same reason deRaadt feels comfortable in
saying that he'd "bet a lot of money" on Intel's Core 2 processors having
multiple (not one, but several) security flaws originating from these
errata. Namely, one of Intel's largest competitors has supplied the OpenBSD
project with a substantial amount of monetary support since 2004, presumably
because they can't compete even in the open source market without propping
it up with a flow of money. They cannot maintain their position on the
processor front, so they're resorting to buying out open source software
developers. It's regrettably cheap to do so, even if they have deRaadt's
prestige, because their business models stifle income and so a monolith such
as AMD can trivially tempt them with greater incentives. In fact deRaadt is
an easier target for "donations" because he makes it clear that he has no
business model for OpenBSD.
Intel, by contrast, have no discernable incentive to deceive or play down
security flaws in their products; the consecutive f00f and FDIV bugs of the
past have taught Intel that their best course of action is to face up to
their errors and offer speedy fixes.
DeRaadt's claim that Intel must "be come [sic] more transparent" is most
unfounded, especially when one considers who stands to benefit from this
anti-Intel arrangement; the connections between the AMD-ATI leviathan and
deRaadt-driven projects are not hard to find. AMD make a point of
emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already
mentioned, lends its deep pockets to deRaadt's grasp. And the connections go
both ways too: deRaadt has a blatant chip on his shoulder regarding Intel.
Ultimately, it hasn't been enough for deRaadt to level unsubstantiated
libels at Intel, or to elicit spurious security fears about its solidly
tested products. He's added an extra layer of hypocrisy on top by attacking
Intel for being opaque and complaining about made-up fatal flaws in their
Core 2 system. I would go as far as to posit that it is in fact deRaadt's
system for running the OpenBSD project which has a fatal flaw. This escapade
proves that deRaadt -- and by extension the OpenBSD project -- is simply too
vulnerable to external influence from corporations with a vested interest
and lots of lucre.
____________________________________________________________________________________Ready for the edge of your seat?
Check out tonight's top picks on Yahoo! TV.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/