Theo de Raadt on OpenSSH security flaws

Theo de Raadt on OpenSSH security flaws

Posted Mar 29, 2006 15:09 UTC (Wed) by ibukanov (subscriber, #3942)
In reply to: Theo de Raadt on OpenSSH security flaws by jmtapio
Parent article: Interview: Theo de Raadt of OpenBSD (NewsForge)

> I thought the point with the BSD license was supposed to be that it does not require corporations to give back to the community.

But then the license does not promise that the company would be notified about the security updates either.

My interpretation of Theo's quote is that Sun would not be informed about bugs in advance via some established procedure. Which is fair, as I do not receive any advance warnings either and rely on FedoraCore/Ubuntu to patch OpenSSH installations instead. Why should any other entity that uses OpenSSH be any different?


Theo de Raadt on OpenSSH security flaws

Posted Mar 29, 2006 15:25 UTC (Wed) by man_ls (subscriber, #15091)

In the interest of responsible disclosure, developers (open or closed) should be notified as soon as you learn about a vulnerability, and the general public some time later. This is what de Raadt does not promise to do.

And it is really a disturbing attitude, given that OpenBSD people are always advocating complete freedom for their source code, even if it means that competitors may take it and release a closed version. Or I should say especially when competitors take it and release a closed version, since these people claim the superiority of their license for this same reason. We must conclude that they do not think closed versions are a bad thing.

Theo de Raadt on OpenSSH security flaws

Posted Mar 29, 2006 16:18 UTC (Wed) by vmole (guest, #111)

Closed or not, Sun is taking other people's work and selling it, and then failing to provide any support for those people. Legal? Yes. Ethical? No. Wise? Definitely not.

Of course, expecting corporations to behave either ethically or wisely is naive.

Ethical behaviour

Posted Mar 29, 2006 17:06 UTC (Wed) by man_ls (subscriber, #15091)

Yeah, sure. The GPL helps with keeping companies ethical, but not much.

However, unethical behavior on the part of those companies does not justify unethical behavior on the part of individual developers, as seems to be the case here. Failing to do responsible disclosure (as somehow threatening not to) is not a sensible position. And this comes from a crucial security provider for almost all of us! Gives me the creeps.

Ethical behaviour

Posted Apr 1, 2006 2:55 UTC (Sat) by Shanep (guest, #36879)

> However, unethical behavior on the part of those companies does not justify unethical behavior on the part of individual developers, as seems to be the case here. Failing to do responsible disclosure (as somehow threatening not to) is not a sensible position. And this comes from a crucial security provider for almost all of us! Gives me the creeps.

Theo is NOT failing to do responsible disclosure. He is talking about Sun's OWN SunSSH. NOT OpenSSH. OpenSSH will continue to provide full disclosure and Sun, just like the rest of the World, is free to view that disclosure and scrutinize their OWN SunSSH code.

Theo should not have to audit Sun's own code when Sun gives him NOTHING.

Disclosure of vulnerabilities

Posted Apr 1, 2006 8:54 UTC (Sat) by man_ls (subscriber, #15091)

Responsible disclosure does not work that way. Suppose that A knows that B's software has a vulnerability. A notifies B in advance and, some time later, A goes public. The amount of advance time is under discussion; two weeks to a month seems reasonable. For example: you find a vulnerability in Mac OS X, you notify Microsoft and wait for a month. Apple has time to patch the system and to distribute the patch; then you can go public.

Now let us suppose you find a vulnerability in OpenSSH. You notify the OpenSSH team at security@openssh.org (or whatever) and give them a month. But you know nothing of Sun's own SunSSH; however de Raadt does, and he knows that the vulnerable code is in Sun's version too. So de Raadt knows that some software (SunSSH) has a vulnerability, and should in the interest of responsible disclosure warn them in advance. However he is mad at them for not inviting him to their sleep-overs and he does not warn Sun; when the bug goes public, Sun's software is exposed with no advance warning.

So you see that responsible disclosure is orthogonal to full disclosure. Both are not a matter of law, but of ethics; the latter says "let users know what is wrong with their software", the former says "let developers patch their software before the black hats get the information". A crucial security provider should know the difference.

Disclosure of vulnerabilities

Posted Apr 1, 2006 12:30 UTC (Sat) by Shanep (guest, #36879)

Sorry, but if you want to talk about ethics, then where are Sun and IBM's ethics? Theo refusing to give them a heads up on security issues is hardly worse than Sun and IBM, with all their money, refusing to give a cent but expecting support for free. If you get any at all, it is a damn temporary privilege.

Sun and the rest need to look at the part of the BSD licence which disclaims all warranties. Sure the code is as free as it gets. But don't expect support at all, much less for free.

I would love to see Theo charge a premium for responsible disclosure.

Disclosure of vulnerabilities

Posted Apr 1, 2006 13:40 UTC (Sat) by man_ls (subscriber, #15091)

That is precisely the point. Of course Sun is not behaving ethically. But seeing the other party is not behaving ethically is no excuse for behaving unethically yourself.

Theo de Raadt on OpenSSH security flaws

Posted Apr 1, 2006 2:49 UTC (Sat) by Shanep (guest, #36879)

> In the interest of responsible disclosure, developers (open or closed) should be notified as soon as you learn about a vulnerability, and the general public some time later. This is what de Raadt does not promise to do.

How much money does Sun have and how many staff members do they have? They give NOTHING back, yet expect something in return for NOTHING? They have the staff and resources to monitor the advisories themselves. They should not need and do not deserve a personal touch.

> And it is really a disturbing attitude, given that OpenBSD people are always advocating complete freedom for their source code, even if it means that competitors may take it and release a closed version. Or I should say especially when competitors take it and release a closed version, since these people claim the superiority of their license for this same reason. We must conclude that they do not think closed versions are a bad thing.

It is about freedom of OpenBSD's OWN source code. That freedom is absolute when you allow people to take it for themselves and close their own copy and development off to the rest of the World. OpenBSD's version remains as free as possible.

Theo de Raadt on OpenSSH security flaws

Posted Apr 1, 2006 9:51 UTC (Sat) by man_ls (subscriber, #15091)

> They have the staff and resources to monitor the advisories themselves. They should not need and do not deserve a personal touch.

As I tried to explain above, it has nothing to do with staff and resources, but with knowing that somebody's code out there has a flaw. Even worse, the flaw comes from a reputed source (the OpenSSH project). Monitoring advisories after the vulnerability has gone public still puts your customers at risk for a period of time.

> That freedom is absolute when you allow people to take it for themselves and close their own copy and development off to the rest of the World.

If you give the possibility to take your code and make it proprietary then you should be ready to have it happen. If you insist that this possibility is an essential freedom, not an undesirable artifact, then it must be that you think that such closed versions are not a bad thing.

Other people (notably Stallman) think that closed versions are a disgrace, and so license their code (notably under the GPL) to avoid such things. De Raadt and others go out of their way to let companies make closed versions. So when it happens they should not go mad; they should instead understand that SunSSH users are also their users and not put them at risk. It is not ethical (and it looks unprofessional too).

Theo de Raadt on OpenSSH security flaws

Posted Apr 1, 2006 12:11 UTC (Sat) by Shanep (guest, #36879)

> De Raadt and others go out of their way to let companies make closed versions. So when it happens they should not go mad;

Theo is mad about an expectation from Sun and IBM that the OpenSSH project is responsible for fixing software which Sun and IBM are providing to their paying customers. IBM has refused to fix problems for their customers because they say it is the responsibility of the OpenSSH project. Well it is NOT OpenSSH's responsibility. IBM wants the benefits of the BSD licence without the responsibilities that go with it. I would be mad too.

> they should instead understand that SunSSH users are also their users and not put them at risk. It is not ethical (and it looks unprofessional too).

The stance of the OpenBSD project is that they write code for themselves and allow other people to use that code. I agree that ethically they should provide fixes for users of their own code. However I don't agree that they should have a responsibility to Sun as Sun being OpenBSD's user. Because Sun was a user of OpenSSH for the instant that they took it, but then gave that up at the point where they started making their own changes. Just like people who compile custom OpenBSD kernels, putting things in, taking stuff out and making mods and then expecting the OpenBSD project to be able to help them. Sun has chosen to branch OpenSSH into their own codebase. Now they, Sun, are responsible from not only an ethical standpoint to their (Sun's) customers, but possibly also from a legal standpoint.

Theo should not have to watch SunSSH development to see what is vulnerable and what is not, as time goes on and the codebases continue to make distance from each other. Sun is a big company and like any big company releasing software, they need to deal with the security too. They take the benefit from the BSD licence, they need to deal with it.

Responsibility?

Posted Apr 1, 2006 15:34 UTC (Sat) by man_ls (subscriber, #15091)

> IBM wants the benefits of the BSD licence without the responsibilities that go with it.

What responsibilities are you talking about? The BSD license says that you can do whatever you want with the code, no strings attached. It does not say you have to invite developers to your events.

> However I don't agree that they should have a responsibility to Sun as Sun being OpenBSD's user.

You should really pay more attention to what is being said. In the phrase you quoted I didn't speak about Sun; I said that SunSSH users are OpenSSH users too. If SunSSH has a vulnerability, users will think it is not very secure. When they learn that it is a fork of OpenSSH, then they are likely to figure out that OpenSSH is not as secure as they thought.

You know, all this talk makes me want to use an OpenSSH fork under the GPL. This is all too childish.

Responsibility?

Posted Apr 1, 2006 23:03 UTC (Sat) by Shanep (guest, #36879)

> What responsibilities are you talking about? The BSD license says that you can do whatever you want with the code, no strings attached. It does not say you have to invite developers to your events.

I'm talking about IBM's responsibilities to their own customers. IBM want to take the full benefit from the BSD licence, but when it comes time to assist their own customers with problems, they tell those customers that it is the OpenSSH project's responsibility. This is clearly NOT the case, given the BSD licence disclaims warranties.

> You should really pay more attention to what is being said.

No, I wrote OpenBSD when I should have written OpenSSH.

> In the phrase you quoted I didn't speak about Sun; I said that SunSSH users are OpenSSH users too. If SunSSH has a vulnerability, users will think it is not very secure. When they learn that it is a fork of OpenSSH, then they are likely to figure out that OpenSSH is not as secure as they thought.

I don't agree that SunSSH users are OpenSSH users. Sun have taken the code and changed it into their own. The fact remains, that SunSSH users are Sun users.

> You know, all this talk makes me want to use an OpenSSH fork under the GPL. This is all too childish.

Yes, I'd like to see you do that. And yes, there have been lots of childish comments here under this story.

Mixing responsibilities

Posted Apr 2, 2006 11:06 UTC (Sun) by man_ls (subscriber, #15091)

> I'm talking about IBM's responsibilities to their own customers.

You are not. You were talking specifically about the responsibilities that go with the BSD license. In fact, you said: "IBM wants the benefits of the BSD licence without the responsibilities that go with it." And now you say it is IBM's responsibilities to their own customers. If you keep changing the subject it is difficult to have a meaningful conversation.

> This is clearly NOT the case, given the BSD licence disclaims warranties.

The BSD license talks about warranties, not about whining in public. IBM can say whatever they want to their customers and still comply with the license, in letter if not in spirit. I don't know the specifics so it's hard to tell about the spirit; but the BSD license clearly says nothing about contributing to upstream or inviting developers to your gigs.

> I don't agree that SunSSH users are OpenSSH users.

Well, we disagree. But following this line of reasoning, we should have to say that OpenBSD users are not Apache users (since the httpd version they run is effectively forked), are not FreeBSD users (they forked long ago), are not BSD users and not Unix users in the end. It is misleading to say the least.

But that is not the main point. SunSSH comes from OpenSSH, and is supposed to draw from its strengths. If de Raadt leaves those users vulnerable by releasing an update before Sun has been warned, Sun will have the perfect excuse for blaming the OpenSSH team.

Mixing responsibilities

Posted Apr 2, 2006 15:17 UTC (Sun) by Shanep (guest, #36879)

> I'm talking about IBM's responsibilities to their own customers.

> You are not.

Yes I AM and WAS.

> You were talking specifically about the responsibilities that go with the BSD license.

No, to be exact, I was being specific about IBM adhering to the licence terms, where they have been said to be failing to do so in regards to their customers. IBM has a responsibility to pass the CORRECT terms of the licence on with the software, in this case to their own customers. Even when there may be times when IBM speak verbally to their customers, this does not mean that they can ADD responsibilities to the OpenSSH project, in this case they are covering something which the OpenSSH project have specifically disclaimed in their official licence. IBM takes software which they can use mostly how they see fit, but which is clearly stated in the licence that NO WARRANTY is given by the authors of the code which makes up OpenSSH. When there are terms stipulated in the licence like this,

"ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED"

and this,

"SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION"

and this,

"IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES",

IBM cannot then state to their customers that the OpenSSH project are RESPONSIBLE for providing fixes to OpenSSH and it actually be a true statement.

> In fact, you said: "IBM wants the benefits of the BSD licence without the responsibilities that go with it." And now you say it is IBM's responsibilities to their own customers. If you keep changing the subject it is difficult to have a meaningful conversation.

Yes that's right, why do you not understand what that means? I am not changing the subject, I am merely pointing out intimately related specifics.

To glue this together for you, the responsibility IBM has, is to pass on the truth as to the licence terms, to their customers, that the OpenSSH project are NOT responsible, as clearly stipulated in the licence of the OpenSSH code which IBM has chosen to pass on to their customers. Out of that truth, customers would then no doubt want to know what IBM's responsibility is for providing that software. If IBM are not willing to accept responsibility for the code they pass on or derivative code, then they need to inform their customers of that also and point their customers to any licence or further terms which they may have applied to the code they ship. Obviously IBM cannot add terms which add responsibilities to the OpenSSH project, without the OpenSSH project agreeing to that. Yet IBM tells their customers that the OpenSSH project is responsible for providing fixes. That is not true and IBM cannot speak on the behalf of the OpenSSH project beyond simply informing users of the ACTUAL licence terms which OpenSSH has laid down themselves.

> The BSD license talks about warranties, not about whining in public. IBM can say whatever they want to their customers and still comply with the license, in letter if not in spirit.

No, legally IBM can NOT speak on behalf of the OpenSSH project to the extent that IBM says that the OpenSSH project have ADDITIONAL responsibilities on top of the official written OpenSSH licence which disclaims exactly what IBM claims the project are responsible for.

> I don't know the specifics so it's hard to tell about the spirit; but the BSD license clearly says nothing about contributing to upstream or inviting developers to your gigs.

Yeah, so what? In that respect Theo is just venting about something which I think the World ought to know. He and I never claimed otherwise about that and the BSD licence.

> Well, we disagree. But following this line of reasoning, we should have to say that OpenBSD users are not Apache users (since the httpd version they run is effectively forked),

Yes, that makes perfect sense to me. I would not hope for the Apache project to fix OpenBSD's version of Apache, since OpenBSD have changed a fair deal. Last count I heard it was 40,000 lines difference. But even if it were ONE line, if those changes are not accepted into the official tree and are maintained by a 3rd party, then it is a derivative work.

> are not FreeBSD users (they forked long ago),

No they didn't, you don't know what you are talking about. OpenBSD forked from NetBSD 1.0 and later took parts from 4.4BSD Lite 2. NetBSD 1.0 came from 4.3BSD Lite. FreeBSD came from 386BSD 0.1 and of course has taken parts from other BSD versions. Practically speaking, the "FreeBSD in OpenBSD" comes from minor discrete incidences of shared or ported code. Then there is the fact that they share from portions of various versions of old heritage BSD code (converging on 4.3BSD Lite). Are OpenBSD users FreeBSD users? No. Are OpenBSD, NetBSD and FreeBSD users BSD users? Yes, if you are talking about their heritage.

OpenBSD most certainly did NOT fork from FreeBSD.

> are not BSD users

Hey careful now, don't mix heritage up with responsibilities (convey licence terms) clearly detailed in licences. "BSD" is not specific enough to mean anything other than something very general. Saying "BSD" and leaving it at that, is largely meaningless if you are talking about licences. I would expect you to at LEAST provide details as to who provides that software DERIVED from "BSD" and possibly a version name and/or number.

Are OpenBSD users "BSD" users? Yes, if you are talking about code heritage or loosely about system style if comparing to SysV for example.

> and not Unix users in the end.

Well this depends on what the relevance of "UNIX" is to the person asking or stating it. Are they taking it as its literal current day meaning? Or once again, are they using it in a loose heritage form? Are OpenBSD users, users of UNIX? Well, that depends on the user, but if the only UNIX-like system they use is OpenBSD, then NO, I believe they are not a UNIX user in the official meaning. UNIX is a definition and trademark which I believe both do not officially apply to OpenBSD.

> It is misleading to say the least.

What is misleading, is ignoring licence terms and selectively choosing the relevance of various terms or names, ranging from loose meanings evolved by public IT culture, to absolute literal meanings. IBM goes beyond being misleading, right into out and out lie.

> But that is not the main point. SunSSH comes from OpenSSH, and is supposed to draw from its strengths. If de Raadt leaves those users vulnerable by releasing an update before Sun has been warned, Sun will have the perfect excuse for blaming the OpenSSH team.

SunSSH is a derived work, built from a BSD licence code-base which has disclaimed warranties, as I have shown above. Plenty of other companies provide their own software, just like Sun are providing their own SunSSH, while dealing with the security issues themselves because the buck stops with them. IF Sun does not receive responsible disclosure from Theo or the OpenSSH project, it will be because time and time again, Sun have been a bunch of arse-holes. Sun customers suffer under similar circumstances because of Sun.

Mixing responsibilities

Posted Apr 3, 2006 0:42 UTC (Mon) by man_ls (subscriber, #15091)

Dude, relax. Your gripe with IBM has cannibalized this thread which dealt with Sun and responsible disclosure. I don't know what IBM said or how or when, without which information this discussion is turning into a one-sided flamefest. They obviously did something very wrong in your eyes, and I'm ready to accept it; but it is not easy to see the relationship with the topic under discussion. De Raadt only mentions them in passing. Finally, mixing IBM's responsibilities to their users with IBM's responsibilities under the OpenSSH license is not helping.

I'm sorry I mistook NetBSD for FreeBSD; in my defense there are a lot of branches and from the outside it is not so easy to tell them apart.

Finally, even if IBM and Sun are the devil incarnate, this does not justify leaving a lot of users in the cold.

Mixing responsibilities

Posted Apr 3, 2006 9:08 UTC (Mon) by Shanep (guest, #36879)

> Dude, relax.

I am not trying to direct anger towards you, by the way. You could be my best friend, playing devil's advocate or not, and I'd still be putting my position forward in the same manner. Conversations escalate as they go back and forth, which brings new content into potential conflict on both sides.

> Your gripe with IBM has cannibalized this thread which dealt with Sun and responsible disclosure. I don't know what IBM said or how or when, without which information this discussion is turning into a one-sided flamefest.

I have tried to remain civil and I think I mostly have. Don't confuse content with flaming. I assume when you say one sided flamefest, you are referring to flames coming from me? I have merely tried to put forward reason and evidence. You have tried to shoot it down, even with a few snide remarks. I felt flames but tried not to give them back.

> They obviously did something very wrong in your eyes, and I'm ready to accept it; but it is not easy to see the relationship with the topic under discussion. De Raadt only mentions them in passing. Finally, mixing IBM's responsibilities to their users with IBM's responsibilities under the OpenSSH license is not helping.

IBM claims OpenSSH is responsible for something OpenSSH clearly disclaims in a legal licence. IBM, in some cases like Sun, want their cake and to eat it too. IBM are in the wrong. Sun are not legally in the wrong, but they have not played nicely, so I hardly see why Theo should play nicely "for the sake of Sun's customers" when we're talking about a derived work for which Sun does NOT want to assist the OpenSSH team into helping Sun and their customers. A work which Sun passes off as their own. If Sun want to exploit the licence to its fullest potential and ignore good-will, then more power to Theo for doing the same.

> Finally, even if IBM and Sun are the devil incarnate, this does not justify leaving a lot of users in the cold.

Theo and the OpenSSH project have not left a lot of users in the cold. Sun users are free to replace SunSSH with OpenSSH. The users of IBM and Sun should look at the completely disgraceful slap in the face and lack of good will which their vendor has shown to a software team which has been selflessly providing some important software under some very free terms. Sun inviting and paying for an OpenSSH developer to attend interoperability events is in the best interests of Sun's customers also.

I don't feel bad if Theo acts "unethically" towards Sun, because Sun's users choose to be customers of an unethical company. The politics which go back and forth as a result of Sun being unethical or choosing to not uphold good-will result in an impact on Sun's users (they live with SunSSH without the benefit of responsible disclosure, or they have to replace it with OpenSSH). Sun and IBM give OpenBSD an uphill battle, needlessly.

A company acts unethically and their users suffer as a result. If I was treated like crap over and over again, all because I was trying to uphold the greater good, I'd come to a breaking point too.

Sun and IBM

Posted Apr 3, 2006 9:52 UTC (Mon) by man_ls (subscriber, #15091)

> I am not trying to direct anger towards you, by the way.

Same here. Cold expression of facts can easily be regarded as aggressiveness on the net. That's why smileys were invented :)

> I assume when you say one sided flamefest, you are referring to flames coming from me?

Actually, I meant from you to IBM.

> I have merely tried to put forward reason and evidence.

I have seen no evidence actually, just your subjective impressions. A link or two would be nice.

> I don't feel bad if Theo acts "unethically" towards Sun, because Sun's users choose to be customers of an unethical company.

Back to square one. See, this is not a very professional attitude. (And yeah, Sun may not have been professional in this instance, but this is where one's professionalism should show.) Sorry if I have misunderstood the situation, but from the outside it looks like that.

Sun and IBM

Posted Apr 3, 2006 12:41 UTC (Mon) by Shanep (guest, #36879)

> I have seen no evidence actually, just your subjective impressions.

The evidence I'm referring to are the parts of the OpenSSH licence which disclaim warranties. I don't feel the terms of the licence leave much room for subjectivity.

> A link or two would be nice.

The mail from Theo, regarding IBM's expectation for OpenSSH to fix problems for one of IBM's customers with which they have a multi-million dollar contract.

The details of the OpenSSH licence.

Shame on IBM

Posted Apr 3, 2006 13:09 UTC (Mon) by man_ls (subscriber, #15091)

Pretty damning. Thanks for the information, IBM should indeed be ashamed.

Shame on IBM

Posted Apr 4, 2006 1:30 UTC (Tue) by Shanep (guest, #36879)

I should have linked to that long ago, sorry about that.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds