Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 23, 2013
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
Clever: when your lies are uncovered (see above post re: "full-disclosure"), you sneak out
while claiming the moral high ground.
If you're looking for a troll, you need only look in the mirror.
"Stable" kernel 126.96.36.199
Posted Jun 12, 2008 19:03 UTC (Thu) by nix (subscriber, #2304)
This thread really is a confluence of the pointlessly combative, isn't it?
There's not an instant's consideration given to the possibility that any
disliked event might *not* be due to malice, `lies', `suppression'...
Posted Jun 12, 2008 20:49 UTC (Thu) by spender (subscriber, #23067)
One of us is privy to certain insider information, and one of us is not. I'm quite sure you
don't know what goes on in the private kernel security mailing lists (I'll include vendorsec
in on this as well). After a certain period of time, there's no reason to keep the
discussions of these lists private unless the members are embarrassed of the information that
would be found.
Go ask Linus if he didn't intentionally decide to cover up that ptrace bug mentioned in this
thread. I have proof that he did, and that as a result of the coverup no CVE was assigned and
the fix was not backported to distro kernels.
Go ask the members of the vendorsec list if they haven't been covering up a DoS on the Itanium
architecture reported by Intel over a year ago, for which two fixes were provided. The flaw
is in hardware so all kernels are vulnerable, and the worst part in this situation is that the
vendorsec members collectively agreed not to provide either of the two software fixes for the
You claim there's been no proof, but yet I've already pointed out in my previous exploit a
clear coverup of what was at least known to the committer to be a local DoS (I demonstrated
that it was trivial arbitrary code execution), but the commit message said only "fix
sys_tee()" and no CVE was created.
So many of those you blindly trust are involved in coverups like these. They erroneously
think they can get away with it because they don't think anyone's watching the watchers. So
people like Chris Wright will claim in public that there are no coverups, but he knows as we
know that he's taken part in it out of the public eye.
So I seriously encourage you or anyone else to go ask the people I've mentioned about the
specific events I've mentioned. Send this to LKML if you wish. I'll give them the
opportunity to give their side of the events in question. It should be clear to from the
details I've already released here that this is not a frivolous accusation, and that I'm aware
of things they hoped the public would never be aware of. If they choose not to, or continue
to lie about what happens behind the scenes, I'll release what information I have. I think
they'll be surprised by what is known among certain individuals about what they're doing.
I'm probably making enemies from all sides by even mentioning the details above, but in the
end a more honest security leadership will only help users of Linux. I'd also like to
reiterate the importance of making the discussions of the private kernel security lists public
after an agreed upon acceptable amount of time, so that this culture of coverups cannot be
allowed to grow any more.
Posted Jun 12, 2008 22:02 UTC (Thu) by nix (subscriber, #2304)
OK, you're resorting to argument from authority. There's absolutely no
point talking to you at all, is there?
(And no, I'm not going to go around randomly accusing kernel hackers of
coverups and conspiracies. You're the one arguing that point and referring
to secret evidence to 'support' your claim, not me.)
(I'd agree that the various private security lists should have delayed
public archives. Transparency is good, and the only reason to keep those
lists private is to prevent the bad guys from responding before the
distros do, so after they've responded there's no point keeping the
traffic secret anymore.)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds