
Not so fast
Posted Jun 17, 2008 23:32 UTC (Tue) by drag (subscriber, #31333)
In reply to: Not so fast by PaXTeam
Parent article: Stable kernel 2.6.25.7 released

Always with the strawmen. Strawmen here, strawmen there. What is this? 

Let's learn pointless internet debate techniques 101?

"If you call something a strawman, then you don't have to respond to it in a meaningful way.
If you don't have to respond to it in a meaningful way then they can't reply to you about it.
If they can't respond, then you get the last word... that means you win!!"

"See also: Avoiding the dreaded 'tldr' that spells ultimate failure for any argument. Did he
not reply because your intellect humiliated him? Or was it because he got too bored and decided
to get drunk with his friends instead? Use the 'strawman' reply to keep replies down to a
minimum and allow you to skillfully divert the argument to something you can easily be right
about."


Hint:

When knocking down strawmen, it takes a bit more effort than just saying 'that's a strawman!'
and ignoring it. In fact saying 'strawman' is like crying wolf and is a very weak technique. I
can't even make heads or tails of what exactly you mean or what parts of the OP's comments you
find irrelevant.

=====================

I mean, seriously. 

The problems are:

If you announce to the world that something is a security bug then every script kiddie and
their mom will know about it.

If you are careful about keeping quiet about it then distributors may miss an important security
fix they need to provide to their end users.

followed by:

If you sound like an arrogant dick on a public forum people will classify you as an arrogant
dick no matter how right you are. Rightfully so. (not so much you, PaX, as other people)

Being forceful with facts and well considered opinions is not the same thing as being
insulting, even if people take it the wrong way. Being insulting is always insulting and it
may get people's attention once or twice, but after that they'll just ignore you out of spite.

This is the reality of the situation and a balance or solution must be found. There is no
absolute, no perfect way to approach this problem, and the best solution _will_ be different on
many occasions.

followed by:

Arguing the same things over and over again is pointless. Do not cast pearls before swine.
Your time, your effort, is much more precious than to waste on some pointless internet fart
fest.

That's all. 

Not so fast

Posted Jun 18, 2008 0:58 UTC (Wed) by PaXTeam (subscriber, #24616)

i didn't elaborate on man_ls's strawmen because he missed the point entirely, so i didn't see
it as important beyond mentioning the fact (he was arguing disclosure policy like you do,
instead of that of consistency). now i just mentioned one, see somewhere above. satisfied? ;)

> If you announce to the world that something is a security bug then every
> script kiddie and their mom will know about it.

> If you are careful about keeping quiet about it then distributors may miss an
> important security fix they need to provide to their end users.

you too didn't get the point. i don't care about the disclosure policy per se, i care about
being consistent, or shall i say, truthful about it. if Documentation/SecurityBugs says 'full
disclosure' then the people on that list had better practice it. if they don't, they should
say so in Documentation/SecurityBugs. above you're trying to argue about the disclosure
policy, feel free to take it to where it belongs, but it's not the subject of this discussion.
as for the rest of your post, does that really belong here?

Not so fast

Posted Jun 18, 2008 12:49 UTC (Wed) by nix (subscriber, #2304)

So very many people are failing to get the point: might it be that you're not expressing
yourself very well?

(Either that or you're saying this to divert attention from questions you can't answer. Well,
I suppose there is the alternative that virtually everyone else on this forum can't understand
English. I know which I think is more likely.)

Not so fast

Posted Jun 18, 2008 13:06 UTC (Wed) by PaXTeam (subscriber, #24616)

> So very many people are failing to get the point: might it be that
> you're not expressing yourself very well?

not many, only first time posters who simply didn't read what i said before.

> Either that or you're saying this to divert attention from questions you
> can't answer.

which questions would they be (and you probably meant "don't want to", as you can't seriously
expect me to answer questions that i, well, "can't" ;))? if i missed anything, feel free to
point them out to me.

Not so fast

Posted Jun 18, 2008 13:44 UTC (Wed) by spender (subscriber, #23067)

Some get it, but some do not (the ones trying to misinterpret all the provided evidence to
support their view).  Unfortunately for them, the way things are is often not how we
imagine or would like them to be.

If even Willy is saying that Linus intentionally omits security information at times in his
commits, which he is fully aware of at the time of the commit, why are you still quibbling
with us?  I was surprised myself Willy was so honest about this (I appreciate it), and it
meshes with the private evidence I have.

In general, from the evidence I have, the people in charge of handling security put forth a
lot of effort and in most cases handle things properly.  This is especially true of bugs that
are submitted to them from the outside, where security-relevance is either explicitly
mentioned or suggested.

But in some cases (the specific examples already provided and others I'm currently compiling),
things aren't handled properly.  It seems so far that these involve bugs that haven't been
labeled as security-relevant by individuals/companies in the public realm.  Many of these bugs
seem to be DoS-related.  On their private lists will exist PoC code to trigger them, so their
security-relevance is well known to the members of the private lists, and yet often it's these
that get handled improperly.

Like we had been arguing, this isn't a conspiracy.  They don't coordinate on the lists on how
to cover up the security bugs for the day.  But there does seem to be some adherence among
some to an "unwritten rule", that if they aren't being publicly held accountable for
something, the rules can be relaxed.  The problem is they end up hurting themselves (and all
of us) this way, since when things aren't mentioned properly publicly through the changelogs,
it often never gets proper classification (see the SELinux remote DoS at the bottom of the
page).

As to why you continue to argue, this might help explain the uncomfortableness you're feeling:
http://en.wikipedia.org/wiki/Cognitive_dissonance

-Brad

Not so fast

Posted Jun 18, 2008 16:52 UTC (Wed) by nix (subscriber, #2304)

I agree with everything you've said in that comment.

I just don't think it's 'dishonest'. Everyone involved is quite open about what's going on, so
how it could be considered dishonest is quite beyond me (and it's not as if we see holes with
actual significant impact being not fixed: please, 'root can get complete control of the
system' is likely to impact a number of systems given in single digits, given that on
virtually every system out there root *already* has complete control: and 'hold back for a few
days until the major distros have updated' also seems reasonable. CPU bugs with security
impact are an entirely different kettle of silicon, and I have no idea what the right thing is
to do there, especially if the bug is one that can't be fixed with a microcode update:
someone's going to get hurt sooner or later no matter what you do).

Not so fast

Posted Jun 18, 2008 17:59 UTC (Wed) by PaXTeam (subscriber, #24616)

> Everyone involved is quite open about what's going on, so
> how it could be considered dishonest is quite beyond me 

where did you see 'everyone involved' being open? not here. not a single person who
participated in the withholding of known security impact info posted to this thread or
admitted doing so.

>and it's not as if we see holes with actual significant impact being not fixed:

strawman warning ;)! we did *not* talk about bugs not getting fixed. we talked about bugs not
getting properly described in the commits. where did you pull this one from? but now that you
did, i'll actually ask you a question: if a commit doesn't contain security info (such as the
ptrace self-attach fix), how are people running their own kernels supposed to know to pick
such commits up (think of distributors, not only individuals)? they can't, therefore all *their*
users are unnecessarily exposed to risk.

Not so fast

Posted Jun 19, 2008 9:45 UTC (Thu) by nix (subscriber, #2304)

Er, I was pointing out that it would be significant if we saw things getting covered up and
not fixed. We don't.

(Are you *so* confrontational that you assume that when I'm agreeing with you, I'm actually
trying to argue against you, so my point is thus a 'straw man'? If this is actually what's
happening, you're functionally incapable of reading English as far as I'm concerned.)

Not so fast

Posted Jun 19, 2008 10:31 UTC (Thu) by PaXTeam (subscriber, #24616)

> Er, I was pointing out that it would be significant if we saw things
> getting covered up and not fixed. We don't.

er, i was pointing out that it was *not* what we had been talking about all along. we talked
about things getting fixed but *not* communicated properly, in particular, the security impact
of fixes was sometimes omitted even when it was full well known. that *is* dishonest, no
matter how much you argue the opposite:

> I just don't think it's 'dishonest'.

that is *not* 'I'm agreeing with you', no matter how you spin it later.

but i said all this a hundred times already by now yet *you* keep diverging into irrelevant
possibilities that we have never raised. you tell me who has a reading comprehension problem.
also it has been your strategy to change the subject of discussion slightly in order to be
able to attack it then. that meets the dictionary definition of a strawman. i know you never
liked it when i exposed every one of your attempts, but that should not be reason to resort to
ad hominem in lieu of rational arguments (you probably figured out by now that i'm not a
native speaker, right?). as you so aptly said:

> This thread is giving me so *very* many examples of how not to communicate...

Not so fast

Posted Jun 19, 2008 21:47 UTC (Thu) by nix (subscriber, #2304)

The dictionary definition of a straw man argument is arguing !A and then
concluding !B, where A is not a precondition of B.

What I'm doing is considering slight variations on what you're discussing
in order to figure out if *they* have any merit (since your claim of some
peculiar form of non-malicious dishonesty is incoherent I haven't wasted
any time considering that case at all).

My apologies for *daring* to consider tangential cases at all. I wasn't
aware I wasn't allowed to discuss such things.

(Your claims of 'exposure' reek of paranoia. In fact pretty much
everything you've posted reeks of paranoia.)

Not so fast

Posted Jun 20, 2008 1:37 UTC (Fri) by zakalwe2 (guest, #50472)

> since your claim of some peculiar form of non-malicious dishonesty is incoherent

No honey, your ass doesn't look big in that at all.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds