misquoting

Posted Apr 23, 2009 12:32 UTC (Thu) by pjm (subscriber, #2080)
In reply to: "Protected" -- for how long? by spender
Parent article: The details on loading rootkits via /dev/mem

tialaramex may not have been very articulate, and may have been more curt than courteous, but I think was trying to make a helpful point (which I hope you won't yourself completely ignore, if I can explain it better).

There is quite a distance from Linus’ words that you now quote (expressing a belief that explicit changelog entries lead to more attacks by relatively casual attackers such as curious university students) to “if we don't tell the bad guys about the bugs, they'll never find them”.

It is helpful to look into the costs and benefits of various approaches to drawing attention to security flaws. It is helpful to point to this as one data point towards establishing to what extent the current approach to changelog entries is effective in reducing attacks. (Of course one data point isn't enough to show that it doesn't reduce attacks, but does give some information.)

Whereas misrepresenting someone's position in such a way as to give the false impression of having disproven their position (“straw man tactics”) is not helpful, and is both harmful to establishing the right answer to the question under consideration, and is also objectionable to the person being misquoted (as tialaramex tried to demonstrate with a fairly extreme example of misquoting).

I understand that you may not have intended to apply a straw-man approach, but the effect is the same. So the point is, be careful in representation or attributing quotation to someone.

I hope you find this not a worthless reply, when explained more carefully.



misquoting

Posted Apr 23, 2009 23:21 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

if you took this much time to explain what seemingly you failed to understand yourself, you might as well have done some further reading on the subject and saved some time here. i'll draw your attention to http://marc.info/?l=linux-kernel&m=121617056910384&... and its parent post http://marc.info/?l=linux-kernel&m=121616990509661&.... read them and understand where Linus drew the line: covering up the security impact of bugs for good. no ifs and buts, it's there in plain and clear text. what spender quoted may not have been the most descriptive to the subject matter but anyone who followed last summer's flamewar knows what it was about and how it concluded. in short, do your own research before educating someone on misrepresentation.

misquoting

Posted Apr 24, 2009 13:09 UTC (Fri) by pjm (subscriber, #2080) [Link]

I'm puzzled by your reply. Are you sure you're responding to something I've said? Do you feel it negates something I've said?

misquoting

Posted Apr 24, 2009 14:27 UTC (Fri) by pjm (subscriber, #2080) [Link]

For example, do you think that it wasn't a misrepresentation of Linus' position, or do you think it merely not important enough to take issue with? If the latter, then there's nothing more I can say on the issue.

misquoting

Posted Apr 25, 2009 1:29 UTC (Sat) by PaXTeam (subscriber, #24616) [Link]

> For example, do you think that it wasn't a misrepresentation of Linus' position

exactly. i even gave you the links to the thread where you can read about it yourself. have you?

misquoting

Posted Apr 25, 2009 12:36 UTC (Sat) by pjm (subscriber, #2080) [Link]

Oh good, now I know a bit more about where our differences are. The next thing to know is whether it's because we disagree about what Linus' position is, or whether we agree on the position but disagree about whether or not the words in quotation marks are a sufficiently close approximation to that position.

(I'll continue to spend some more time and space on this partly just for my own curiosity, and partly because there's a slim chance that exploring this might actually lead to a slightly better understanding of Linus' position; and maybe you'd like to understand why I or tialaramex have posted as we have.)

First of all, the easy case: has Linus literally said the words “if we don't tell the bad guys about the bugs, they'll never find them” ? I'd guess the answer is no, as this doesn't occur in the messages that you or Brad refer to, and a google search doesn't find it [other than here on this thread in LWN], and google does seem to find most other linux-kernel discussion; but maybe he said it in a different forum I'm not aware of that isn't indexed by google. If so, then that would clear things up straight away.

(Btw, I understand and even appreciate you asking to check with your correspondent that they have read the posts linked to: I know it's frustrating to discuss with someone who isn't actually giving thought to what you're saying. So yes, I had read the two posts you linked to, and also the posts that Brad referenced above and some of the surrounding posts, and I remember some of the discussion from when it last came up; though obviously I wouldn't be as closely familiar with the discussion as you and Brad, so thanks for having taken the time to post links to the relevant posts.)

Otherwise, do you believe that Linus either believes or has said that withholding information from commit messages will mean that no bad guy will know about any bug, or that no bug in Linux will be exploited in the wild ? (As distinct from believing merely that withholding information from commit messages will reduce how many bugs bad guys find out about, or reduce how many bugs will be exploited in the wild.)

Otherwise, do you think that there's no significant difference between saying "... then they'll never find them" and saying "... then fewer bad guys will ever find them" ?

There are some other possible reasons for our differing, but the above questions will do for now, if you too would like to continue to look into this. (I'll understand if you choose not to spend any more time on it.)

misquoting

Posted Apr 25, 2009 19:14 UTC (Sat) by PaXTeam (subscriber, #24616) [Link]

the easy case: think 'paraphrase' (as far as i know, that is. what went on in private discussions is unknown of course, but the public posts speak for themselves, see more on this below).

for what to read: it's not only about the few posts we linked to, it's the entire flamewar on lkml and some 5 threads here on LWN, hundreds of posts altogether. i understand if you're less than inclined to read them though, but then don't expect me to repeat all what was said back then either (much to the delight of many readers i guess ;).

as for your other questions: i assume you're not involved in computer security which would explain why you missed the real meaning behind spender's quote. in short, it was slyly disparaging as Linus' publicly stated position and actual actions are so much disconnected from reality (it's not a matter of my or anyone's belief, it's of public record, so much so that it earned him this nomination last summer: http://pwnie-awards.org/2008/nominees.html#lamestvendor).

let me leave you with some food for thought: imagine someone with the ability to write exploits against kernel bugs. imagine further he can also determine just by looking at a given patch whether it fixed a (potentially) exploitable bug (potentially, since one cannot be sure until one actually tries it, kernel bugs usually aren't the easiest kind to exploit). now imagine that you give this person a list of patches without telling him what they do. do you actually believe that this will prevent him from picking out the ones fixing exploitable bugs? because that's exactly what Linus et al. have tried to argue in their desperate attempt at explaining why coverup is good. last but not least: imagine that a file system driver has a bug that can corrupt on-disk data. do you think the proper approach is to not tell the world about it? history says otherwise. now imagine you have a kernel memory corruption bug that can do the same by virtue of corrupting filesystem (meta)data (let's forget about the potential for privilege elevation). do you think it's prudent to not tell the world about it and vehemently argue why it is even a good thing? history says yes. now consider that a memory corruption bug is typically much easier to abuse for trashing random memory (including the filesystem stuff i mentioned) than it is to properly and reliably exploit for privilege elevation. as i said, just some food for thought...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds