Linux 2.6.30 exploit posted
Posted Jul 19, 2009 5:34 UTC (Sun) by mingo
In reply to: Linux 2.6.30 exploit posted
Parent article: Linux 2.6.30 exploit posted
So he deserves not only to be thanked for finding the bug, but he should be thanked for being honest about it. There is money to be made in 0-day exploits and he could have profited from it financially before going public, if he ever decided to go public.
The timing suggests that he noticed the fix to the NULL dereference, not the bug. He could have found the original bug in February and could have gone public about it but he (like others who reviewed that code) didn't notice the (obvious in hindsight) bug.
What he did was to demonstrate that a thought-to-be-unexploitable NULL dereference kernel crash can be exploited due to a cascade of failures in other components: compiler [to a lesser degree] and SELinux [to a larger degree].
This was useful, as .31 could have been released with the fix but there was no -stable back-port tag for the fix to make it into .30. Also, perhaps more importantly in terms of practical impact, the two cascading failures in SELinux and GCC were also worth fixing and could avoid (or at least reduce the probability of) future exploits.
(This still leaves open the theoretical possibility of him having known about the original networking bug (introduced in February) and having exploited it - only going public with the exploit once the NULL dereference fix went upstream. I don't think this happened.)
So the disclosure was useful, but, to be fair to the original poster, also not fully friendly. It maximized his own gain out of it, regardless of the consequences. Posting a zero-day exploit in the middle of the summer holiday season might be seen as reckless and irresponsible by someone who happened to be on vacation in that time-frame.
Regarding the suggestion of a personality disorder by the original poster, the observation sounds plausible - but indeed irrelevant as you point out. The field of finding exploits is unforgiving: you spend days, weeks, months and years reading the worst possible code people can throw out, with just a few instances of something real big being found.
In that time you don't actually modify the code you read in any public way, you don't interact with people and you don't socialize with those developers. You don't even relate to the code in any personal way - you try to find certain patterns of badness. While developers have happy users (we hope ;-) exploit finders have few if any positive feedback.
This, almost by definition, distorts the personality and creates a false sense of superiority: if only I were allowed to hack this code, I'd clearly do such a better job. And they call this Linus a genius while he allows such obvious crap. Morons!
So yes, the somewhat childish attitude and messaging, the hatred, the self-promoting PR, the exaggeration, the sense of superiority and the narcissism are all pretty normal in that field of activity. Compounded with some inevitable level of paranoia most likely as well, and perhaps, if there's weak morals, there might also be the constant financial lure of the criminal side mixed with the fear of not risking to go too far to become a felon.
Plus such patterns draw external attacks (mixed with the emotional, defensive attitude from developers when one out of ten thousand commits per kernel cycle turns out to be seriously buggy - bringing the worst behavior out of them: initially ridiculing or downplaying the exploit writer) which creates a self-reinforcing cycle of violence that deforms the psyche.
Without sounding patronizing, IMHO those are forces strong enough to bend steel, let alone the human psyche. I think that such exploit-finding work should be done in organized, (perhaps government) sponsored setups, with proper safeguards and humane work conditions. It's useful to society at large and it's a pity that it's currently done in such an unstructured, random way, burning through and bending good and smart people fast.
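As an added illustration, not part of the comment above or of any kernel code: the dereference-then-check ordering that lets a NULL dereference turn into reachable code, beside the check-then-dereference form a reviewer should insist on. The structs and function names are constructed stand-ins, not the real driver's layout.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed stand-in for a driver object holding a pointer to a
 * socket-like sub-object; not the kernel's real struct layout. */
struct dev_sock { int flags; };
struct dev_priv { struct dev_sock *sk; };

/* Dereference-then-check: the compiler-side failure the comment refers
 * to. Because `priv->sk` is loaded first, an optimizing compiler may
 * treat `priv` as already proven non-NULL and delete the `if (!priv)`
 * test, so with priv == NULL the function keeps running and reads from
 * whatever happens to be mapped at address 0. The SELinux-side failure
 * was that such a low mapping was permitted at all. */
int get_flags_unsafe(struct dev_priv *priv)
{
    struct dev_sock *sk = priv->sk;   /* undefined behaviour if priv == NULL */
    if (!priv)                         /* may be optimized away */
        return -EINVAL;
    return sk->flags;
}

/* Check-then-dereference: the test happens before any load through the
 * pointer, so the compiler has nothing to reason away. */
int get_flags_safe(struct dev_priv *priv, int *out)
{
    if (!priv || !priv->sk)
        return -EINVAL;
    *out = priv->sk->flags;
    return 0;
}

/* Exercises the safe version with NULL, with a NULL sub-object and with
 * a valid object; returns 0 when every case behaves as expected. */
int demo(void)
{
    struct dev_sock sk = { .flags = 0x2a };
    struct dev_priv good = { .sk = &sk }, bad = { .sk = NULL };
    int out = 0;
    if (get_flags_safe(NULL, &out) != -EINVAL) return 1;
    if (get_flags_safe(&bad, &out) != -EINVAL) return 2;
    if (get_flags_safe(&good, &out) != 0 || out != 0x2a) return 3;
    if (get_flags_unsafe(&good) != 0x2a) return 4;  /* valid input only */
    return 0;
}
```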