| |||||||||||||
A nasty local kernel vulnerabilityA nasty local kernel vulnerabilityPosted Feb 26, 2013 18:49 UTC (Tue) by khim (subscriber, #9252)In reply to: A nasty local kernel vulnerability by drag Parent article: A nasty local kernel vulnerability
It would of been worse if PaxTeam didn't say anything. No. It would be better. Much better. In a sense PaXTeam and Spender spent so much time teaching people that they are the boys who constantly cry the wolf that any advice from them immediately justifies the thing they are objecting against. Hopefully people will pay attention to what he is saying. They do - just not in the way you expect. Typical reaction is "ah, I see — only these worrywarts are panicking… which means at this stage it's problem for Pentagon and/or FBI, but for us, mere mortals, it's not something to worry about".
(Log in to post comments)
A nasty local kernel vulnerability Posted Feb 26, 2013 19:04 UTC (Tue) by hummassa (subscriber, #307) [Link]
> Typical reaction is "ah, I see — only these worrywarts are panicking… which means at this stage it's problem for Pentagon and/or FBI, but for us, mere mortals, it's not something to worry about".
That, and getting all red in the face when shit hits the fan, eh? The problem with thinking someone is "the boy the cries wolf" (independently of the truthiness) is that eventually the wolf comes (it always does).
Ah, and the obvious "ad hominem fallacy" thing. Meaning that anyone who succumbs to the "typical reaction" is just plain wrong...
A nasty local kernel vulnerability Posted Feb 26, 2013 19:38 UTC (Tue) by khim (subscriber, #9252) [Link] The problem with thinking someone is "the boy the cries wolf" (independently of the truthiness) is that eventually the wolf comes (it always does). Sure, but how much harm does it make? People have learned to live with all the trojans, viruses and other, more benign, crapware on their systems. They know they lose some money from the crashes and periodic reinstalls but as long as this amount if less then the amount you need to spend to keep your system bullet-proof it's wise investment. That's what people like PaXTeam and Spender can't understand at all: most people accept the fact that their computers are vulnerable as matter of fact, not something to cry about. After all their homes are vulnerable (few of us live in castles with three redundant layers of walls), their cars are vulnerable (just sprinkle the car with some millet where there are lots of birds and watch how $$$ body is destroyed), etc. Some level of security is desirable, of course (we have locks in our homes and cars), but it's all relative. For Joe Average the question is not "can someone attack me", but "how much it'll likely to cost me if I'll not go and spend days patching this vulnerability". Answers from PaXTeam and Spender are absolutely unhelpful and thus the default "risk is obviously still quite low" answer is assumed. That, and getting all red in the face when shit hits the fan, eh? Well, nobody likes pickpockets and people become angry when they are robbed by them but it does not mean they will use locked down safe to carry their couple of $10 bills next time.
A nasty local kernel vulnerability Posted Feb 26, 2013 21:39 UTC (Tue) by aggelos (subscriber, #41752) [Link]
Two points:
a) Your analogy to the physical world is inapplicable as the potential for exploitation at a massive scale changes the economics considerably.
b) The Average Joe has no clue about the severity of a vulnerability or about the sophistication of the current generation of attacks. It would be good news if your Average (I assume, Professional) Joe did an actual cost/benefit analysis but, at least in my experience, they generally have neither the expertise nor the professionalism to do that.
A nasty local kernel vulnerability Posted Feb 27, 2013 7:30 UTC (Wed) by paulj (subscriber, #341) [Link]
An individual with 1 computer cannot be exploited at a massive scale. Indeed, even if exploitation of many individuals - at a massive scale - occurs, the risk to any 1 individual may still be minimal.
The economics changed for the attackers, allowing them greater scale. However, it hasn't really changed the economics for each individual or even businesses, in the main. What khim wrote stands for them.
A nasty local kernel vulnerability Posted Feb 27, 2013 10:27 UTC (Wed) by khim (subscriber, #9252) [Link] The economics changed for the attackers, allowing them greater scale. However, it hasn't really changed the economics for each individual or even businesses, in the main. It's even worse then that. This discussion was started when it was known that "economies of scale" was broken (automatic exploit didn't work). Now the question becomes extremely technical: yes, we know that you need some offsets for any custom build of kernel, but is it something attacker can automatically guess from System.map or is it something attacker need to painstakingly dig from memory using esoteric debugging techniques? The natural assumption is that you need to use esoteric debugging techniques, but if the situation is different in some cases you'll never hear from PaX && Brad directly about that which turns their messages to classic "cry wolf" messages.
A nasty local kernel vulnerability Posted Feb 27, 2013 10:47 UTC (Wed) by paulj (subscriber, #341) [Link]
If I understand the earlier discussion correctly, the PoC exploit doesn't automatically determine the offsets, but other code exists to do that. All you that needs to be done is combine the two - PaXTeam and Spender just havn't done so (perhaps deliberately). In which case, the attack can work perfectly well at scale.
As per your comment earlier, it's still not a massive problem for many specific entities, even if it's still a significant problem for the general internet eco-system (giving bad people control of things to use as staging posts for further bad stuff, etc.).
A nasty local kernel vulnerability Posted Feb 27, 2013 11:12 UTC (Wed) by khim (subscriber, #9252) [Link] If I understand the earlier discussion correctly, the PoC exploit doesn't automatically determine the offsets, but other code exists to do that. Yes, that's true, but can you glean this information from summarily unhelpful looks like you shouldn't be giving out advices (i thought you'd learned that in the past already ;). reading the actual exploit (never mind the posted output) would help explain why it didn't work on the 3.8 kernel message? Yes, message is 100% correct, but as we now know thread opener already knew just why exploit does not work — but he probably had no idea if there are exist code which can automatically find offsets or not. And instead of giving him the useful information the only thing message contained is sneers. As per your comment earlier, it's still not a massive problem for many specific entities, even if it's still a significant problem for the general internet eco-system (giving bad people control of things to use as staging posts for further bad stuff, etc.). Right, but can you ever find this information (the only information interesting for average LWN reader) in PaX && Brad opuses? Nope. But you'll find plenty of riddles and endless hubris in them. Not a good way to attract people's attention, really.
A nasty local kernel vulnerability Posted Feb 27, 2013 12:57 UTC (Wed) by spender (subscriber, #23067) [Link]
Hi khim,
While you were busy attacking your straw man (if you think our position involves massive security spending or constant patching, you clearly know nothing about us), I was posting exploitation notes in another forum where such information is actually valued instead of squandered on the likes of you. All the information you could want is available -- if you cared about security (which it does not seem that you do) you would be using additional sources to obtain it.
Would you prefer that I publish a weaponized exploit for the vulnerability or something? I can only imagine the kinds of complaints that would generate here and elsewhere. You appear to be whining about it not existing and insinuating that that's because it's impossible. The exploitation notes should clear up that this is trivial on vanilla Linux, not that facts appear to matter to you.
http://www.reddit.com/r/netsec/comments/198g7i/cve_201317...
I much prefer other forums where idiotic comments are downvoted to obscurity where they belong. It makes it much easier for people to see useful content.
-Brad
A nasty local kernel vulnerability Posted Feb 27, 2013 13:12 UTC (Wed) by mpr22 (subscriber, #60784) [Link] It seems to me that the overlap between "community capable of using downvote-to-obscurity systems responsibly" and "communities with any genuine need for a downvote-to-obscurity system in the first place" is likely to be extremely small. Downvote-to-obscurity systems don't directly cause groupthink, but they certainly facilitate its development.
A nasty local kernel vulnerability Posted Feb 27, 2013 14:17 UTC (Wed) by khim (subscriber, #9252) [Link] While you were busy attacking your straw man (if you think our position involves massive security spending or constant patching, you clearly know nothing about us), I was posting exploitation notes in another forum where such information is actually valued instead of squandered on the likes of you. Let me translate from English to English: while people here tried to understand what effect this exploit can have you've only posted snide remarks here and expressly refused to help because audience here does not worship you enough. It's your choice, of course, but then you should not be surprised by the reaction. I mean: you've spent a lot of time and efforts to make sure people on LWN will perceive you as "this asshole who never says anything concrete and just plays some great guru who has right to ridicule everyone else without a substantial reason" — and now you are surprised that people treat you as such asshole? Few people who do know what you actually do are trying to fix this perception but of course they can't do anything: direct words "from horse's mouth" are more potent by far then third-party narrations. Would you prefer that I publish a weaponized exploit for the vulnerability or something? Nope. Sane explanation of what goes on will be enough. Here is the example of sane explanation. Here is the example of snakeoil salesmen pitch (mixed with the deep technical details which are of no interest to most users). People who are sold on grsecurity already don't need it and people who are not sold will start to ignore it after few repeats of "you were owned before the distro even pushed an update" with no observed consequences (that's the "wolf" cry I've talked about).
A nasty local kernel vulnerability Posted Feb 27, 2013 15:19 UTC (Wed) by malor (subscriber, #2973) [Link]
As far as I'm concerned, you're both towering assholes, and all this verbiage is accomplishing precisely nothing.
You'd both do well do stop waving your electronic genitalia.
A nasty local kernel vulnerability Posted Feb 27, 2013 15:46 UTC (Wed) by PaXTeam (subscriber, #24616) [Link]
> while people here tried to understand what effect this exploit can have
first, they did not (provide evidence that they did. no, running the exploit is not evidence of that.) second, as i explained so many times, you don't care about exploits, you care about exploitable bugs, regardless of an exploit that you may very well never get your hands on (but your attackers may/will). please stop spreading this bullshit attitude, this is exactly one of the biggest problems with people who are in charge of security somewhere but are incompetent to the point that without a weaponized exploit or worse, getting completely owned they would never consider fixing the problems.
> you've only posted snide remarks here and expressly refused to help
that help was already in the article, including the linked ones too: there is an exploitable kernel bug, no ifs and buts about it. go fix it yourself if you can, wait for your distro otherwise. no other piece of information is needed if you only care about defense! and forgive me if i refuse to play on the attacker side and help people write weaponized exploits. pretty please? ;)
> I mean: you've spent a lot of time and efforts to make sure people on
do you have evidence that we don't provide 'anything concrete'? spoonfeeding weaponized exploit info doesn't count of course (albeit spender has been quilty of even that but then i don't expect you know, it's so much easier to throw out random shit without evidence, aint't it ;). and yes, we do ridicule idiots such as yourself, but you see biased samples don't statistics make (may i refer you to the same wikipedia article that i suggested nix to read as well? ;).
> and now you are surprised that people treat you as such asshole?
and that statistics is based on what evidence exactly? oh wait, the usual 'i made it up because that is what fits my distorted reality'. second, what does it matter (seemingly to you, but not us) what anyone thinks of us? does that change anything? not us apparently. then why do you care? do *you* change when others think of you as an asshole? yeah, i didn't think so either ;). third time i'm reminded of Einstein. the guy knew something.
Enough? Posted Feb 27, 2013 16:18 UTC (Wed) by corbet (editor, #1) [Link] I get the sense that the few people still following this thread have a fairly good idea of what the participants think of each other at this point. So maybe we could stop here? Seriously, personal attacks don't help the conversation, let's try to do rather less of that, OK?
A nasty local kernel vulnerability Posted Feb 27, 2013 11:00 UTC (Wed) by aggelos (subscriber, #41752) [Link] An individual with 1 computer cannot be exploited at a massive scale. Indeed, even if exploitation of many individuals - at a massive scale - occurs, the risk to any 1 individual may still be minimal. The economics changed for the attackers, allowing them greater scale. However, it hasn't really changed the economics for each individual or even businesses, in the main. What khim wrote stands for them.Sigh. Being able to attack at a massive scale (and being able to easily monetize exploited systems) makes writing an exploit way more attractive to a group of skilled people with no qualms about how to make money (nevermind the power trip factor). That means that any individual's chance of getting owned is significantly higher than if mass exploitation wasn't possible. Therefore mass exploitation changes the economics of a cost/benefit analysis. QED.
A nasty local kernel vulnerability Posted Feb 27, 2013 1:34 UTC (Wed) by hummassa (subscriber, #307) [Link]
> Sure, but how much harm does it make?
67 billion a year in the US only, according to the FBI in 2006.
You are correct in stating that you don't have to have perfect security. But it's like the bear/shotgun joke goes: you don't have to outrun the bear, you have to shoot your mate in the knee so you can outrun *him*. When PaX && Brad "cry wolf", they are actually showing you that your mate can outrun you, so you're bear snack!
Bonus: mixing two animal-world metaphors... :-D
A nasty local kernel vulnerability Posted Feb 27, 2013 10:21 UTC (Wed) by khim (subscriber, #9252) [Link] When PaX && Brad "cry wolf", they are actually showing you that your mate can outrun you, so you're bear snack! Nope. They "actually showing" that your boots have scuffs — but then refuse to say if your boots are lightly affected or are ready to fall apart at the seams. You can stop to try to mend them (which places you closer to the bear but gives you hope that you'll be able to run faster in the future) or you can ignore them and hope boots will hold till the next town. 67 billion a year in the US only, according to the FBI in 2006. Which is less then 1% of GDP and in the same ballpack as $83 billion from patent trolls. IOW: yes, it's a problem, but it's not the problem and it's certainly not something you need to spend all your resources on.
A nasty local kernel vulnerability Posted Feb 26, 2013 21:44 UTC (Tue) by PaXTeam (subscriber, #24616) [Link]
uhm, do you have stats on how many times we cried wolf (assuming you mean we said something was a security bug where it wasn't)? we're not 100% correct of course but much closer to it than to 0% so it's a far cry (pun intended) from crying wolf ;).
as for the typical reaction, where's your data from? the data i have say that people who care about security are avid readers of spender's changelog to the point that the just released ubuntu fix for this very problem misattributed the bug to spender instead of Mathias. the people who don't care (mostly because they don't even know they could or should) simply expect their more or less regular system updates to fix problems that they or others have experienced. details don't matter for them, regardless of what we or anyone else have to say about them, that information doesn't even reach them so we can't talk about reaction as there's nothing to react to in the first place.
A nasty local kernel vulnerability Posted Feb 27, 2013 10:45 UTC (Wed) by khim (subscriber, #9252) [Link] uhm, do you have stats on how many times we cried wolf (assuming you mean we said something was a security bug where it wasn't)? we're not 100% correct of course but much closer to it than to 0% so it's a far cry (pun intended) from crying wolf ;). And this answer shows what's wrong with you messages succinctly. You assume people want to know about all security bugs for some reason. But why should they care? Do you dig all the information about all the internal incidents on the power stations which power you computer or all the problems with pumping station or all the problems with all the farmers who grow food you eat? I doubt it: you only want to know about incidents which can actually affect you! And Joe Average is the same: security bugs which have little chance of affecting him directly are of no interest to him! From that POV you "cry wolf" all the time and you are much, much, MUCH closer to 0% then to 100%, sorry. the data i have say that people who care about security are avid readers of spender's changelog to the point that the just released ubuntu fix for this very problem misattributed the bug to spender instead of Mathias. Of course! That's their work! It's similar to nuclear power plant workers: they study information about incidents on other plants diligently, indeed. But general public? No, it's not what they want to know and it's not what they are supposed to know. When you bait these people and ridicule them because they don't diligently study all your patches you just show your hypocrisy, nothing more, nothing less. details don't matter for them, regardless of what we or anyone else have to say about them, that information doesn't even reach them so we can't talk about reaction as there's nothing to react to in the first place. Sure. Detail don't matter for them but if they'll know that situation is so dire that nuclear station near them can blow up at any moment they should care and they will care. That's about what people expect from discussions on LWN — and that's what you expressly refuse to discuss. You show some snippets of information and then laugh on people who can try to understand if they actually should care about it or if they should expect their more or less regular system updates to fix problems. After few such repeats people learn that it's more-or-less impossible to receive useful information from you and they know that after bazillion of your "wolf" cries wolf didn't come thus they assume you again talk something they can safely ignore.
A nasty local kernel vulnerability Posted Feb 27, 2013 15:24 UTC (Wed) by PaXTeam (subscriber, #24616) [Link]
> And this answer shows what's wrong with you messages succinctly.
sure, if you're talking about your own ;). you see, you didn't answer a single question of mine. do you have stats or not? you don't. do you have examples where we cried wolf? you don't. facts speak, strawmen don't.
> You assume people want to know about all security bugs for some reason.
quote me back on that or you just made this up. seriously, do find a quote from me where i said anything even remotely close to that. you won't because you can't because i never said anything like that (never mind that right in the very post you responded to i said myself that there're people who care to whatever extent and there're people who don't care). making reality fitting your distorted world doesn't work without backing up with (preferably less distorted ;) evidence. so go find some (this goes for all your other posts too, but i'll address some of them there).
> And Joe Average is the same: security bugs which have little chance of
you're wrong, did you even read my post you responded to? it's not only that the average user (most people) don't care about bugs that don't affect them, they don't care about *anything* whatsoever because they don't even *know* that such things can exist (and the few who the mass media manages to reach with this information still don't *understand* so they're not in the position to be able to care)!
> From that POV you "cry wolf" all the time and you are much, much, MUCH closer to 0% then to 100%, sorry.
here we go again, without any shred of evidence of what exactly we did that you think was crying wolf? a single example pretty please (although i'd still prefer that stat of yours ;)? and i mean examples that exist on the internet, not in your head only.
> When you bait these people [...]
evidence please or you made this up.
> [...]ridicule them because they don't diligently study all your patches
yes, we critize people who should care about security but don't. you also critize everyone who doesn't think your way, what's your point then?
> you just show your hypocrisy, nothing more, nothing less.
i suggest you look up that word, it doesn't mean what you think it does (hint: it'd apply to us if we expected others to care about security whereas we wouldn't care at the same time, i think even you admitted that that's not the case ;).
> That's about what people expect from discussions on LWN
provide evidence or you made this up. be careful 'cos i have my own quotes directly from lwn posts where people explicitly asked the exact opposite of what you're suggesting here ;).
> and that's what you expressly refuse to discuss.
what i discuss is not up to you to decide mon ami, it's up to me. you don't have to like my choices any more than i or anyone else has to like yours or anyone else's. welcome to the real world. with that said, i think i provided about 1000x more useful information about security bugs over time here and elsewhere than you ever will (your whining doesn't count ;).
> You show some snippets of information
did you even read what i posted? it was *public* information, linked straight from the article. you know there's some irony in that you're showing the exact symptomps of the twitterbrain that you so critized in the past yourself ;).
> and then laugh on people
evidence or you made this up too. if anything, i was worried about them destroying their systems by being so careless when they ran an exploit they didn't understand (the loaded gun example, see somewhere above).
> who can try to understand if they actually should care about it or if
khim, if you don't understand a topic, can you please stay out of discussing it, never mind giving out advices to the laymen? i wrote about this before in this very thread but let me repeat it: your kernel is *not* exploitable because someone posts a working exploit to the public! your kernel is vulnerable because it has an exploitable bug! can you digest that? do you understand that testing your system this way would only give you a false sense of security? yeah, i don't expect you do. so please take it on faith that you should not care because you see an exploit in the wild, you should care because there is an exploitable bug in your system, don't wait with the upgrade till an exploit appears.
> After few such repeats
more evidence wants to be seen.
> people learn that it's more-or-less impossible to receive useful
first, i didn't know i was supposed to provide such a service. second, when spender or me did provide such information in the past, we were criticized for *that*. i don't think you can have it both ways ;).
> and they know that after bazillion of your "wolf" cries wolf didn't come
this is again the same lie you keep repeating and based all your rants on. so prove it or admit you made this up.
A nasty local kernel vulnerability Posted Feb 27, 2013 20:46 UTC (Wed) by khim (subscriber, #9252) [Link] i suggest you look up that word, it doesn't mean what you think it does (hint: it'd apply to us if we expected others to care about security whereas we wouldn't care at the same time, i think even you admitted that that's not the case ;). It's absolutely the case. Do you know or care who and how produces electric power for your home? Do you know or care abut who and how pumps water? Do you know and care about all the food sources (and all the chemicals used in this process) ? Or do you pick one narrow form of security (IT-related stuff) and assume all other forms of security are somehow less important? Why do you think it's more important and why do you think other should care about GMO less then they care about out-of-bounds access in the Linux kernel?
A nasty local kernel vulnerability Posted Feb 27, 2013 21:12 UTC (Wed) by PaXTeam (subscriber, #24616) [Link]
this is LWN, the topic is a linux kernel vulnerability, *of course* everyone (except perhaps you) talks about security as it relates to computers. you want to discuss other kinds of security? find a more suitable forum for it ;). then and there i will tell you what i think and know about those other areas, but it's off topic here afaik. alternatively, if you can get Jonathan to agree that it's not, we can discuss it here. in short, the logical mistake you made is that if i write about something, it also means that i don't care about anything else i didn't write about. that's an obvious fallacy.
A nasty local kernel vulnerability Posted Feb 27, 2013 21:55 UTC (Wed) by khim (subscriber, #9252) [Link] And now for some meat. him, if you don't understand a topic, can you please stay out of discussing it, never mind giving out advices to the laymen? Well, that's exactly your problem: as someone who's working on security solutions (although not on Linux-kernel related security solutions) I do understand the topic. At least I understand it well enough to expose your "snake oil salesmen" pitch. i wrote about this before in this very thread but let me repeat it: your kernel is *not* exploitable because someone posts a working exploit to the public! your kernel is vulnerable because it has an exploitable bug! can you digest that? Of course I can! It's truth, nothing except truth, the only problem: it's useless truth! In the absence of "black hats" even bazillion security holes in your system don't matter: there are noone to exploit them. Easy enough to digest. Also easy to understand that this is unrealistic case: we do know that "black hats" dwell out there. Ok, what about another case: all-knowledgeable adversary. In this case, obviously, upgrade is also entirely useless: you replace one vulnerable kernel with another also vulnerable kernel (all kernels till now had a security bugs and there are nothing to suggest that anyone here have 100% security-bug-free Linux kernel). Ah-ha. So now we see that the only case where all these security patches and disruptions ever make sense lies in the world where we do have an adversary but where said adversary does not posses an omniscience. Which basically means that "what knowledge potential attackers have about exploit" is the most important, central question for the layman. It may be pretty murky at times (the only case where answer is 100% clear is when you can say something like "I've personally added this exploit to dozen of rootkit sets which are sold on blackmarket" — and for some reason people don't like to say so even if that's exactly what they did), but it's vital. Now, situation like this one ("I don't know if this exploit is in rootkits by now or not, but all the ingredients are publicly known thus we can expect it can be exploited soon") is not that much better, but it's still better: you know that probably only expensive rootkit can exploit this vulnerability on custom kernels while cheap ones will only target few popular distributions. If someone wants to rush to upgrade or not because there are pretty easy to use vulnerability depends on the exact circumstances, but to say "please take it on faith that you should not care because you see an exploit in the wild, you should care because there is an exploitable bug in your system, don't wait with the upgrade till an exploit appears" is exactly to "cry wolf" needlessly. Not all security bugs are equally dangerous (although there are bias: bugs which are obviously high-priority are easy to exploit but from time to time people invent clever ways to exploit bugs which look hard to exploit at first glance) and you do know that most likely both old kernel and upgraded one have exploitable security holes. Thus you need to know what makes this particular bug easy (or hard) to exploit and — more importantly for the layman — how easy (or hard) is it to exploit in reality. So now back to the question: do you understand that testing your system this way would only give you a false sense of security? I understand that now, but it's not at all obvious from the source of the presented exploit. You either need to dig deeper (to try to understand how exploit works and then study the relevant kernel sources) or you need more context (if someone who wrote exploit says that "it's pretty easy to add support for custom kernels — 10 minutes, may be couple of hours if System.map is not present" then it's one thing, if it's "we needed to run this kernel for hours under an emulator to find this offsets" then it's quite different thing). And I'm ready to admit: you have explained the situation here, that's true — but it was done after some snide remarks which don't enlighten the situation at all. These were entirely unnecessary.
A nasty local kernel vulnerability Posted Feb 26, 2013 21:58 UTC (Tue) by nix (subscriber, #2304) [Link]
I have to agree with PaXTeam here (yes, it can happen). When did they cry wolf about actual exploits? One can disagree with PaXTeam and spender regarding their attitude, their interaction with the kernel community, the hopelessness of their task as long as they specialize principally in making people hate them, all sorts of things -- but if they say there is a security hole somewhere, they are more or less guaranteed to be right. As I've said before, that's the tragedy here: their frankly terrible interpersonal skills doom them to being Cassandras, crying the truth but universally ignored.
A nasty local kernel vulnerability Posted Feb 27, 2013 10:48 UTC (Wed) by khim (subscriber, #9252) [Link] if they say there is a security hole somewhere, they are more or less guaranteed to be right Sure, but is it serious enough to drop everything and start shutting down some services or is it minor enough to schedule kernel update early next quarter? These are the things most readers of LWN wonder about. Some may be more technical and may care about juicy details of the bug — but these are in the minority.
|
|||||||||||||