User: Password:
|
|
Subscribe / Log in / New account

Handling kernel security problems

Handling kernel security problems

Posted Jul 17, 2008 20:33 UTC (Thu) by zooko (guest, #2589)
Parent article: Handling kernel security problems

You know Jon, the more I think about it the more it bothers me that you intimated that PaXTeam
and company may be acting out of self-interest.  The reason it bothers me is that the shoe
fits better on the other foot.

Granted that PaxTeam and company might have a certain amount of incentive to play up Linux
security vulnerabilities, in order to increase their reputations at security researchers, but
Linux core devs have an even greater incentive to play down security vulnerabilities in order
to protect their reputations as kernel hackers.  Likewise, companies which rely on Linux as
part of their revenue stream have a very strong incentive to play down, hide, or obscure
Linux's security problems.

I like to assume that everyone involved is honest and of good-will.  This is a good starting
point.  However, we have to admit that people are influenced by psychological motivations
other than their sheer desire to contribute to the greater good.  If you are writing up the
release notes for the latest Linux kernel, it might sting your pride a little bit to write
something like "The following seventeen remote root exploits have been fixed since the
previous release.".  (For example, the way the OpenBSD folks post prominently, at the top of
their home page, the count of how many remote exploits they've shipped. -- http://openbsd.org
.)  If you are selling Linux to customers, then it might sting your revenue stream.  But by
the same token, it might be good for you to force yourself to write that down and show it to
your users or customers.


(Log in to post comments)

Self interest

Posted Jul 17, 2008 20:46 UTC (Thu) by corbet (editor, #1) [Link]

You know, we're all acting out of self interest. If the motivation is purely a more secure kernel and more information about when it's not secure, that's still self interest.

As for what was in the article, I said that a suitably cynical mind could see their actions as furthering the interest of their project. That is demonstrably true: that idea was raised in the discussion. To mention that is, I think, is along the same lines as covering the accusations that Linux developers are deliberately hiding security problems (out of their self interest, no doubt). Those charges, too, can be seen as insulting. Should I have covered one side and not the other?

That said, maybe I should have left that sentence out. It lacks relevance to the real issues at hand. This kind of article is quite hard to write (gnarly technical stuff is much easier); I don't always get it perfectly right.

Self interest

Posted Jul 17, 2008 21:02 UTC (Thu) by PaXTeam (guest, #24616) [Link]

> As for what was in the article, I said that a suitably cynical mind
> could see their actions as furthering the interest of their project.
> That is demonstrably true: that idea was raised in the discussion.

Ted raised it once and when i asked him for what he really meant, i got no response (i bet you
too won't tell me what on earth i was supposed to gain from all this). on the other hand, i
did explain, far too many times for my taste, how kernel devs covered up security bugs. i
don't see how that's insulting when they even admitted it themselves. most of the discussion
was all about their trying to justify that fact, not disputing it. see the difference?

Self interest

Posted Jul 17, 2008 22:53 UTC (Thu) by nix (subscriber, #2304) [Link]

No. You called them 'cover ups'. 'Cover up' in English implies not just 
intent but *malicious* intent, and you have proven no such thing, despite 
repeated assertions to the contrary.

Self interest

Posted Jul 17, 2008 23:47 UTC (Thu) by spender (subscriber, #23067) [Link]

1 a: a device or stratagem for masking or concealing <his garrulousness is a cover┬ľup for
insecurity> b: a usually concerted effort to keep an illegal or unethical act or situation
from being made public

1.	any action, stratagem, or other means of concealing or preventing investigation or
exposure.

to keep (something unpleasant) secret or hidden 

an attempt to prevent the public from discovering information about a serious crime or mistake

to stop people discovering the truth about something bad

Where did your definition come from?  I doubt you pay the $295/year for a subscription to OED
and that its definition differs in the way you hope.

No maliciousness mentioned there in any definition I can find.  Didn't we already tell you
weeks ago you don't know the meaning of the words you use?  Language is not private (go read
some Wittgenstein).  You can't just decide a certain word means something differently than the
rest of the world recognizes it.  When you do that, you gibber (read Clive Bell).  Here you
come up with your own meaning for the word, and then attack the PaX team because their claims
meet up to their definition and the definition of everyone else in the world, but not to your
contrived definition.  Especially when we've already made clear several times in what way we
mean coverup (which as you can see above, matches the accepted definition, as well as common
usage of the term), your continued comments regarding it are just irresponsible and reckless.

-Brad

Self interest

Posted Jul 18, 2008 21:36 UTC (Fri) by man_ls (guest, #15091) [Link]

On the contrary, nix has a splendid command of the English language. In this particular case he is spot-on, as has been sufficiently proved.

Self interest

Posted Jul 18, 2008 21:51 UTC (Fri) by nix (subscriber, #2304) [Link]

I'm trying to train myself out of responding to them. Security people tend 
to fall into two categories, charming and horrible, without many in the 
middle. tytso and Wietse Venema are examples of the charming type...

Of course people can be quite different in person than on the net. I hope 
this is true here too.

Self interest

Posted Jul 20, 2008 22:17 UTC (Sun) by PaXTeam (guest, #24616) [Link]

while you two are celebrating i-don't-know what, let me remind the readers of this thread what
these two geniuses said in the recent past.

nix in http://lwn.net/Articles/286336/:
   In fact your interpretation makes no sense at all: why would people
   spend time coordinating to hide security holes when knowingly doing
   that could have no consequence other than to harm the reputation of
   the system they're working on? Doing that would be ridiculous. Ergo,
   they aren't doing that: there is no magically coordinated decision to
   fix security holes while hiding them by the single means of describing
   them differently in commit logs, no conspiracy, no bad intent.

man_ls in http://lwn.net/Articles/286629/:
   Yes: do not hide bugs and do not hide security implications. "Do not
   hide" is the relevant part here.

contrast that with what Linus and others said and think about who's played the fool here all
this time ;).

Self interest

Posted Jul 20, 2008 22:49 UTC (Sun) by man_ls (guest, #15091) [Link]

We were celebrating that, no matter who's right, you can have a civilized discussion on the net where all parties implied learn something. Sadly this becomes very difficult as soon as some party enters the discussion calling names and behaving like teenagers.

The way to adulthood usually is that first you learn how to behave and to respect your fellows, and then you can discuss whatever you like. Please do so; we don't need another De Raadt.

Self interest

Posted Jul 20, 2008 23:27 UTC (Sun) by PaXTeam (guest, #24616) [Link]

the thing is, right from the start you did not have a civilized discussion, i believe you see
that yourselves now in hindsight. the lesson for you is that next time before you question the
messengers, you should look at the message and do some background research yourselves before
you engage them. in other words, ad hominem attacks are not conductive to your civilized
discussion no matter how much you talk about adulthood and respect to your fellows later.

Self interest

Posted Jul 21, 2008 6:15 UTC (Mon) by nix (subscriber, #2304) [Link]

Most of your evidence was on private mailing lists: there's no way we 
could do that. (The word 'evidence isn't even really appropriate here.)

Thus all we really have to go on is the word and character of the 
participants. Let's see, you or Linus. Boy, I wonder, *that's* a hard 
choice. After all you've been acting in a way so sure to make people 
believe every word you say.

(Yes, the way you say things *does* matter. I dislike it too sometimes, 
but it's human nature.)

Self interest

Posted Jul 21, 2008 7:16 UTC (Mon) by PaXTeam (guest, #24616) [Link]

> Most of your evidence was on private mailing lists: there's no way we
> could do that. (The word 'evidence isn't even really appropriate here.)

actually, pretty much nothing was. we explicitly showed you commits and corresponding
bugzilla/etc entries where the discrepancy should have at least raised a curious "yeah,
really, what's up with that?" and resulted in your asking further questions to the devs
themselves. and your reaction to that? let's see http://lwn.net/Articles/286405/ :

   Mostly I'm not interested enough to bother people over it.

and *then* you still continued to attack the characters of people for *weeks* and even *now*
you keep arguing that truth is decided by who says it, not by the supporting facts. that's as
absurd and irrational as it can get.

> Thus all we really have to go on is the word and character of the
> participants.

really, you *have* to? as if there were no alternative. you're just trying to explain your
behaviour instead of apologizing for it (ah yes, that's part of adulthood too, you know,
although you'll probably not find it in the dictionary that you seem to be so attached to).

as a final note i'd like to make an observation in that the most or even all voracious ad
hominem attacks came from anonymous posters such as yourselves. something to remind yourself
next time you divide the 'security people' into black and white categories as somewhere above
(i'm not into security by the way, just a web programmer).

Self interest

Posted Jul 21, 2008 7:46 UTC (Mon) by nix (subscriber, #2304) [Link]

I'm not saying that truth is determined by who says it, nor have I ever. 
What I'm saying is that *when a lot of evidence is invisible* (as was the 
case with yours despite your protestations), people *will* use the 
characters of the arguers in determining the probable truth or falsity of 
their statements.

Fallacy or not, *this is the way people think*, and if you want to have 
anyone believe anything you say in future, remembering this might be wise.

Right now I wouldn't believe you if you said the sky was blue, unless 
confirmed by independently available evidence. Your every action 
screams 'bias' (because all we have available is your words, and your 
words are every bit as rife with ad hominem attacks as they were when this 
mess started).

Self interest

Posted Jul 21, 2008 12:36 UTC (Mon) by zooko (guest, #2589) [Link]

From my perspective, it seems like it would be nice for someone to do the work of identifying
security bugs specifically and explaining, for each one, what sort of situations expose the
user to danger, how to work-around it, and what patch(es) fix it.

We've already heard that GregKH and Linus aren't going to do that.

Perhaps there's an opportunity for some other motivated, skilled person to offer that service?

Such a service would help some users manage their risks better, and it would provide a
valuable "feedback loop" to the kernel developers by documenting the issues.

Self interest

Posted Jul 21, 2008 12:46 UTC (Mon) by PaXTeam (guest, #24616) [Link]

yes, it would be the next step after the already known security issues are acknowleged at
least. since such research requires full staff, the Linux vendors are in the best position to
fund such a service.

Self interest

Posted Jul 21, 2008 13:44 UTC (Mon) by nix (subscriber, #2304) [Link]

Excellent idea. However, if the distro vendors did this, they'd probably 
do it for their stable enterprise kernels, as those are the kernels their 
paying customers use (and also kernels that change slowly enough that this 
sort of fine tooth-combing is possible).

I wish this sort of thing was possible to fund with the raging high-speed 
chaos that is upstream kernels but I have a feeling that it isn't :/ 
still, hopefully if this were done *some* of the holes that were found in 
distro kernels might still be applicable upstream.

(disclaimer: I have no input into funding decisions anywhere at all nor 
ever have had. This is purest speculation.)

Self interest

Posted Jul 21, 2008 12:01 UTC (Mon) by man_ls (guest, #15091) [Link]

Actually, in hindsight we (nix and others) were mostly right in our assumptions: kernel devs are not actively hiding security issues, but they are not actively researching them either, and they are not very good at that kind of research. The "kernel security policy" you waived in our collective faces is no such kernel security policy, but a policy for a certain mailing list. And so on.

Unsurprisingly you did not learn anything from the discussion and had to go to lkml, where you were told essentially the same thing. Now our grumpy editor has dedicated a full article to the same issues from where (unsurprisingly) you came out as unenlighted as before.

As to "questioning the messengers" it is always a healthy exercise and it would not be wise to stop doing it. If you are not up to such questioning then maybe your case is not that clear. I will not go into your accussations of ad hominem since they are completely unfounded.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds