Dailydave mailing list archives

Re: Security people are leaches. [sic]


From: Aaron <apconole () yahoo com>
Date: Tue, 28 Jul 2009 05:34:13 -0700 (PDT)

How can you ever know which bug is a security bug, and which isn't? More importantly, how many bugs
do people talk about as theoretically exploitable for some information vs. the ones which are practically exploitable.
There may be a better way of classification (for example, when something is an oops/segfault/null dereference and is
fixed, then say that) but since Linux is Free (as in beer) and Open the onus is on you, the user, to figure out which
fixes are pertinent to what you're doing and which are ancillary.

Let's say there's a new bug introduced in the kernel. One that presents with the symptom of disclosing a user's password
when the kernel is given some invalid argument to printk while processing the shadow file. However, when processing
the etc/hosts file, it just discloses the contents of that file. Is that a security bug? You could argue yes; you could
argue no. At the end of the day, someone has to do the work to figure out that it either does or doesn't have security
implications.

Linus' point is: A non-security person fixed it, submitted it to a non-security maintainer, and they committed it. They
viewed it as some improper code. To go ahead and research and delve to figure out every path that could ever get impacted
and therefore determine that it has security implications goes way beyond the scope of the patch writer and maintainer's
jobs. If a security person wants to figure out that something has a security impact, they should. But to put additional
burden on a software developer to make your job easier is bull.
________________________________
From: "pageexec () freemail hu" <pageexec () freemail hu>
To: dailydave <dailydave () lists immunitysec com>
Sent: Monday, July 27, 2009 7:09:40 PM
Subject: [Dailydave] Security people are leaches. [sic]

really. or at least according to one Linus Torvalds, who also happens to be the
primary reason for not one, but two! of this year's pwnie nominations for lamest
vendor response and most epic FAIL. apparently the fundamental issue he cannot
understand is that if they don't know what bugs are security issues, maybe they
should find people who do. or maybe bother reading those static checker reports
that point them out. just a thought.

also one cannot help but smile at the irony of divineint (put in charge of security
at RH, no less ;) asking for more proper disclosure. how times change ;).

also i guess exploit writers would heartily disagree with the notion that there's
no difference between bugs and security bugs :P. anyway, without further ado, here's
the latest masterpiece:


On Sun, 19 Jul 2009, Eugene Teo wrote:

If the upstream development community can start doing their part by
differentiating normal bug fixes to the security ones, I think most of
us will benefit from it.

Ok, so this is a perfect example of the kind of IDIOTIC blathering that I
hate to hear from security people.

Quite frankly, people who state things like that ARE FUCKING MORONS.

I'm sorry, but it's true. Learn it. Think about it. Deeply, and long.

This whole security exploit is a prime example of exactly why anybody who
says something stupid like that is so stupid and so WRONG.

Look at the bug that caused it. Look at the fix. Think about it. When the
fix was committed, nobody thought it was a security bugfix.

Really.

If you cannot understand this FUNDAMENTAL issue, I don't know what can
make you do so. I absolutely despise most security people, because they
are idiots who do not understand development. They are idiots who do not
understand basic facts. They are idiots, who think the world is some kind
of black-and-white place where you can sort bugs into 'security' and 'not
security'.

So here's a few simple rules:

 - people who argue for full disclosure are wrong

 - people who argue for hiding things and vendor-sec are wrong

 - people who think that there are "bugs" and "security bugs" are
  fundamentally wrong, and misguided, and will always do the wrong thing.

The fact is, bugs are bugs. We don't know which of them are security
issues. We all make mistakes, and we _fix_ the mistakes, and some of the
fixes turn out to have way more subtle interactions than people even
realized!

So you can ask developers to "always think of all the possible issues",
and you will be left with developers who won't have time or motivation to
actually do any real work. And they'll _still_ miss some subtle issue, and
they'll _still_ write code that has bugs.

So how about people face REALITY instead of talking about idiotic
platitudes like people should be "differentiating normal bug fixes to the
security ones"? And it _is_ a platitude: it's something that sounds
"obviously correct", but it's at the same time clearly ignoring the fact
that reality is complicated.

So f*ck me, shut up about idiotic things like that already!

This whole bug really is a _prime_ example of how the bugfix was not at
all clearly a security fix at all, even though it obviously was a big
deal. And a security person who cannot understand that is not a security
person at all - he's just a f*cking poser.

This is why I detest security lists. Lots of posturing and platitudes. And
look at who actually did the real work: a regular developer, and a regular
maintainer, neither of whom were thinking in terms of security.

Security people are leaches. The real heroes are the people who do
development. The last thing security people should do is to ask the people
who do the REAL WORK to do more.

                       Linus

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
