Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1)

[Gadi Evron <ge () linuxbox org>]

On Sun, 12 Nov 2006, Steve Grubb wrote:
> On Saturday 11 November 2006 16:46, L.M.H wrote:
> > OK, enough FUD already.
>
> First let's say that FUD is the wrong word to use here. You are the one 
> spreading FUD. Dave is not causing panic or a sense of "oh shit". He is 

That is true, I read Dave's post and he was not attacking LMH. LMH got
pissed over Dave's original belitting of these bugs as having no security
impact. I think it's mainly a mis-understanding. LMH is a cool guy and
Dave reads to be a cool guy.

> merely point out the obvious...you have to either have privileges to perform 
> mount or physical access to the machine. If all these are is DoS and you have 
> physical access, why not just yank the power cord? Until an exploit is 
> written, these are just DoS crashes.

DoS only? No public exploit? We heard that before. Sorry for being rude on
this point, but we did.

> > There's something that strikes me, why a bug 'with no security
> > implications' is marked as private to Red Hat employees?
>
> Because that is the responsible thing to do. If a bug is not assessed that 
> could be a security issue, it should be private until a determination has 

So, it's private, and yet...

> been made one way or another. This also brings up the point that you are 
> posting bugs I found to the MoKB as if you found them and not giving me 
> credit. This also goes for the squash double free (which the kernel catches) 

Were you the one to find the bugs working with LMH, or did you find them
on your own and kept them private to redhat only? Please clarify..

<snip>

> If you have physical access to a machine, you can put your favorite distro in 
> the CD-Rom tray and install anything you want on the system. So, no I do not 
> believe this falls into security fixes because there are easier ways to 
> compromise a box if you are root or have physical access.

USB drives and corporate employees disagree.

It's a vulnerability, far from us to also prove how it works or what it
will be useful for, it needs fixing. That said, you ARE right these seem
LESS critical.
In my humble opinion, as an open-source related company, you may do well
to try and see if you can work with the researchers rather than attack
them. Learn from Microsoft's mistake.

That is not to say you mean to attack researchers, it comes as an honest
observation on how this misunderstanding can be avoided and not further
esclated.

> -Steve

        Gadi.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave