Dailydave mailing list archives
Re: Kernel 'developer' makes fuzzy FUD (RH Episodes: Volume 1)
From: Gadi Evron <ge () linuxbox org>
Date: Sun, 12 Nov 2006 10:20:13 -0600 (CST)
On Sun, 12 Nov 2006, Steve Grubb wrote:
> On Saturday 11 November 2006 16:46, L.M.H wrote:
> > OK, enough FUD already.
>
> First let's say that FUD is the wrong word to use here. You are the one spreading FUD. Dave is not causing panic or a sense of "oh shit". He is

That is true, I read Dave's post and he was not attacking LMH. LMH got pissed over Dave's original belittling of these bugs as having no security impact. I think it's mainly a misunderstanding. LMH is a cool guy and Dave reads to be a cool guy.

> merely pointing out the obvious... you have to either have privileges to perform mount or physical access to the machine. If all these are is DoS and you have physical access, why not just yank the power cord? Until an exploit is written, these are just DoS crashes.

DoS only? No public exploit? We heard that before. Sorry for being rude on this point, but we did.

> > There's something that strikes me, why a bug 'with no security implications' is marked as private to Red Hat employees?
>
> Because that is the responsible thing to do. If a bug is not assessed that could be a security issue, it should be private until a determination has

So, it's private, and yet...

> been made one way or another. This also brings up the point that you are posting bugs I found to the MoKB as if you found them and not giving me credit. This also goes for the squash double free (which the kernel catches)

Were you the one to find the bugs working with LMH, or did you find them on your own and kept them private to Red Hat only? Please clarify.

<snip>

> If you have physical access to a machine, you can put your favorite distro in the CD-ROM tray and install anything you want on the system. So, no I do not believe this falls into security fixes because there are easier ways to compromise a box if you are root or have physical access.

USB drives and corporate employees disagree. It's a vulnerability, far from us to also prove how it works or what it will be useful for, it needs fixing. That said, you ARE right these seem LESS critical. In my humble opinion, as an open-source related company, you may do well to try and see if you can work with the researchers rather than attack them. Learn from Microsoft's mistake. That is not to say you mean to attack researchers, it comes as an honest observation on how this misunderstanding can be avoided and not further escalated.

> -Steve
Gadi.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave