Remote hole in OpenBSD 4.1

[Gadi Evron <gadievron () yahoo com>]

I formerly had a great deal of respect, bordering on admiration, for Theo 
deRaadt's refusals to compromise his open source principles, even in the 
face of stiff opposition. Although he has occasionally gone over-the-top, 
recommended some frankly very dubious changes to OpenBSD, and is regularly 
arrogant (which is even more annoying because he's so often right!), he's 
always remained consistent in his devotion to the cause of GNU/Free Software.

Notice "formerly": my confidence in deRaadt has been soundly shaken by his 
latest round of unfounded aspersions cast against Intel's Core 2 line of 
CPUs. Instead of getting the facts with careful analysis and study, deRaadt 
has jumped the gun by trying to preempt proper research with posts to the 
openbsd-misc mailing list. This in itself wouldn't be so bad, but his only 
proper citation is a 404 page, and his only other source is an old summary 
of unverified errata from a hobbyist website.

The lack of fact-checking and complete absence of any credible sources for 
his allegations is suspicious in itself, but he compounds it into a complete 
boner by making an equally unsupported claim that the supposed (in fact 
non-existent) CPU problems are security flaws:

As I said before, hiding in this list are 20-30 bugs that cannot be worked 
around by operating systems, and will be potentially exploitable. I would 
bet a lot of money that at least 2-3 of them are.

Without real references to backup his exaggerated concerns, deRaadt's post 
crosses the line into outright libel and scare-mongering. It's obvious when 
you know what to look for: the subtle use of neurolinguistic priming in 
emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39, 
AI90, AI99 scare the hell out of us", "Open source operating systems are 
largely left in the cold", "hiding in this list", and so forth. This does 
not lead me to share Theo's purported fears; instead it leads me to believe 
that he's trying to unduly influence Intel's reputation with lies.

I have an idea of why. It's the same reason deRaadt feels comfortable in 
saying that he'd "bet a lot of money" on Intel's Core 2 processors having 
multiple (not one, but several) security flaws originating from these 
errata. Namely, one of Intel's largest competitors has supplied the OpenBSD 
project with a substantial amount of monetary support since 2004, presumably 
because they can't compete even in the open source market without propping 
it up with a flow of money. They cannot maintain their position on the 
processor front, so they're resorting to buying out open source software 
developers. It's regrettably cheap to do so, even if they have deRaadt's 
prestige, because their business models stifle income and so a monolith such 
as AMD can trivially tempt them with greater incentives. In fact deRaadt is 
an easier target for "donations" because he makes it clear that he has no 
business model for OpenBSD.

Intel, by contrast, have no discernable incentive to deceive or play down 
security flaws in their products; the consecutive f00f and FDIV bugs of the 
past have taught Intel that their best course of action is to face up to 
their errors and offer speedy fixes.

DeRaadt's claim that Intel must "be come [sic] more transparent" is most 
unfounded, especially when one considers who stands to benefit from this 
anti-Intel arrangement; the connections between the AMD-ATI leviathan and 
deRaadt-driven projects are not hard to find. AMD make a point of 
emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already 
mentioned, lends its deep pockets to deRaadt's grasp. And the connections go 
both ways too: deRaadt has a blatant chip on his shoulder regarding Intel.

Ultimately, it hasn't been enough for deRaadt to level unsubstantiated 
libels at Intel, or to elicit spurious security fears about its solidly 
tested products. He's added an extra layer of hypocrisy on top by attacking 
Intel for being opaque and complaining about made-up fatal flaws in their 
Core 2 system. I would go as far as to posit that it is in fact deRaadt's 
system for running the OpenBSD project which has a fatal flaw. This escapade 
proves that deRaadt -- and by extension the OpenBSD project -- is simply too 
vulnerable to external influence from corporations with a vested interest 
and lots of lucre.


       
____________________________________________________________________________________Ready for the edge of your seat? 
Check out tonight's top picks on Yahoo! TV. 
http://tv.yahoo.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/