Full Disclosure mailing list archives
Remote hole in OpenBSD 4.1
From: Gadi Evron <gadievron () yahoo com>
Date: Sun, 5 Aug 2007 15:27:33 -0700 (PDT)
I formerly had a great deal of respect, bordering on admiration, for Theo deRaadt's refusals to compromise his open source principles, even in the face of stiff opposition. Although he has occasionally gone over-the-top, recommended some frankly very dubious changes to OpenBSD, and is regularly arrogant (which is even more annoying because he's so often right!), he's always remained consistent in his devotion to the cause of GNU/Free Software. Notice "formerly": my confidence in deRaadt has been soundly shaken by his latest round of unfounded aspersions cast against Intel's Core 2 line of CPUs. Instead of getting the facts with careful analysis and study, deRaadt has jumped the gun by trying to preempt proper research with posts to the openbsd-misc mailing list. This in itself wouldn't be so bad, but his only proper citation is a 404 page, and his only other source is an old summary of unverified errata from a hobbyist website. The lack of fact-checking and complete absence of any credible sources for his allegations is suspicious in itself, but he compounds it into a complete boner by making an equally unsupported claim that the supposed (in fact non-existent) CPU problems are security flaws: As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are. Without real references to backup his exaggerated concerns, deRaadt's post crosses the line into outright libel and scare-mongering. It's obvious when you know what to look for: the subtle use of neurolinguistic priming in emotive leading phrases such as "some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us", "Open source operating systems are largely left in the cold", "hiding in this list", and so forth. This does not lead me to share Theo's purported fears; instead it leads me to believe that he's trying to unduly influence Intel's reputation with lies. I have an idea of why. It's the same reason deRaadt feels comfortable in saying that he'd "bet a lot of money" on Intel's Core 2 processors having multiple (not one, but several) security flaws originating from these errata. Namely, one of Intel's largest competitors has supplied the OpenBSD project with a substantial amount of monetary support since 2004, presumably because they can't compete even in the open source market without propping it up with a flow of money. They cannot maintain their position on the processor front, so they're resorting to buying out open source software developers. It's regrettably cheap to do so, even if they have deRaadt's prestige, because their business models stifle income and so a monolith such as AMD can trivially tempt them with greater incentives. In fact deRaadt is an easier target for "donations" because he makes it clear that he has no business model for OpenBSD. Intel, by contrast, have no discernable incentive to deceive or play down security flaws in their products; the consecutive f00f and FDIV bugs of the past have taught Intel that their best course of action is to face up to their errors and offer speedy fixes. DeRaadt's claim that Intel must "be come [sic] more transparent" is most unfounded, especially when one considers who stands to benefit from this anti-Intel arrangement; the connections between the AMD-ATI leviathan and deRaadt-driven projects are not hard to find. AMD make a point of emphasising OpenBSD's place in the "AMD64 ecosystem", and, as already mentioned, lends its deep pockets to deRaadt's grasp. And the connections go both ways too: deRaadt has a blatant chip on his shoulder regarding Intel. Ultimately, it hasn't been enough for deRaadt to level unsubstantiated libels at Intel, or to elicit spurious security fears about its solidly tested products. He's added an extra layer of hypocrisy on top by attacking Intel for being opaque and complaining about made-up fatal flaws in their Core 2 system. I would go as far as to posit that it is in fact deRaadt's system for running the OpenBSD project which has a fatal flaw. This escapade proves that deRaadt -- and by extension the OpenBSD project -- is simply too vulnerable to external influence from corporations with a vested interest and lots of lucre. ____________________________________________________________________________________Ready for the edge of your seat? Check out tonight's top picks on Yahoo! TV. http://tv.yahoo.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Remote hole in OpenBSD 4.1 Gadi Evron (Aug 05)
- Re: Remote hole in OpenBSD 4.1 monikerd (Aug 05)
- Re: Remote hole in OpenBSD 4.1 Gadi Evron (Aug 06)
- Re: Remote hole in OpenBSD 4.1 wac (Aug 06)
- <Possible follow-ups>
- Re: Remote hole in OpenBSD 4.1 Michael Smythe (Aug 05)
- Re: Remote hole in OpenBSD 4.1 George Capehart (Aug 05)
- Re: Remote hole in OpenBSD 4.1 Joey Mengele (Aug 07)
- Re: Remote hole in OpenBSD 4.1 monikerd (Aug 05)