Dailydave mailing list archives

Re: Security people are leaches. [sic]


From: yersinia <yersinia.spiros () gmail com>
Date: Tue, 28 Jul 2009 13:44:38 +0200

FWIW, also "insane"

http://kerneltrap.org/mailarchive/linux-kernel/2007/10/1/326479/thread#mid-326479

BTW, personally I agreed with the motivations set out by Linus in the two
threads. But it is necessary to look in depth at the discussion.

Regards


On Tue, Jul 28, 2009 at 1:09 AM, <pageexec () freemail hu> wrote:
really. or at least according to one Linus Torvalds, who also happens to be the
primary reason for not one, but two! of this year's pwnie nominations for lamest
vendor response and most epic FAIL. apparently the fundamental issue he cannot
understand is that if they don't know what bugs are security issues, maybe they
should find people who do. or maybe bother reading those static checker reports
that point them out. just a thought.

also one cannot help but smile at the irony of divineint (put in charge of security
at RH, no less ;) asking for more proper disclosure. how times change ;).

also i guess exploit writers would heartily disagree with the notion that there's
no difference between bugs and security bugs :P. anyway, without further ado, here's
the latest masterpiece:


On Sun, 19 Jul 2009, Eugene Teo wrote:

If the upstream development community can start doing their part by
differentiating normal bug fixes to the security ones, I think most of
us will benefit from it.

Ok, so this is a perfect example of the kind of IDIOTIC blathering that I
hate to hear from security people.

Quite frankly, people who state things like that ARE FUCKING MORONS.

I'm sorry, but it's true. Learn it. Think about it. Deeply, and long.

This whole security exploit is a prime example of exactly why anybody who
says something stupid like that is so stupid and so WRONG.

Look at the bug that caused it. Look at the fix. Think about it. When the
fix was committed, nobody thought it was a security bugfix.

Really.

If you cannot understand this FUNDAMENTAL issue, I don't know what can
make you do so. I absolutely despise most security people, because they
are idiots who do not understand development. They are idiots who do not
understand basic facts. They are idiots, who think the world is some kind
of black-and-white place where you can sort bugs into 'security' and 'not
security'.

So here's a few simple rules:

 - people who argue for full disclosure are wrong

 - people who argue for hiding things and vendor-sec are wrong

 - people who think that there are "bugs" and "security bugs" are
  fundamentally wrong, and misguided, and will always do the wrong thing.

The fact is, bugs are bugs. We don't know which of them are security
issues. We all make mistakes, and we _fix_ the mistakes, and some of the
fixes turn out to have way more subtle interactions than people even
realized!

So you can ask developers to "always think of all the possible issues",
and you will be left with developers who won't have time or motivation to
actually do any real work. And they'll _still_ miss some subtle issue, and
they'll _still_ write code that has bugs.

So how about people face REALITY instead of talking about idiotic
platitudes like people should be "differentiating normal bug fixes to the
security ones"? And it _is_ a platitude: it's something that sounds
"obviously correct", but it's at the same time clearly ignoring the fact
that reality is complicated.

So f*ck me, shut up about idiotic things like that already!

This whole bug really is a _prime_ example of how the bugfix was not at
all clearly a security fix at all, even though it obviously was a big
deal. And a security person who cannot understand that is not a security
person at all - he's just a f*cking poser.

This is why I detest security lists. Lots of posturing and platitudes. And
look at who actually did the real work: a regular developer, and a regular
maintainer, neither of whom were thinking in terms of security.

Security people are leaches. The real heroes are the people who do
development. The last thing security people should do is to ask the people
who do the REAL WORK to do more.

                       Linus

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
