Dailydave mailing list archives
Re: Security people are leaches. [sic]
From: Peter Busser <peter () adamantix org>
Date: Sat, 1 Aug 2009 13:46:07 +0200
Hi!
Lets say there's a new bug introduced in the kernel. One that presents with the symptom of disclosing a user's password when the kernel is given some invalid argument to printk while processing the shadow file. However, when processing the etc/hosts file, it just discloses the contents of that file. Is that a security bug? You could argue yes; you could argue no. At the end of the day, someone has to do the work to figure out that it either does or doesn't have security implications.
Is the Linux kernel designed to disclose the contents of a file like /etc/hosts? If not, then it is a security bug. A secure system is one which is implemented to EXACTLY fit its specification, nothing more, nothing less. Therefore it doesn't matter whether it discloses one file or some other file or what the contents of these files are. What matters is that it provides more functionality than what the specification of the Linux kernel prescribes. That means that Linus' arguments are simply irrelevant. The biggest security issue in this case is that people take Linus' words seriously and try to bend the discussion in such a way as to fit his words. Or, in other words, these people seem to think that Linus is always right. They seem to forget that Linus is a human being and therefore makes mistakes. People seem to forget that Linus' primary interest is to motivate people to write code for the Linux kernel. And Linus, despite being a competent kernel hacker, doesn't understand security in general. People usually aren't motivated to put time in things which they aren't good at. Groetjes, Peter. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Security people are leaches. [sic] pageexec (Jul 27)
- Re: Security people are leaches. [sic] yersinia (Jul 28)
- Re: Security people are leaches. [sic] Peter Busser (Aug 05)
- Re: Security people are leaches. [sic] Aaron (Jul 28)
- Re: Security people are leaches. [sic] Peter Busser (Aug 05)
- Re: Security people are leaches. [sic] Adrien Kunysz (Aug 06)
- Re: Security people are leaches. [sic] pageexec (Aug 07)
- Re: Security people are leaches. [sic] Aaron (Aug 07)
- Re: Security people are leaches. [sic] RB (Aug 16)
- Re: Security people are leaches. [sic] dave (Aug 08)
- Re: Security people are leaches. [sic] Shane Macaulay (Aug 08)
- Re: Security people are leaches. [sic] Peter Busser (Aug 05)
- Re: Security people are leaches. [sic] yersinia (Jul 28)
- <Possible follow-ups>
- Re: Security people are leaches. [sic] Eugene Teo (Aug 10)