Dailydave mailing list archives

Re: Security people are leaches. [sic]


From: Peter Busser <peter () adamantix org>
Date: Sat, 1 Aug 2009 13:46:07 +0200

Hi!

> Let's say there's a new bug introduced in the kernel. One that presents with
> the symptom of disclosing a user's password when the kernel is given some
> invalid argument to printk while processing the shadow file. However, when
> processing the etc/hosts file, it just discloses the contents of that file.
> Is that a security bug? You could argue yes; you could argue no. At the end
> of the day, someone has to do the work to figure out that it either does or
> doesn't have security implications.

Is the Linux kernel designed to disclose the contents of a file like
/etc/hosts? If not, then it is a security bug.

A secure system is one which is implemented to EXACTLY fit its specification,
nothing more, nothing less.

Therefore it doesn't matter whether it discloses one file or some other file
or what the contents of these files are. What matters is that it provides
more functionality than what the specification of the Linux kernel prescribes.

That means that Linus' arguments are simply irrelevant. The biggest security
issue in this case is that people take Linus' words seriously and try to bend
the discussion in such a way as to fit his words. Or, in other words, these
people seem to think that Linus is always right. They seem to forget that
Linus is a human being and therefore makes mistakes.

People seem to forget that Linus' primary interest is to motivate people to
write code for the Linux kernel. And Linus, despite being a competent kernel
hacker, doesn't understand security in general. People usually aren't
motivated to put time in things which they aren't good at.

Groetjes,
Peter.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
