[nycbug-talk] security advisory
Isaac Levy
ike
Thu Jan 19 10:21:34 EST 2006
Thanks for posting this MW,
First thought towards author:
Lighten up Francis.
On Jan 19, 2006, at 8:40 AM, michael wrote:
> Does anyone here take exception to what Jason Miller has written?
> --
>
> Michael
>
> ------------------------------------------------
> How not to respond to a security advisory
> Jason Miller, 2006-01-18
>
> A recently announced weakness in the BSD securelevel system isn't going
> to be fixed in OpenBSD. While securelevel may have problems, the
> vendor's security response is unacceptable and doesn't fit with their
> stated goals.
<snip>
>
> No fix will be released for OpenBSD. To quote Theo de Raadt:
>
> "Sorry, we are going to change nothing. Securelevels are useless."
>
> http://www.securityfocus.com/columnists/380
Second thought, to the list:
What kind of expectations do OpenBSD consumers really have with
regard to this kind of thing, (outside of the tech for this
particular case)?
Third thought, worth approx. 02?:
If the bona-fide security and business world doesn't like the UNIX-rocker
attitudes backing OpenBSD, why do they use it so darned much?
Perhaps the SecurityFocus author should stick to RedHat, their PR
people keep these words behind closed doors... I mean, really, at
least the world knows where Theo and OpenBSD Openly stand- and aren't
going to wait around hemming-and-hawing, while the 'vendor' never
gets around to releasing a patch...
VERBOSE OUTPUT (I beg y'all to skip reading my blabbing here):
--
historical tech context:
Theo was involved with this exact class of problem before, the 4.4BSD mmap()
vulnerability, circa 1998.
http://www.insecure.org/sploits/bsd.mmap.chardevice.html
ike-commentary:
After reading the article, which is quite critical of Theo's
statement, I technically back Theo from a design and implementation
perspective, although I feel that in his position, his style of
issuing hammer-blunt categorical imperatives can easily be taken
poorly by the press; and this is a repeated problem (perhaps).
I think many of us agree Theo should perhaps discuss a bit more about
*why* he thinks this way, but let's look at the reality of the
situation, since we're all maybe closer to this than the SecurityFocus
author:
- Theo has a lot of stuff to get done in a day
- Theo doesn't have time to debate details ad nauseam, and seems
he'd rather just issue blank statements that turn people off (and get
them out of his hair, and the community)
- Theo isn't such a bad guy, he's just intolerant with people being
unrealistic over security and tech
For the record, as much as I've used and enjoyed many BSD UNIX
systems, I heavily use FreeBSD in production- and use a *wee* bit of
OpenBSD for specific tasks. (i.e. I don't really have any ties to
OpenBSD, yet I'll back Theo on this- technically, I like the spirit
of his tone.)
--
Also, this statement is indicative of something I haven't heard
anyone clearly state about OpenBSD: they seem to be working on
securing systems by reducing their edge-case awareness of end
applications.
Problem is, this is bad from a marketing perspective. (i.e. it's a
few freaks like me who get excited about systems that are feature-light).
(Some folks were with me in Canada last year while I debated the
merit of jail(8) with Henning Brauer and MSF, and I can quote Henning
as saying "What's the use of jail, if you run crap software, it
doesn't matter if it's in a jail or not, it's still crap (insecure)
software."
While I agree with him whole-heartedly, (and with a snort,
disregarding the interpretation that FreeBSD has crap userland
software), it tells me that nobody actively developing for OpenBSD
considers jailing mutually untrusted users as anything but an edge-case,
which I can't argue with at all.)
ike-summary: Technologically, I'll back Theo here, securelevels are a
band-aid, always have been- but I'll state that there are edge-cases
(and perhaps ancient software) which rely on them in many contexts.
Regardless, I believe the author of the SecurityFocus article simply
missed the reasons behind Theo's tone.
--
As a related tangent, has anyone compared pictures of Joe Strummer
and Theo de Raadt? See where I see?
http://www.double-whammy.com/photos/Joe_Strummer.jpg
http://www.theepochtimes.com/news_images/2005-7-6-deraadt2.jpg
Rocket-
.ike