| 1 |
On Thursday 18 January 2007 05:50, Duncan wrote: |
| 2 |
> "Hemmann, Volker Armin" <volker.armin.hemmann@××××××××××××.de> posted |
| 3 |
> 200701172222.16480.volker.armin.hemmann@××××××××××××.de, excerpted below, |
| 4 |
> |
| 5 |
> on Wed, 17 Jan 2007 22:22:16 +0100: |
| 6 |
> > NVIDIA was made aware of a problem with our 1.0-8774 driver that caused |
| 7 |
> > an X Server crash on July 2006 through a posting on nvnews.net. The |
| 8 |
> > problem was not identified as a security risk. |
| 9 |
> |
| 10 |
> This is the core of the problem, right here. |
| 11 |
> |
| 12 |
> Putting it in non-technical terms, if the program is caused to crash, by |
| 13 |
> definition, it performed an action the programmer hadn't anticipated, or |
| 14 |
> it would have been tested for and dealt with. Since a non-trivial number |
| 15 |
> of these crashes are known to have security implications, and we've just |
| 16 |
> demonstrated that the programmer hadn't anticipated the issue and thus |
| 17 |
> couldn't protect against it, any such crash must be treated as a potential |
| 18 |
> security issue until proven otherwise. Since it's generally easier, for |
| 19 |
> someone who has the code anyway, to just find and fix the bug than to |
| 20 |
> demonstrate whether it's a security issue or not, that's what usually |
| 21 |
> happens, and it's never known whether it was a security issue. |
| 22 |
> |
| 23 |
|
| 24 |
douzends of programms crash every second, without any security implications. |
| 25 |
SOME are problems, but most are just a crash. |
| 26 |
|
| 27 |
> Any crash of a native machine coded binary must be assumed to have |
| 28 |
> security implications unless it is demonstrable that's not the case, and |
| 29 |
> prioritized accordingly. Since this one WAS a security issue, that could |
| 30 |
> not be demonstrated, and NVidia erred in treating it as a |
| 31 |
> non-security-issue bug. Had they acted correctly, they would have treated |
| 32 |
> it as a potential security issue, giving it according priority while |
| 33 |
> fixing it, and released the bug-fix as a potential security fix, even if |
| 34 |
> the issue had never been confirmed as a security vuln. |
| 35 |
|
| 36 |
yeah, and nvidia has also thousands of programmers and developers just for |
| 37 |
linux drivers, right? And every single of them should be a genius who sees |
| 38 |
the security problems of all bugs. |
| 39 |
|
| 40 |
> This demonstrates quite well one of the issues with binary-only code, too. |
| 41 |
> First, virtually all non-trivial code, proprietary source or FLOSS, very |
| 42 |
> reasonably comes with a disclaimer absolving the author of responsibility |
| 43 |
> if the code does something unintended. It would be insane to do |
| 44 |
> otherwise, given the difficulty of anticipating all possible situations |
| 45 |
> under which the code might be used. That's not a problem and as I said is |
| 46 |
> pretty much universal in the software industry, open source or not. |
| 47 |
> |
| 48 |
> However, while open code (viewable without NDA or the like) gives the user |
| 49 |
> the ability to verify for themselves the degree of risk, or have someone |
| 50 |
> they trust do it if they don't have the skills themselves to do it, |
| 51 |
> "black-box" proprietary code not only disclaims any responsibility for |
| 52 |
> problems, but provides no way for the user to do his own evaluation (or |
| 53 |
> arrange for a party he trusts to do so). The user is asked to agree to |
| 54 |
> absolve the author of responsibility, while no method is provided for same |
| 55 |
> user to intelligently ascertain for themselves what's in that black box |
| 56 |
> they are being asked to take responsibility for themselves! IMO, that's |
| 57 |
> INSANE, and one reason I can never agree to the EULA most proprietary |
| 58 |
> software requires one agree to. |
| 59 |
|
| 60 |
|
| 61 |
blablabla. |
| 62 |
|
| 63 |
Lots of words and political agenda. |
| 64 |
|
| 65 |
Fact is, that ALL non trivial software has bugs. Every single kind. |
| 66 |
|
| 67 |
So, does firefox had sec vulnerabilites in the past? Oh yes. Xpdf? Xorg? |
| 68 |
Yes. |
| 69 |
The kernel? |
| 70 |
Oh yes, almost monthly such vulnerabilietes are reported. |
| 71 |
|
| 72 |
How many people read the code? |
| 73 |
almost noone. |
| 74 |
All that 'the user can read the code and look and fix for himself' is nice, |
| 75 |
but wishfull thinking. Most people can't read code. And most of the people |
| 76 |
you can, don't do it or don't find the bugs themselves. |
| 77 |
|
| 78 |
You see lots of Open Source projects, where the security firms need to show |
| 79 |
them their bugs. Why? The devs should find them? Right? Or all the people |
| 80 |
reading the code before downloading and using it? |
| 81 |
|
| 82 |
|
| 83 |
> |
| 84 |
> As it happens, I don't personally have the skills to verify the quality and |
| 85 |
> security of the code. |
| 86 |
|
| 87 |
yeah, that is a surprise. Not. |
| 88 |
|
| 89 |
> However, that "someone I trust" is the FLOSS |
| 90 |
> community, including the authors willing to put their source code out |
| 91 |
> there for examination in the first place. |
| 92 |
|
| 93 |
and still there are lots of bugs in open source software. Lots of bugs leading |
| 94 |
to lots of security problems. Hm. |
| 95 |
|
| 96 |
So much text from you, but where is the 'I was wrong, sorry'? |
| 97 |
|
| 98 |
Even if nvidia should have recognized the bug as a serious problem the moment |
| 99 |
it was reported, they delivered the bugfix in 3 month, 3 days after they got |
| 100 |
informed that it was security problem. And they did not 'cover it up'. |
| 101 |
|
| 102 |
So stop spreading FUD, stop slander companies, and please, please stop using |
| 103 |
the term 'slaveryware'. Oh, and a little bit less of preaching, ok? |
| 104 |
-- |
| 105 |
gentoo-amd64@g.o mailing list |
Archives