1 |
On Thursday 18 January 2007 05:50, Duncan wrote: |
2 |
> "Hemmann, Volker Armin" <volker.armin.hemmann@××××××××××××.de> posted |
3 |
> 200701172222.16480.volker.armin.hemmann@××××××××××××.de, excerpted below, |
4 |
> |
5 |
> on Wed, 17 Jan 2007 22:22:16 +0100: |
6 |
> > NVIDIA was made aware of a problem with our 1.0-8774 driver that caused |
7 |
> > an X Server crash on July 2006 through a posting on nvnews.net. The |
8 |
> > problem was not identified as a security risk. |
9 |
> |
10 |
> This is the core of the problem, right here. |
11 |
> |
12 |
> Putting it in non-technical terms, if the program is caused to crash, by |
13 |
> definition, it performed an action the programmer hadn't anticipated, or |
14 |
> it would have been tested for and dealt with. Since a non-trivial number |
15 |
> of these crashes are known to have security implications, and we've just |
16 |
> demonstrated that the programmer hadn't anticipated the issue and thus |
17 |
> couldn't protect against it, any such crash must be treated as a potential |
18 |
> security issue until proven otherwise. Since it's generally easier, for |
19 |
> someone who has the code anyway, to just find and fix the bug than to |
20 |
> demonstrate whether it's a security issue or not, that's what usually |
21 |
> happens, and it's never known whether it was a security issue. |
22 |
> |
23 |
|
24 |
douzends of programms crash every second, without any security implications. |
25 |
SOME are problems, but most are just a crash. |
26 |
|
27 |
> Any crash of a native machine coded binary must be assumed to have |
28 |
> security implications unless it is demonstrable that's not the case, and |
29 |
> prioritized accordingly. Since this one WAS a security issue, that could |
30 |
> not be demonstrated, and NVidia erred in treating it as a |
31 |
> non-security-issue bug. Had they acted correctly, they would have treated |
32 |
> it as a potential security issue, giving it according priority while |
33 |
> fixing it, and released the bug-fix as a potential security fix, even if |
34 |
> the issue had never been confirmed as a security vuln. |
35 |
|
36 |
yeah, and nvidia has also thousands of programmers and developers just for |
37 |
linux drivers, right? And every single of them should be a genius who sees |
38 |
the security problems of all bugs. |
39 |
|
40 |
> This demonstrates quite well one of the issues with binary-only code, too. |
41 |
> First, virtually all non-trivial code, proprietary source or FLOSS, very |
42 |
> reasonably comes with a disclaimer absolving the author of responsibility |
43 |
> if the code does something unintended. It would be insane to do |
44 |
> otherwise, given the difficulty of anticipating all possible situations |
45 |
> under which the code might be used. That's not a problem and as I said is |
46 |
> pretty much universal in the software industry, open source or not. |
47 |
> |
48 |
> However, while open code (viewable without NDA or the like) gives the user |
49 |
> the ability to verify for themselves the degree of risk, or have someone |
50 |
> they trust do it if they don't have the skills themselves to do it, |
51 |
> "black-box" proprietary code not only disclaims any responsibility for |
52 |
> problems, but provides no way for the user to do his own evaluation (or |
53 |
> arrange for a party he trusts to do so). The user is asked to agree to |
54 |
> absolve the author of responsibility, while no method is provided for same |
55 |
> user to intelligently ascertain for themselves what's in that black box |
56 |
> they are being asked to take responsibility for themselves! IMO, that's |
57 |
> INSANE, and one reason I can never agree to the EULA most proprietary |
58 |
> software requires one agree to. |
59 |
|
60 |
|
61 |
blablabla. |
62 |
|
63 |
Lots of words and political agenda. |
64 |
|
65 |
Fact is, that ALL non trivial software has bugs. Every single kind. |
66 |
|
67 |
So, does firefox had sec vulnerabilites in the past? Oh yes. Xpdf? Xorg? |
68 |
Yes. |
69 |
The kernel? |
70 |
Oh yes, almost monthly such vulnerabilietes are reported. |
71 |
|
72 |
How many people read the code? |
73 |
almost noone. |
74 |
All that 'the user can read the code and look and fix for himself' is nice, |
75 |
but wishfull thinking. Most people can't read code. And most of the people |
76 |
you can, don't do it or don't find the bugs themselves. |
77 |
|
78 |
You see lots of Open Source projects, where the security firms need to show |
79 |
them their bugs. Why? The devs should find them? Right? Or all the people |
80 |
reading the code before downloading and using it? |
81 |
|
82 |
|
83 |
> |
84 |
> As it happens, I don't personally have the skills to verify the quality and |
85 |
> security of the code. |
86 |
|
87 |
yeah, that is a surprise. Not. |
88 |
|
89 |
> However, that "someone I trust" is the FLOSS |
90 |
> community, including the authors willing to put their source code out |
91 |
> there for examination in the first place. |
92 |
|
93 |
and still there are lots of bugs in open source software. Lots of bugs leading |
94 |
to lots of security problems. Hm. |
95 |
|
96 |
So much text from you, but where is the 'I was wrong, sorry'? |
97 |
|
98 |
Even if nvidia should have recognized the bug as a serious problem the moment |
99 |
it was reported, they delivered the bugfix in 3 month, 3 days after they got |
100 |
informed that it was security problem. And they did not 'cover it up'. |
101 |
|
102 |
So stop spreading FUD, stop slander companies, and please, please stop using |
103 |
the term 'slaveryware'. Oh, and a little bit less of preaching, ok? |
104 |
-- |
105 |
gentoo-amd64@g.o mailing list |