Date:      Wed, 04 Sep 1996 15:00:38 -0600
From:      Theo de Raadt <deraadt@theos.com>
To:        nate@mt.sri.com
Cc:        terry@lambert.org, dg@root.com, darrend@novell.com, chat@freebsd.org
Subject:   Re: FreeBSD vs. Linux 96 (my impressions) - Reply
Message-ID:  <9609042100.AA12246@theos.com>

> > > An alternate approach to the problem of finding out what the security
> > > fixes are would be to ask their CVS log.  This is permitted, encouraged,
> > > and has the side effect of removing the moral coloring from the answer
> > > you receive.

This is doable.  The logs are 4MB now.  The security stuff is well
hidden between changes to everything else in the tree.  Just because a
message says "buf oflow" doesn't mean we determined it to be
exploitable.  Some of the patches are going to be difficult to merge.
Diffing files is not going to help you much because a lot of those
files were changed in NetBSD, some pieces from 386bsd, net2, 4.4lite,
4.4lite2....  Of course, the NetBSD logs are not available.

This is going to be very painful.  I suggest you just wholesale steal
the whole OpenBSD userland.  Hahaha.  I'll laugh at myself because I
know you won't laugh at my little joke.

I don't know what solution I have for you.  Sounds like the same
problem I have regarding VM fixes from Dyson.  The volume of code
involved is just too heavy.

> > Theo: 
> > I fixed a security bug in OpenBSD that exists in every other OS known to
> > man, but I'm not telling you where in the system it is.  But, it's a
> > baaaad bug, and you should be very scared of it.

Yup.  You should be afraid.  Don't give me an account on your cvs
repository machine.

> > Response:
> > 
> > # cvs co src
> > # find . -type f -print | xargs cvs log 
>
> > Look through *every* single file in the system looking for 'security'
> > fix, which may/may not be logged as such to deter any casual observer
> > from seeing the bug, thus 'disclosing' the bug and making other systems
> > vulnerable because of OpenBSD's 'partial disclosure' policy.

Now I've seen enough of this kind of talk.  I've explained numerous
times before why OpenBSD does not make this information available.
Let's compare situations with the person who typed this, i.e., Nate:

1) I have a SunOS machine.  It's patched all over the place.
   But I know there are holes in it.
   I am not going to tell you what those holes are.

2) Nate, you are essentially behind a firewall:

	[cvs net 124 ]# telnet !$
	telnet sneezy.sri.com
	Trying 128.18.40.6...
	Connected to sneezy.sri.com.
	Escape character is '^]'.
	Connection closed by foreign host.
	[cvs net 125 ]# rpcinfo -p !$
	rpcinfo -p sneezy.sri.com
	^C						(timed out)
	[cvs net 126 ]# showmount -e !$
	showmount -e sneezy.sri.com
	^C						(timed out)

Now why would I want to go releasing bugs that are in my system?
Perhaps I should go releasing bugs that are in YOUR system.

Ok, I know a bug in your system.  Judging by the version, your
sendmail has at least one exploitable remote root hole.  Shall I
continue?  Who knows, Nate, perhaps I am not making this up.  (Be a
shame if you goaded me too far... and I asked someone else to
demonstrate...)

We gain nothing from telling the world what these holes are.  Not that
you guys ever really asked nicely, or made it easy for me to help.
Hmm.. not saying I would, either.  I'm very busy.  We are preparing for
a release.

> From his perspective, translating the information from the useful form
> it is in into a textual description that can be exported to NetBSD/FreeBSD
> is "a lot more (completely un-necessary) work".

Damn rights.  "John, can you write us up a set of detailed
instructions for how to drop your VM system into our kernel?"
I think John has better things to do; so do I.

Early along our quest for greater security (which was spawned by an
attack on my machine by someone who modified a file only the NetBSD
people would have wanted modified) I did report a security problem to
the FreeBSD security maintainer, about a hole to look at, I did not
get a reply.

Meanwhile, while merging the FreeBSD userland changes into OpenBSD I
found 4 security fixes that I had not heard of before.  At least one
of those was done while OpenBSD was already making waves in the
security community.  We did not get mail about it.  FreeBSD can expect
the same.

Now onto Terry's comments:

> I have found that it requires convincing a core team member to get a
> change into the tree.

I hear this about all the source trees.  I believe less in this model
of development.  Sometimes I cannot judge the code coming in.  I hate
that, and the developers do too.  So we import things quite a bit
quicker now, when it's not been completely looked over.  The non-core
(BTW, know who first used the word `core'?) people love the process.
They feel involved.  They don't feel excluded by some private core
thang.

> The point is that it is wrong to fault Theo for not taking on the task
> of putting it in a form suitable to pass the NetBSD and FreeBSD "not
> invented here" rejection filters.

Terry, you couldn't be closer to the truth.  Both FreeBSD and NetBSD
have gone over the top to annoy me, what with NetBSD core doing their
thing, and with Jordan sending private mail to one of my developers
saying he hopes I'm seeing psychiatric help.  Why
would I feel any remorse hearing about your problems with incorporating
my code now...

So a few reasons, in no particular order:

1) I don't believe in full disclosure.
2) I have been broken into.  I cannot fix that machine 100% (not yet).
3) I work on OpenBSD, not on FreeBSD.
4) Some problem reports have come from people who don't believe in
   disclosure of the problem, only in seeing a fix.
5) Instead of asking nicely, people have slagged me. Instead of looking
   at the tree changes, they have whined about my attitude.

BTW, I first got into security with a fellow who worked at sri.com; we
found & fixed a named/YP bug in SunOS, which came out in the next
release.  Now... armed with source... now we find out how bad it
really is.  It's worse!

BTW, Terry, nasty modstat bug :)


