[gentoo-security] Out of air (was: Let's blow the whistle)

[gentoo-security] Out of air (was: Let's blow the whistle)

[Peter Simons]

A day ago I wrote:

 > At 2004-11-11 00:00:00 CET this article hits a rather
 > popular public full-disclosure mailing list.

The problem with making predictions about by when you'll
have finished something is that you are always wrong. This
is no exception. So please don't be surprised if it won't be
_exactly_ midnight. :-)

I figured I'd better say it now to avoid receiving lots of
e-mails from people telling me that I wouldn't know what
time zone CET is.

Anyway, since there is apparently no more need to discuss
this problem with the "community" -- or at least not on this
mailing list --, I'd like to take the liberty of adding a
few short closing remarks concerning this whole issue.

By now I have stopped counting the number of people who have
called me a public stink, a troublemaker, and whatnot else.
To those who have, I'd like to suggest that you check out a
medieval concept called "hang the messenger". You are
misunderstanding something. Not the people who draw
attention to a vulnerability are causing trouble, the
_vulnerability_ is causing trouble. So instead of attacking
those who are concerned about the lack of authentication in
Gentoo's distribution process, you should, well, fix the
lack of authentication in Gentoo's distribution process. I
wouldn't have thought it was possible, but apparently some
people really need that spelled out for them.

Furthermore, several people have complained that I would be
too confrontational and that I should phrase my messages
more politely if I wanted something to happen about this.
Here is a nice analogy that IMHO puts that into perspective:
You are a car manufacturer and you receive a phone call from
someone who informs you that the breaks in your latest model
have a design flaw that may result in them failing, thus
potentially killing all passengers. And the person who
reports this is really, really rude. Does that mean you
shouldn't fix you breaks?

Oh, and if you think about blowing up on me now because I
implied that the Gentoo developers didn't care about
security: You should really work on your reading
comprehension.

The reason why I am being confrontational is that if I
hadn't been, NOTHING WOULD HAVE HAPPENED!

Oh, and if you think about blowing up on me know because
that would not be true ... then you might want to check the
date of the first time this problem was reported.

Last but not least I cannot help but notice a curious
asymmetry in the way security issues are handled by Gentoo.
It appears that the Gentoo developers are a lot more
forthcoming when it comes to pointing out and fixing
security vulnerabilities in upstream packages (a.k.a.
_other_ people's code) than they are when it comes to
admitting to and fixing problems in their own code.

Oh -- you knew this were coming, right? --, if you think
about blowing up on me know because I just implied that some
people on this mailing list have a MASSIVE ego problem ...
then go ahead. I did.

Having properly antagonized everyone, there remains nothing
left to say. So I'll let some other people speak the last
words. Really, this whole thread has been a diamond mine for
quotes to be readily used on all kinds of occasions. Here
are my personal favorites:

  | I explicitly said that signing should be implemented! I
  | only disagree with the statement that it is a strong
  | security measure or that it's lack is a great danger to
  | Gentoo users.

                    -- Marc Ballarin <Ballarin.Marc@gmx.de>
  http://article.gmane.org/gmane.linux.gentoo.security/1727


  | I wouldn't waste [my time] hypothesizing about a man in
  | the middle attack. While MOTM attacks are theoretically
  | possible on many many protocols, they are *not* a
  | serious threat [...].

                 -- Brian G. Peterson <brian@braverock.com>
  http://article.gmane.org/gmane.linux.gentoo.security/1771

Peter


--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Out of air (was: Let's blow the whistle)

[Jason Stubbs]

On Wednesday 10 November 2004 10:21, Peter Simons wrote:
> The reason why I am being confrontational is that if I
> hadn't been, NOTHING WOULD HAVE HAPPENED!

To be honest, I think the whole thread has achieved nothing. It has definately 
not prompted the beginning of a new initiative in signing the tree because 
that was already underway. I very much doubt that it'll speed up the progress 
made on that initiative, because the main limiting factor is time. No matter 
what is said here, it's not going to make anybody go out and quit their jobs 
in order to get tree signing implemented quicker.

Regards,
Jason Stubbs

--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Out of air

[RNuno]

Peter Simons wrote:
> Furthermore, several people have complained that I would be
> too confrontational and that I should phrase my messages
> more politely if I wanted something to happen about this.
> Here is a nice analogy that IMHO puts that into perspective:
> You are a car manufacturer and you receive a phone call from
> someone who informs you that the breaks in your latest model
> have a design flaw that may result in them failing, thus
> potentially killing all passengers. And the person who
> reports this is really, really rude. Does that mean you
> shouldn't fix you breaks?

Still.. being polite would be at least fair.
Of course you realize that you didn't pay for Gentoo so I think
you should phrase you messages, respect the commitment and work
of the dev's. Even so you have a point on your messages.

Is not what you said is the way you say it

-- RNuno

--
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: Out of air (was: Let's blow the whistle)

[Peter Simons]

Jason Stubbs writes:

 > To be honest, I think the whole thread has achieved
 > nothing.

I beg to differ. It has achieved that everyone who's
interested can now see quite clearly how the priorities of
Gentoo Linux are. I am not really judging your priorities.
It's free software. You can do whatever you want.

But I, at least, find it useful to know that spending a
couple of hours implementing an insanely simple procedure
that would prevent the insignificant number of, say, 10
people having their machines compromised -- machines with
all their personal data, e-mails, love letters, income tax
declarations, health records, etc. -- is not a priority.

Peter


--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Out of air (was: Let's blow the whistle)

[Dan Noe]

[-- Attachment #1: Type: text/plain, Size: 1183 bytes --]

On Wed, Nov 10, 2004 at 03:26:19AM +0100, Peter Simons wrote:
> Jason Stubbs writes:
> 
>  > To be honest, I think the whole thread has achieved
>  > nothing.
> 
> I beg to differ. It has achieved that everyone who's
> interested can now see quite clearly how the priorities of
> Gentoo Linux are. I am not really judging your priorities.
> It's free software. You can do whatever you want.

To echo the concerns of others, you have the right idea but
the wrong attitude.  Gentoo is a free software project,
composed of hobbyists.  Unlike Red Hat or SuSE, Gentoo remains
a hobbyist distro.  Nobody can put aside their job or life
to work fulltime on fixing these bugs, but your contributions
are important, provided they are ultimately useful.

I too think this thread has achieved nothing other than to
annoy users and developers.  A solution was already in the works,
but brash attitudes and reaction to them stalemated any further
discussion.

The discussion was not in the spirit of "Open Source."

-- 
                    /--------------- - -  -  -   -   -
                   |  Dan Noe, freelance hacker
                   |  http://isomerica.net/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-security] Re: Out of air (was: Let's blow the whistle)

[Peter Simons]

Dan,

you forgot to reply to this paragraph of my message:

 > But I, at least, find it useful to know that spending a
 > couple of hours implementing an insanely simple procedure
 > that would prevent the insignificant number of, say, 10
 > people having their machines compromised -- machines with
 > all their personal data, e-mails, love letters, income tax
 > declarations, health records, etc. -- is not a priority.

Peter


--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Out of air (was: Let's blow the whistle)

[Dan Noe]

[-- Attachment #1: Type: text/plain, Size: 1089 bytes --]

On Wed, Nov 10, 2004 at 03:49:54AM +0100, Peter Simons wrote:
> Dan,
> 
> you forgot to reply to this paragraph of my message:
> 
>  > But I, at least, find it useful to know that spending a
>  > couple of hours implementing an insanely simple procedure
>  > that would prevent the insignificant number of, say, 10
>  > people having their machines compromised -- machines with
>  > all their personal data, e-mails, love letters, income tax
>  > declarations, health records, etc. -- is not a priority.

I will reply, and I am sorry I forgot to reply before!

While I do not run business systems on it currently, I fully
trust my personal data with Gentoo.  Furthermore, I am more
inclined to trust Gentoo dev's time and complexity estimates
than your own.  I do hope this issue is resolved in a timely
manner, I don't feel your thread has contributed positively
towards an eventual resolution.

That is all.

-- 
                    /--------------- - -  -  -   -   -
                   |  Dan Noe, freelance hacker
                   |  http://isomerica.net/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-security] Re: Out of air

[Peter Simons]

RNuno  writes:

 > Still.. being polite would be at least fair.

Fixing a vulnerability that threatens your user's machines
without me having to bitch and moan for _days_ would be
fair, too, and you don't do it either. So I think we are
even.

Peter


--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Out of air

[Anthony Gorecki]

[-- Attachment #1: Type: text/plain, Size: 633 bytes --]

On Tuesday 09 November 2004 7:07 pm, Peter Simons wrote:
> Fixing a vulnerability that threatens your user's machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

This thread is degenerating into a heated debate to the likes of which I would 
expect from elementary school children. We know what needs to be done, and it 
will be done as soon as the developers are able; I agree with one of the 
previous comments: feel free to implement the code instead of complaining.

Leave it at that.


-- 
Anthony Gorecki
Ectro-Linux Foundation

[-- Attachment #2: Type: application/pgp-signature, Size: 828 bytes --]

[gentoo-security] Re: Out of air (was: Let's blow the whistle)

[Peter Simons]

Dan Noe writes:

 > Furthermore, I am more inclined to trust Gentoo dev's
 > time and complexity estimates than your own.

Within 1.5 years it would have been possible.
Trust me on that.

Peter


--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Out of air

[Marius Mauch]

[-- Attachment #1: Type: text/plain, Size: 608 bytes --]

On 10 Nov 2004 04:07:37 +0100
Peter Simons <simons@cryp.to> wrote:

> RNuno  writes:
> 
>  > Still.. being polite would be at least fair.
> 
> Fixing a vulnerability that threatens your user's machines
> without me having to bitch and moan for _days_ would be
> fair, too, and you don't do it either. So I think we are
> even.

Did you purchase a support contract? Oh wait, we don't sell those
...</sarcasm>

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-security] Re: Out of air

[Den]

>  > developers of open source software OWES nothing to the
>  > users.
> 
> May I quote that?

feel free but anyway by now your audience is dropping by the minute.

>  > but for now: BE GONE ALREADY.
> 
> Forget it.

then don't be surprised if you end up speaking to yourself. piece of
mind is but one click away... quite easy to achieve with good filters.

so long

*click*


--
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: Out of air

[Peter Simons]

Den,

when you send carbon copies of a private e-mail exchange to
the mailing list out of the sudden, then please make sure
you don't forget to provide the proper context in your
quotes so that the readers know what it is about. Let me
help you with that:

 > Den writes:
 >
 >  > Peter Simons wrote:
 >
 >  >> Fixing a vulnerability that threatens your user's
 >  >> machines without me having to bitch and moan for _days_
 >  >> would be fair, too, and you don't do it either.
 >
 >  > developers of open source software OWES nothing to the
 >  > users.
 >
 > May I quote that?

Because otherwise it would look as if I had said something I
did not.

No need to apologize. Accidents happen.

Peter


--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Out of air (was: Let's blow the whistle)

[Lucian Pintilie]

Peter Simons wrote:

>Dan Noe writes:
>
> > Furthermore, I am more inclined to trust Gentoo dev's
> > time and complexity estimates than your own.
>
>Within 1.5 years it would have been possible.
>Trust me on that.
>
>Peter
>
>  
>
Peter,

You keep talking about 1.5 years and a simple measure you know for 
correcting the problem. That doesn't put you in a good position either: 
*you* also had that time to do it, and still didn't do it. Then why are 
you shouting to the "Gentoo team"? And don't tell me they prevented you 
from solving the problem. As someone already said: you are part of the 
comunity and you have the power to contribute. If you repeatedly tried 
to submit code and nobody cared, then the reasonable way to end the 
situation is to choose another distro that best addresses your goals. 
Should that need to be accompanied by a post to a Gentoo mailing list, 
the tone should be different. And polite, too.


Lucian Pintilie

--
gentoo-security@gentoo.org mailing list

[gentoo-security] All done and settled

[Peter Simons]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lucian Pintilie writes:

 > You keep talking about 1.5 years and a simple measure you
 > know for correcting the problem. That doesn't put you in
 > a good position either [...]

Yes, you are right. And it's even worse: Not only did I
completely fail to realize this is a problem, I even got
paid as a _security consultant_ to help setting up secure
servers. And I recommended Gentoo. And took money for it.
And for all we know, these servers belong to the NSA by now.

Which means that I have totally fucked up the job my clients
trusted me to do and when the details of this problem reach
the consciousness of the "general public", there will be
questions asked and I will look like an idiot to my clients,
not like a hero who "blew the whistle". Because they
couldn't care less about technical details, they only care
about security.

Note, however, that I spoke up and raised all hell the
_minute_ I learned about this problem. Perhaps those people
who are questioning my motivations and my integrity as a
human being should consider that before judging what I am
trying to do here.

And while I am at it, I'd also like to point out that those
people who have said that this latest revival of the thread
was a pointless waste of time that only served to annoy
people and didn't help matters at all ... were right, too.

Because several _hours_ before I started the latest little
flame fest here on the list, Kurt had already sent me an
e-mail and explained what he thought would be best to do and
ask whether I would help. For some weird chance, though, my
spam filter decided that this would be a good time to
produce the first false-positive in MONTHS and sorted the
e-mail into the spam folder, not into my regular mailbox. So
I didn't see it and all the while Kurt was waiting for me to
reply to him, I was posting and posting on this list
shouting and screaming why nothing was being done.

Rather cool, isn't it?

And now check this out: No matter how much I feel this was
not my fault, no matter how much I believe it was an honest
mistake that I couldn't have prevented, it won't change the
fact that I fucked up again and uselessly wasted bandwidth,
people's time, and did not help matters at all because the
answer to all questions was readily waiting in my mailbox
already.

I admit it, I regret it, and I apologize.

Peter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iQEVAwUBQZItBUG8KP6ZCJ1yAQL6gwf/Wa4twpkg6rVi4re3Ei+FB8grpPi616Wx
zmgQCizI7YLeNVgKBJhvkOjdw4FcOVgt3qcrxK5gquUr6DKBQKUhNv9AM0iz2JPR
9fJbKglXy/bwf82uilkNyQ70vuGrIN1ixGYH4x0BqeTBjJvN797RRju4YGcz+2gp
0vmyCi9NfdZv/GOUO7viaWJGb6XNcRhZaD5gI4+Tx6wcxNIYds/zG1KTFsQJR1Y4
Xij61+RnatFZ2qpapqq6nnbLD9xmVSm1ubpV98307UM+5oY40zmxRGGqCf1bBZVr
BnRYo9wLOHzutHJ15j2y6Wf5J32x/oKV81zq6TIeRTG8WHm/TMCTww==
=izHL
-----END PGP SIGNATURE-----


--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] All done and settled

[Carsten Lohrke]

[-- Attachment #1: Type: text/plain, Size: 889 bytes --]

On Wednesday 10 November 2004 16:02, Peter Simons wrote:
> Which means that I have totally fucked up the job my clients
> trusted me to do and when the details of this problem reach
> the consciousness of the "general public", there will be
> questions asked and I will look like an idiot to my clients,
> not like a hero who "blew the whistle". Because they
> couldn't care less about technical details, they only care
> about security.

That's the difference between relying on a opensource distro and a commercial 
counterpart. In the latter case you've someone, who can be held liable, since 
you (or your customer) paid for it. Unless you provide a fix, your customer 
is absolutely right to blame you, but you're wrong, if you think you can 
shift it upon someone else. Clamouring doesn't help, do a better job next 
time. It is your economical risk.


Carsten



[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-security] Re: Out of air (was: Let's blow the whistle)

[Nathan Pinkerton]

On Wed, 10 Nov 2004 11:24:19 +0200, Lucian Pintilie
<lpintilie@montran.ro> wrote:
> Peter,
> 
> You keep talking about 1.5 years and a simple measure you know for
> correcting the problem. That doesn't put you in a good position either:
> *you* also had that time to do it, and still didn't do it. Then why are
> you shouting to the "Gentoo team"? And don't tell me they prevented you
> from solving the problem. As someone already said: you are part of the
> comunity and you have the power to contribute. If you repeatedly tried
> to submit code and nobody cared, then the reasonable way to end the
> situation is to choose another distro that best addresses your goals.
> Should that need to be accompanied by a post to a Gentoo mailing list,
> the tone should be different. And polite, too.
> 
> 
> Lucian Pintilie

amen brotha. preach on.

--
gentoo-security@gentoo.org mailing list