Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 23 Jun 2017 21:54:57 -0400
From: Brad Spengler <spender@...ecurity.net>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: oss-security@...ts.openwall.com, pageexec@...email.hu
Subject: Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an
 ignored Secure Boot bypass / rootkit method

On Fri, Jun 23, 2017 at 06:04:00PM -0700, Linus Torvalds wrote:
> On Fri, Jun 23, 2017 at 5:50 PM, Brad Spengler <spender@...ecurity.net> wrote:
> >
> > BTW, we're happy to go toe-to-toe with you here in public on actual facts
> > instead of pathetic ad hominems.
> 
> Quite frankly, I'd much rather see *you* actually send in patches that
> are acceptable for inclusion, something you've never done.
> 
> As it is, other people have tried to clean up parts of the grsecurity
> patches, and tried to make them acceptable.
> 
> Wouldn't it be nice if you actually tried to make the baseline actually better?

Are you delusional?  Sorry, you don't get to weasel your way out of 
calling us clowns, that our code is garbage, with this weak reply where 
you can pretend you didn't just say those things and now would love for 
us to provide our "garbage" code directly.  Also you might be in 
confusion as to the extent to which KSPP is "cleaning up" parts of our 
code -- they're definitely introducing bugs and renaming variables.  
Other than that, they have a tendency to misrepresent the source of 
their ideas, so I can understand the cause of your confusion.  This, for 
instance: http://www.openwall.com/lists/kernel-hardening/2017/06/20/34 
was simply someone realizing we had updated the code they previously 
copy+pasted, and copy+pasted the newer version.  He is being funded to 
do this.  He even emailed me for help figuring out the code he was being
paid to copy+paste.

Wouldn't it be nice if you didn't demand free work of us in our free 
time? We publicly gave permission for any company involved in the KSPP 
to publish the private details of any supposed offers made to us, 
including any financial terms.  No such offers have ever materialized in 
public, I wonder why that is?

Until you acknowledge the KSPP is business competition dreamed up by 
Google, who made a conscious decision somewhere higher up in the company 
than Kees to compete with us instead of cooperating with us, there is no 
negotiation. You thought you'd get away with it by being able to 
continue using our own test patches against us, and now look at the mess 
you've all created.  How many dozens of incompetent people are you going 
to fund full time to avoid getting help from the people with real 
knowledge?  Linux's technical debt is only going to increase, and when 
the KSPP contributors veer into original idea territory (which they're 
soon going to have to do a lot more of), the results make Linux look as 
dumb as OpenBSD preventing NOP-sliding into ROP gadgets.

If you really wanted our help, you would know how to get it -- we've posted
about it publicly (and I'll publish it here too for the record if this
mail is allowed through despite being totally off-topic and non-technical):
1) Forget 'bugs are bugs'
2) Stop obfuscating commit messages
3) Actually put someone (or someones) in charge of security, start having
actual responsibility instead of pretending you guys are just doing the
work in your free time.  If Jon Corbet has to submit a fix himself, something
is clearly broken.
4) Have a basic level of respect
5) Fund our work so that we have the free time to help out.  As it stands,
any time spent helping takes away from our own work (which becomes the
security of Linux a decade from now, quite literally).

It's that simple, but you (collectively) seem to be unwilling to do any of
the above.

-Brad

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.