Slashdot Mirror

← Back to Stories (view on slashdot.org)

Systemd Named 'Lamest Vendor' At Pwnie Security Awards (theregister.co.uk)

Posted by EditorDavid on from the init-to-win-it dept.

Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports: The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...

And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.

13 of 436 comments (clear)

  1. Misleading title by markdavis · · Score: 4, Informative

    >"Systemd Named 'Lamest Vendor' At Pwnie Security Awards"

    I have no great love of Systemd, but that headline is misleading. The award was the "lamest vendor RESPONSE." But, you know, it is all the rage to have intentionally misleading headlines to grab even more attention than deserved.

  2. I seem to remember Miguel de Icaza ... by HBI · · Score: 4, Informative

    Back in the days when Mono was considered a submarine way to give Microsoft control over Linux, there was such universal hate then.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  3. Why not OpenBSD? by Ungrounded+Lightning · · Score: 3, Informative

    Use FreeBSD, no systemd and technically a truer Unix than linux anyways.

    Why do you mention Free rather than Open? (Or Net, for that matter?)

    Seriously: I was looking at porting a project from Ubuntu 14.04 LTS to OpenBSD rather than later Ubuntu releases for security (and licensing) - at least in part because 14* to 16* or later means going to systemd and trying to security audit it looks like a nightmare. The obvious candidate was Open, because of its security tightness and because it's just supporting one embedded app on one particular hardware platform, so not having the whole kitchen sink of drivers and apps isn't an issue.

    Is FreeBSD just a better match for what you're doing? (Laptop?) Or is there something else I should be looking at when picking a distribution?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Why not OpenBSD? by Anonymous Coward · · Score: 5, Informative

      Different goals of the platforms.
      FreeBSD wants to be a well-rounded general usage OS
      OpenBSD wants to be the pinnacle of security and is willing to throw everything out to achieve that goal
      NetBSD wants to be ultra-portable
      Dragonfly wants to be a high performance highly scalable and even distributed OS

    2. Re:Why not OpenBSD? by Curupira · · Score: 4, Informative

      OpenBSD is undoubtedly safer, but FreeBSD is generally considered to be updated more often and better to use as a desktop/laptop OS. In fact, there is TWO desktop-centric operating systems based on FreeBSD: TrueOS (formerly PC-BSD) and DesktopBSD. So, if your intent is to use it in a desktop/workstation, FreeBSD is probably a better fit.

    3. Re:Why not OpenBSD? by Anonymous Coward · · Score: 3, Informative

      That's the public consumption stuff.

      OpenBSD is really Theo's vehicle, which he forked out of spite after getting into a stupid spat with NetBSD core@. (This says bundles about both, incidentally.) They do worship "security" (and it often does devolve into "worship", though they do know their stuff) but to value it properly you need to understand their idea of "security", which is actually pretty narrow. Point in case: "openntpd", which is written by security nerds because the reference implementation was deemed to be doubleplus ungood, and not by time nerds. So you get a situation where the thing only doing sntp is deemed peachy fine. Except that to people who really need Proper Time, the bread and butter of ntp, this is simply not good enough, but the thing won't tell you. Fun times.

      NetBSD is a bit of a tinker toy. It's pretty portable, but some (even non-mainstream!) platforms are actually better served by, oh, OpenBSD or something. It is a bit hampered by its core@ being a bunch of nice people and by its niche status. It now has lua in the kernel.

      FreeBSD is a different kind of tinker toy with a big position as "geheimtipp" for servers, something they've done their level best to destroy since FreeBSD 5, first with the n:m scheduler (which they finally gave up on with FreeBSD 8), and now with various userland rewrites, including pkgng (which suffers from a massive case of second system effect). It was traditionally strongest on i386 and now x86_64, and much less so on other platforms (alpha was somewhat decent, though). There is a strong influx of linux refugees, and it shows.

      DragonFly BSD is Matt Dillon's fork of FreeBSD 4.11, because he disagreed with the n:m scheduler as overly ambitious (which got vindicated) and as a vehicle to do things like HAMMER with. Too bad the thing also saw fit to jump the pkgng bandwagon. Like NetBSD it suffers from being small-ish and being niche without having a clear niche-crowd to leverage.

      They all have their own flavour and they all steal from each other with gay abandon.

      So you see, the people behind it are important also, certainly if you'd like to participate and not "just use". And the best way to learn about them is to try.

      So if interested do find the time to install each of them at least once, even if only as a VM. But do install from scratch; go for a bootable system without X and packages, then build from there.

      One thing the *BSDs tend to do much better than linux is documentation. So be sure to look for that first and do plenty reading before starting your installs.

  4. Re:With all this hate... by sconeu · · Score: 4, Informative

    What about Devuan?

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  5. Re: How does Debian justify using this?! by Tenebrousedge · · Score: 4, Informative

    Rating: pants on fire.

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
  6. Re:With all this hate... by aardvarkjoe · · Score: 4, Informative

    Most of those who oppose systemd are pining for the Good Old Days of loading the boot target using bat-handle toggle switches on the front of their IMSAI.

    We're mostly pining for the Good Old Days when you could trust your init system to do what it was supposed to do.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  7. That suspicion isn't like the systemd issues by jbn-o · · Score: 3, Informative

    I recall that being an entirely different issue from what's at issue in this /. thread. This thread concerns possibly buggy free software in need of some maintenance and review. Microsoft's patent licence for .NET core is a threat of a different kind—Microsoft's patents covering software in Mono and licensing that doesn't grant users the freedoms of free software work together to grant Microsoft the power to extracting patent royalties from free software distributors.

    --
    Digital Citizen
  8. Re:Fuck linux and systemd by fnj · · Score: 5, Informative

    What the fuck are you babbling about, schmuck? FreeBSD has an excellent binary package system with automatic dependency resolution: pkg. The user doesn't need to compile source from ports except if he wants something to be built with unusual options (same as linux, incidentally). All you need is "pkg install foo" and it will fetch the package foo and all its dependencies from the repo and install it.

  9. Re:Xinuos OpenServer 10 by unixisc · · Score: 4, Informative

    Actually no! Tarantella was acquired by Sun shortly after it spun off SCO, and it didn't have the OSs - it had some utilities like IIRC OpenVision and some NFS like software.

    Xinuos was the successor company to SCO, Inc, after it filed Chapter 7. They inherited whatever legacy assets SCO had, as well as any customers, but started w/ a FreeBSD fork for enterprises. No idea whether their management has anything in common w/ that of SCO, Inc.

  10. Re: No words. by 0100010001010011 · · Score: 3, Informative

    I tried CentOS. I went to the source.

    I downloaded the latest ISO they had. I did a fresh clean install.

    It let me use 0day as the install user.

    http://imgur.com/a/8PZcS

    It then allowed me to login with it. With zero problems.

    It then allowed me to do this:

    [root@centos ~]# cd
    [root@centos ~]# adduser 1day
    [root@centos ~]# adduser 2day
    [root@centos ~]# useradd 3day
    [root@centos ~]# useradd 4day
    [root@centos ~]# id 1day
    uid=1001(1day) gid=1001(1day) groups=1001(1day)
    [root@centos ~]# id 2day
    uid=1002(2day) gid=1002(2day) groups=1002(2day)
    [root@centos ~]# id 3day
    uid=1003(3day) gid=1003(3day) groups=1003(3day)
    [root@centos ~]# id 4day
    uid=1004(4day) gid=1004(4day) groups=1004(4day)
    [root@centos ~]# uname -a
    Linux centos 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
    [root@centos ~]#

    So now I know you're full of shit. Name one distribution that does that, let alone a 'most'. Fuck at this point take a screenshot of any OS throwing an error trying to add a 0day user. You piqued my interest enough to download OpenIndiana and see what Solaris thinks.

    but if you read the bug you would already know that adduser and useradd disagree on the acceptability of said username

    No, I read what Pottering said. But time and time and time again his actual knowledge of how things work is completely wrong (See the rm -rf /foo/.*).

    Systemd is turning out to be the Theranos of Linux with Pottering at the helm sounding more and more like Elizabeth Holmes every day. It's like he makes it up as he goes.