Slashdot Mirror
Systemd Named 'Lamest Vendor' At Pwnie Security Awards (theregister.co.uk)
Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports:
The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...
And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.
And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.
How can Debian's developers justify using systemd, considering all of these unbelievably unjustifiable problems with it? Why have they subjected Debian and its users to these flaws? Is it really just a result of the best Debian users having long ago moved to FreeBSD, leaving around only users who don't know any better?
I've been considering switching from Ubuntu to something without Systemd. But what would that be? Slackware is a bit hardcore and frankly, I'm really scared I won't get my server functional ever again if I start from scratch...
I know I've defended Poettering in the past, but lately I've come to think that he is a right pillock. systemd badly needs somehow who understands security and who can get these issues the attention they deserve.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
An interesting aspect of this is that Xinuos, as the successor to SCO* - the company that inherited UnixWare and w/ it System V Unix IP, has decided to fork off FreeBSD - a BSD project - instead of continuing on System V. That really demonstrates that the System V branch of Unix is for all practical purposes dead. Xinuos just does support work on the legacy SCO Unixes, but beyond that, drives companies towards FreeBSD. Oracle just supports Solaris on legacy SPARC hardware, but otherwise, pushes Oracle Linux. All the other Unixes that were based on System V are dead.