Systemd Named 'Lamest Vendor' At Pwnie Security Awards (theregister.co.uk)
Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports:
The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...
And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will be referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.
they are not #1 by any means.. cease fire stand down,, kindness is contagious so is violence deception dishonor.. spiritual bankruptcy can be fatal..
If bugs and programming errors that result in security flaws are a problem with systemd, would rewriting it in a language like Rust help? Rust is a systems programming language that has been designed from the ground up to be safe and secure. Rust isn't the only option of course. Go is another language that would be a good candidate.
You should have followed the links and informed yourself. You would have seen that each bug was properly addressed, and that this is about some disagreements about how to classify them, if CVEs should be filed, and when that happens how to document that a fix is related to a CVE. There is nothing about this that amounts to "There are serious bugs, and they won't fix them!" Also, none of these bugs were "horrendous", but your understanding of them as well as what a normal development process looks like might be. I guess we'll find out if you follow the links and try to understand what you read. This does however get some press for the Pwnies, and that is all it does.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Most of those who oppose systemd are pining for the Good Old Days of loading the boot target using bat-handle toggle switches on the front of their IMSAI. Technology marches on. Instead of wading through several kilobytes of init scripts to figure out what mods I need to make, I can create a systemd file of a few lines and I'm up and running.
But you can go back to worrying about how to pay for your 80-column card so you can get a wider screen to play Pong. Enjoy!
slashdot: A failed experiment.
Yes, it is one of the four bugs that got found and fixed. At no point did anyone suggest it wasn't a bug, nor did anyone suggest it shouldn't be fixed. The problem the Pwnies had was they wanted a way to easily search the git logs to see what commit(s) fixed the issue. As usual, you are an uninformed moron.
What the FUCK are you talking about? Never mind, you made it pretty clear you don't know.
I'll just pick the obvious one: systemd accepts valid usernames. If you look at the useradd (8) man page you will see that it is distribution dependent what constitutes a valid username. In general they insist on an underscore or letter as the first character. It is dangerous to allow them to start with digits as we have seen. Most distributions follow this safe rule. Complaining that systemd does proper input validation is the real gaffe in your rant that is icing on the cake of your lack of understanding of both Linux usernames and secure programming in general though. Your apology is accepted.
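The username rule the comment above points at, written out as an added example. This is not systemd's code and is not taken from the original page: the validator follows the pattern documented in useradd(8) (`[a-z_][a-z0-9_-]*[$]?`, at most 32 characters), the in-memory account table stands in for getpwnam(3) so the program runs offline, and the two resolver functions are constructed here to contrast the fail-open behaviour the Pwnie nomination describes (an unparseable name silently yielding uid 0) with a fail-closed version that refuses to start instead.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Illustrative validator (not systemd's): accepts names matching
 * [a-z_][a-z0-9_-]*[$]? and no longer than 32 characters, the rule
 * documented in useradd(8). A leading digit is rejected here. */
int valid_user_name(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 32) return 0;
    /* First character: lower-case letter or underscore. This is the
       check that turns "0day" away before any lookup happens. */
    if (!(islower((unsigned char)name[0]) || name[0] == '_')) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '$' && i == len - 1) continue;   /* optional trailing '$' */
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Constructed account table standing in for /etc/passwd + getpwnam(3). */
struct account { const char *name; uid_t uid; };
static const struct account ACCOUNTS[] = {
    { "root",  0 },
    { "alice", 1000 },
    { "0day",  1001 },   /* digit-first name some distributions do allow */
};

static const struct account *find_account(const char *name)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Fail-open pattern (constructed to mirror the behaviour the thread
 * describes): a name that fails validation is ignored and the caller
 * ends up with the default identity, uid 0. */
uid_t resolve_uid_fail_open(const char *user_setting)
{
    const struct account *a;
    if (!valid_user_name(user_setting)) return 0;   /* silent fallback to root */
    a = find_account(user_setting);
    return a ? a->uid : 0;
}

/* Fail-closed pattern: invalid or unknown names are an error (-1), never
 * a fallback to uid 0. Returns the uid as a long on success. */
long resolve_uid_fail_closed(const char *user_setting)
{
    const struct account *a;
    if (!valid_user_name(user_setting)) return -1;
    a = find_account(user_setting);
    if (a == NULL) return -1;
    return (long)a->uid;
}

int main(void)
{
    const char *names[] = { "alice", "0day", "root", "alice$", "-bad", "nobody" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s valid=%d fail_open_uid=%u fail_closed=%ld\n",
               names[i], valid_user_name(names[i]),
               (unsigned)resolve_uid_fail_open(names[i]),
               resolve_uid_fail_closed(names[i]));
    return 0;
}
```

The point of the contrast is in the two resolvers: both agree that "0day" is not a valid name, but only the fail-closed one treats that as a reason to stop rather than a reason to proceed as root.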