Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

VirtualBox is open source

[mccalli]

So submit the patch instead of waiting for someone else to for 15 months.

Re:VirtualBox is open source

He's a security RESEARCHER not a security DEVELOPER!

Re:VirtualBox is open source

only oracle employees have write access to the repos, so you're dealing with the bureaucracy and ineptitude of oracle regardless. 15 months previously probably means about that same turnaround now from patch submission to distribution.

Re:VirtualBox is open source

[ShanghaiBill]

So submit the patch instead of waiting for someone else to for 15 months.

It is not that simple. Oracle controls which patches get applied. Sure, you can "fork it", but almost nobody has the time and resources to successfully fork a project.

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql. They have closed source commercial products that compete with both of these. A big motivation for Oracle to acquire Sun was to get their hands on these open source projects so they could slowly strangle them. Late and slow security patches are part of the strangulation process.

If you ever see Oracle doing something that appears to not be evil, then you misunderstand what is going on.

Re:VirtualBox is open source

[El+Cubano]

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

I would have to agree with this. Things like quarterly "CPU" releases (critical patch update) that mix security fixes with "feature updates" (and those being the only way to obtain security fixes, not annotating CVE IDs in the commit messages of related commits, and forbidding Oracle personnel from helping outside project personnel identify specific commits associated with specific security vulnerability fixes (very useful for backporting purposes) makes for Oracle having a well earned reputation for being obnoxious to the open source community in general.

Re:VirtualBox is open source

[Tom]

Same with MySql. They have closed source commercial products that compete with both of these.

The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope. You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

Re:VirtualBox is open source

[Megol]

As you apparently don't know the definition of the word forbidding:
https://dictionary.cambridge.o...

Re:VirtualBox is open source

Exactly! We already moved all our MySQL servers to MariaDB. And for new projects we use PostgreSQL.

If we were ever going to pay for a database license, Oracle would be out of our price range, and would probably go with MS SQL Server (it even runs on Linux now).

Re:VirtualBox is open source

The fear is over the number that would migrate from Oracle to MySQL, if they had a chance.
Oracle used to have some good features that a business might want, AND couldn't get for free elsewhere. Now, they mostly can.

Re:VirtualBox is open source

[ShanghaiBill]

The percentage of MySQL users that would migrate to Oracle must be something that is a challenge to find even with a microscope.

You are missing the point. Oracle knows these people won't migrate to Oracle-DB. Their big concern is people migrating in the other direction. Many customers (recently including Amazon) have dumped Oracle's DB, and gone to MySQL or Postgres. They want to slow that hemorrhaging.

Oracle is playing defense, not offense.

Re:VirtualBox is open source

[Tom]

Why in all nine hells would you ever want to go with MS SQL for anything, at all, ever ?

I've been doing sysadmin stuff all my adult life, even now that I'm a security architect I keep in close contact with sysadmins. Not one of them has ever recommended MS SQL, everyone who used it was unhappy, in most discussions it doesn't even appear as an option.

I'm really curious which strange twisting of dimensions makes you the only person on the planet to seriously consider it who is not forced by external circumstances.

Re:VirtualBox is open source

[Dog-Cow]

Why would you expect a sysadmin to know anything about RDMS’s?

Re:VirtualBox is open source

[Zontar+The+Mindless]

Where's your sense of humour, buddy?

Re:VirtualBox is open source

[Tom]

Because they have to run them. Your DB-Admin is not a happy camper when he can't get his console because the stupid system hung itself, again.

Re:VirtualBox is open source

[Per+Wigren]

You have a reasonably smooth upgrade path to PostgreSQL, in fact if you are using database abstraction as you should, it's a config option.

Um, no, unless you use such an incredibly small subset of SQL that you are not using the database for more than storing and retrieving your application data as-is. Depending on your code, it may be just minor adjustments or it may require a full application architecture overhaul to support a second database. Realistically, no in-house application ever changes database engine without it being a part of a major rewrite and rearchitecturing anyway. If you develop for PostgreSQL, take full advantage of its fantastic feature set. Don't restrict yourself and your coworkers to the 5% of it that it shares with MySQL just to be able to switch with a config option.

Re:VirtualBox is open source

[piojo]

Oracle WANTS VIRTUALBOX TO DIE. Same with MySql.

Why have they been doing such a good job of developing it? I recently tried to use MariaDB in my project, and it fundamentally could not do a basic JSON manipulation I needed (recursive merge with overwrite). I looked into how to write custom functions and got nowhere. As far as I could tell, the API deals with rows and tables, not other datatypes.

After using MySQL for ten minutes, I found the function that did what I needed. It has been adapted to real-world usage it a way that MariaDB has not.

I can't give the strongest testimonial because I'm not an experienced database programmer, but it certainly seems to me that Oracle is actively developing MySQL. What makes you think they want it to die?

Re:No virtualbox in FEDERAL PRISON

[ShanghaiBill]

There is no need for Virtualbox in Federal Prison.

They use FreeBSD Jails instead.

Hooray for this!

[pierceelevated]

If more bugs were called out like this, the programmers would spend more time testing their software instead of taking the "we'll fix it if we get caught" attitude.

Re:Virtualbox is crap compare to VMware player

[bferrell]

I have to disagree... I've seen VMware products do a lot of nasty things, even in environments with high end paid support. The answers from VMW TAC were, to say the least, very unsatisfactory (destroy the VM and start over, it does that sometimes).

I use Virtualbox a lot. No, the polish of VMware isn't there, but ya know, there is NOTHING VMware/VSphere does that I can't do with Virtualbox... If I don't mind fiddling around with it for a while. Sometimes I mind. Other times, not so much.

Just my two scheckles worth

virtualbog is crap, owned by a crap company.

vbox is seductively easy to use on windows, but shit it's rotten software. Even something simple like the "cli" is clearly "designed" by windows-only idiots who just don't get proper CLI at all. And mysql is the same kind of idiocy with a different face on it. Both of them dying would be a good thing. Take docker and php with it while at it, please.

Though realistically even should mysql die there's still mariadb, natch. For vbox, there's several alternatives you might use. Someone'll whip up a front-end on windows and off you go.

Anyhoo. I really don't understand what sun was thinking when they bought mysql, and I don't know what oracle was thinking when they bought sun. Both really don't "get" lots of things they bought (cobalt raq, anyone?), though they're far from the only ones to buy stuff and then strangle it from sheer incompetence with the stuff they bought. Or buying a company with a good product just for "the ip" and then abandoning the product alienating a loyer customer base. I bet you too can name a few.

As for this "security researcher", he's saying some of the same things others, including me, have been saying for years: The security industry is terribly immature and ineffective. The "responsible disclosure" folderol and all the bickering about what makes your disclosure responsible and the other guy's not, makes it only moreso.

(Though honestly, if you've found a hole in a FOSS project, kindly do email them first. Not even trying with a big fat bureaucracy I get, but FOSS projects do deserve a chance, or at least a heads-up in their security contact's inbox.)

And in closing, this is old news. I saw this announced on tuesday on a not particularly up-to-date website in a different language, translated from the original Security Industry Standard Hollibru Engrish. EditorDavid apparently was too busy reading drivel to notice actual news for nerds, stuff that matters. To me, more proof that these editors are entirely irrelevant and outdated. Maybe they ought to get jobs at oracle.

Overblown much?

[Bert64]

This vulnerability requires root level privileges inside a guest os, and for that guest os to be running with very specific configuration (must have e1000 nic and be configured in nat mode)...

Incidentally nat mode doesnt support ipv6, rendering it useless for me.

Re:Overblown much?

[mvdwege]

One of the reasons for running VMs is to isolate applications that require root privileges. And the e1000 is a very popular nic to virtualise. Almost everything I met had either VirtIO networking or an emulated e1000.

So this is actually a pretty common configuration. No, this is not overblown.

Re:Overblown much?

[mvdwege]

e1000 is the Linux device driver name for that NIC family.

Re:Virtualbox is crap compare to VMware player

[goose-incarnated]

How good or poor is opengl support in vmware workstation?

I found it glitchy when I tried it a few years ago, but still far better than virtualbox. If workstation had bulletproof opengl support I'd license it.

They're both crap. VMWare is slightly better than Virtualbox, but it's still crap.

Re:Virtualbox is crap compare to VMware player

What's the virtual box alternative to vCenter?

Re:Virtualbox is crap compare to VMware player

[bferrell]

well... There are PHPVirtualbox, remotebox and hyperbox, that I know of and have used or do use. There may be others now, but I stopped looking when I found some that I liked (why is it that my keys are always in the last place I look? because I stop looking!) .

As I said, they can take some fiddling but are well worth the time/effort.

Add OpenVswitch (NICs for which are supported by Virtualbox VM guests) to the mix for a distributed switch fabric and a VirtualBox based "Vcenter" becomes very doable. Yes, you DO have to roll it yourself, unlike VMware, but...

Just like Vcenter, shared storage is necessary for moving running VMs for host to host.

Other than VMware, Virtualbox has the most pre-rolled "stuff". KVM CAN XEN do all of this stuff, but there is a lot more that has to be done for integration.

All of that said, I've also found that when importing an OVA into Virtualbox, low level details of the guest DO get changed. Nothing huge, but some things DO check for those details and do various unpleasant things when they don't match. I haven't found any I can't change back, if I know what they are.

Like I said, it CAN be a wee tad fiddly.

Use KMS on Linux or Hyper-V on Win10

[Billly+Gates]

If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically. If you run linux KMS is there and qemu if you want a gui. Shoot even pfsense ran under Hyper-V natively without any hacks or packages out of the iso!

Both KMS and Hyper-V are type-1 hypervisors unlike the shitty VmWare Workstation and virtualbox. No guest tools and run bare metal near native speeds.

Re:Use KMS on Linux or Hyper-V on Win10

If you have to use WIndows upgrade to pro under "This PC" and enable Hyper-V. It supports Linux and even FreeBSD at the kernel level without guest tools automatically.

Uh, no. Integration components is MS's term for guest tools and are automatically installed. Linux has its own tools which MS went out of its way to make sure were compatible with Hyper-V. Linux also has native support for its own para-virtualized devices, its term for guest tools, so it supports KVM "natively" since many, many years ago. For Windows, you install guest drivers. In short, you don't get out of using host to guest drivers.

Both KMS and Hyper-V are type-1 hypervisors unlike the shitty VmWare Workstation and virtualbox. No guest tools and run bare metal near native speeds.

Unless you want to be able to use a Windows VM on Windows, move it to Linux, then move it back again. The only reasonable way to get near native speed without guest tools is to do hardware pass-through, and that's generally not worth it for anything but graphics cards and possible network cards. Seriously, argue at least something sensible like standardizing on guest tools across KVM, Hyper-V, VMware, and Virtualbox to make it all pretty moot. Don't spout bullshit.

Re:Use KMS on Linux or Hyper-V on Win10

[Billly+Gates]

The integration tool,.s are default on modern linux distros as a kernel module. I do not have experience in ArchLinux but I have never needed to install them manually ever.

Re:Use KMS on Linux or Hyper-V on Win10

"Installed by default" != "without guest tools" || "run bare metal". And, again, while Linux guests are setup to automatically support guest drivers for Hyper-V and KVM, Windows guests are not setup to automatically support KVM (AFAIK, and that guide I pointed to was from Feb 2018). Beyond that, 3d graphical support is horrible without pass-through and pass-through is a PITA presuming it works.

You want to argue Virtualbox is more insecure or has more performance bottlenecks compared to KVM or Hyper-V, that might be the case. But virtually all virtualization solutions use guest drivers in some form because emulating most hardware is ass slow. It's the main reason DOS/Windows 9x is so shitty in all the various virtualization solutions I've seen as no one wants to support an OS that was all about direct hardware access and the mess that is constant root access and trying to defend against everything. That and I think most people think DOSBox is good enough*, think wanting to virtual Windows 9x is stupid (go figure on the logic on that one), and honestly I don't know if virtualization will ever get to the level of being as good as DOSBox with the difficulty of timing and such.

* PCEm is also pretty awesome. AFAIK, the next version is supposed to work a lot harder on performance which is pretty awesome. I have a lot respect for the developer trying to make things cycle accurate precisely because it's the only way to get a lot of DOS demos, games, etc working properly.

Re:Use KMS on Linux or Hyper-V on Win10

[thegarbz]

Since you look like you know a bit about this, are there any downsides to enabling Hyper-V in Windows? Being a Type-1 hypervisor does that mean that Windows 10 itself suddenly becomes a guest on the hardware? Will it affect gaming or other performance?

I've been considering playing with Hyper-V but haven't seen an answer to this question yet. I don't worry about it on my Linux box since it doesn't sit there gaming, rendering or otherwise heavily loading the hardware, and in that case I happy run Ubuntu on Xen (which was incredibly trivial to install).

Re: Use KMS on Linux or Hyper-V on Win10

[Billly+Gates]

You are correct. In a type 1 hypervisor there is a parent child relationship as the hypervisor runs in ring -1 underneath the kernel inside the CPU itself. So near native speeds for the parent and more restrictions for the children or so called guests as they call them in type 2. On my home PC I can game fine. World of Warcraft slowed down only 1 to 2 fps and I have an older i7 4770K. Guests would be slower with the GPU in pass through mode but much quicker than virtual box as no software layer is used.

So far my CPU runs much cooler and all my guests sleep when the parent OS sleeps as everything is integrated which is cool

I/O is much faster in hyper-V and KMs for all vms and GPU pass thru. Downside is latency dependent apps like audio mixing might have problems. Also your nic gets virtualized into a switch so if you use custom DNS stuff like cloudflare which I vuse then you need to configure this before enabling hyper-V as your Ethernet 1 doesn't move packets anymore as the hypervisor does this now

Re: Use KMS on Linux or Hyper-V on Win10

[thegarbz]

Thanks, I may have a play with this.

Re:Here's how to protect yourself... apk

[Zontar+The+Mindless]

You are so INCREDIBLY predictable, Alex. You're like the hamster running inside the little wheel.

Mostly.

(The hamster eventually figures out how to get off.)

Happy Armistice Day from Stockholm!

Re:ZIP you already committed public suicide... apk

[Zontar+The+Mindless]

Links are not some form of magic, Alex. Two rotten apples are not any more edible than one, and hyperlinking to repetitions of lies does not make them true, no matter how many times you do it.

Re:Virtualbox is crap compare to VMware player

[ayesnymous]

Yup, VMware is some of the worst software I've ever seen. And they still require Flash for their fully-functional UI.

Re:Virtualbox is crap compare to VMware player

[rl117]

Poor. Intermittent random freezing of kde kwin input, window switching and compositing when hw accel is enabled, plus occasional hard lockups of the whole machine. It's also a really old gl version. Unusable. This is with a well supported radeon RX 580. Spent months of back and forth with their tech "support". They don't seem to care. Was a waste of money (not cheap) and hard to recommend. The quality tanked when they fired their US team and was offshored. It's a maintenance mode cash cow at this point. I would pay good money for a replacement which worked and was actually developed. Look at what was in Workstation 15, I couldn't justify paying to upgrade from 14 when there was nothing compelling and no real hope the showstopper bugs were fixed.

Re: Virtualbox is crap compare to VMware player

[Zontar+The+Mindless]

i have no idea what you're talking about (you might not either)

He doesn't.

Heck, they fixed a bug in 5.2.22 (released 2 days ago) that I reported in 5.2.18.

Re:Virtualbox is NOT free if you add the add ons..

[Zontar+The+Mindless]

I count: one (new) unsubstantiated allegation and at least two lies (which you've repeated before). Why are you trolling this thread, anyhow?

Curious definition of reliability

[CustomSolvers2]

"The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

Can I reproduce that exploit? Yes. It will work or not. Funny. It seems the post-truth adaptation of "it works in my machine". Why even caring about saying something appearing to be true anymore, right?

Most of people seem completely incapable of understanding simple concepts. In fact, I am starting to think that well-reasoned-and-validatable-but-long statements are more likely to be assumed wrong or even untruthful by a big number of (usually noisy) individuals; unlikely not saying anything or using simple, short, ideally-repeated-many-times-&-cool-looking expressions with no real meaning.

Although I am not the kind of Schadenfreude guy, I do feel really good with myself and with all what I have (= dignity, honesty, not tolerating arbitrariness, etc.) when I see what the tyranny of the most profound stupidity and fanaticism can bring, mainly online. The saddest part is when those having nothing (from my perspective) aren't aware about that fact and seriously expect their nonsense to prevail when I am around. It is a bit pathetic. But as far as I know that helping/reasoning isn't an option (even if they could understand, they are too ignorant, empty, dishonest and invasive to ever do anything about which I could really care), I will simply focus on enjoying my privileged position.

Re:Curious definition of reliability

[CustomSolvers2]

It's not a race or something like that, and he's telling you that he hasn't tested if it still works with mismatched binaries - which you normally shouldn't have.

My post was exclusively focused on the funny (indicative, not-too-honest, etc.) reference to 100% reliability. You have found an exploit working under very specific conditions and you list those specific conditions? Everything is fine with me. You could even go a bit further and get some reliable statistics (+ clearly refer to their source -> this is what you should always do when using generic values intended to have an intrinsic meaning, providing some context about their true reliability) about how probable is for certain group of people/software/computers to be in that situation and to estimate a percentage of success of your exploit. It would also be fine. Almost anything would have been fine. Saying that it is 100% reliable is tremendously far away from being fine, clear, honest and, for me, acceptable.

Re: Curious definition of reliability

[CustomSolvers2]

Wow, you are a pretentious prick.

Read the article you cuck.

?! I wasn't commenting the article, you anonymous piece of shit, but the express reference (direct quote from his author) "The exploit is 100% reliable" and the ridiculously dishonest meaning given to that expression. I took advantage from that to highlight my profound disdain towards the tremendous-ignorance-prone subculture of idiots which internet is creating. You have to be a special kind of idiot to read something like "100% reliable" together with the subsequent explanations and think that it makes any sense. You have to be the kind of credulous, coward/anonymous and pathetic idiot who isn't able to understand a simple post (my previous one), but dares to "participate" in the discussion and naively thinks that using two sentences with two insults saying pretty much nothing about his/her understanding/background makes him/her look intelligent.

Actually, you are so stupid that you aren't even understanding that your post is precisely representing a practical sample of what I was describing in my post. I quote myself:

In fact, I am starting to think that well-reasoned-and-validatable-but-long statements are more likely to be assumed wrong or even untruthful by a big number of (usually noisy) individuals; unlikely not saying anything or using simple, short, ideally-repeated-many-times-&-cool-looking expressions with no real meaning.

You are the kind of pathetic idiot that follows (-> this is what you are, a sheep) people saying short, simple, noisy (and/or arbitrarily insulting, attacking a common enemy, unreasonably appraising what you like, etc.) statements like these. In fact, you might even not be able to understand/write English too well. But you know that those two sentences are right, because you have read them many times from other idiots like you, knowing pretty much the same than you and meaning pretty much the same than your pathetic post means (= nothing). A (not necessarily too bright) parrot should be able to deliver pretty much the same than you have done right now without much effort. You are joke. You are a sample of what no one should ever be. You are the output of pure stupidity. You are so irrelevant and so pathetic that just getting this answer from me might be one of the most relevant things of which you have been part in a while.

Re:Curious definition of reliability

[CustomSolvers2]

Folks, is what the Dunning Kruger effect looks like.

Folks? Who do you think that is caring about your nonsense? Or do you have a multiple-personality disorder? Or is it perhaps your group-, social-media, bubble-based distortion of reality which is playing with you? You aren't able to have a conversation 1-to-1 with another person anymore? You already need to always be able to (anonymously) bash others, be part of a group, get some extra advantage? You think that you aren't alone anymore? That there will always be another pathetic idiot like you repeating, liking, upvoting whatever nonsense you say? Or you could always trick the system a bit, right? Creating different profiles, posting various times anonymously. Seems a bit pathetic, but it feels so good when you see the results! The media/internet supporting you! LOL. As said in my previous message (probably to you too), you are beyond pathetic and just the fact that you think that a piece of shit like you has anything to say to someone like me proves your tremendous disconnection with reality. Not with your reality, with the real reality, the one where all your (fake or not) friends, upvotes, stars have no value. You are a sad joke who should have some minimum survival resources and know with whom you can deal and with whom you cannot.

Even though you don't deserve it, I will share a curious anecdote with you. Some years back, I had a pretty weird interaction with a pretty weird person (or group of them, no idea) who did mention that "Dunning Kruger effect". That person(s) was weirdly obsessed with everyone wanting to use the same approach than them (it was about a methodology to build GUIs; bear in mind that this isn't precisely my strongest suit and that I was clearly transmitting that point, that I was fine with my approach for the limited problems with which I was dealing; but this wasn't enough for them who seem really interested in everyone liking the same that they do!!). Back then, I didn't look the meaning of that expression up, exactly the same that I am not doing it now. I mean... I am the kind of guy who is always learning, but cases like this sound to me similar to urban legends or things that insecure people repeat to impress others (something like saying that you know/saw something when it isn't true). Not saying that it isn't really a medical condition, but probably (because of the two times when I have heard about it) is used in a trendy/ignorant fashion. What do I mean with that? I mean for example how is being Aspergers/autism used within certain "collectives" (groups of idiots). It is the kind of easy understanding on which easy people (I mean idiots) rely to simplify the too-complex-for-them world. Something like a simple chant that they can repeat over and over; approaches that they feel that will always work (-> blindly trusting in the 100% reliability of something seems very important for idiots); ideas making them feel safe like thinking about an abstract enemy/problem/bad guys. You know? The kind of pathetic seeds that generate the worst version of ignorance, eventually converted into fanaticism and hate. I mean... I am not truly familiar with all these "urges" which tremendously insecure and ignorant people (usually violent and invasive too) feel. But I guess that this is a reasonably good estimate. Feel free to correct me if I am wrong, by assuming that you have been able to read until here because I am sure that so many words should be really difficult for someone like you. LOL.

No surprise here

[RuiFRibeiro]

I tried to use VirtualBox in my corporate Windows desktop earlier on this year.
Gave up on frustration of the multitude of bugs I encountered.
I cannot even phantom how people depend on VirtualBox to do some serious work, or how some misguided souls use it to run Linux servers.

Re:Here's how to protect yourself... apk

[BronsCon]

You say your hosts file engine can protect us from advertising. Can you provide assurance that, should I choose to install and use it, I will stop seeing ads such as the one I am currently replying to?

Re: Simple to work around, no?

[Provocateur]

was being the operative word here.

Re:I find word of mouth the BEST advertisement

[BronsCon]

Still an ad, still a valid question, still no affirmative response from you, and still quoting me out off context as explained in my signature. Still just as toxic, underhanded, and dishonest as always; nobody should use or trust software written by someone with those traits. How's that for a review? Dick.

Re:Thanks for saying my work's good BronsCon!

[BronsCon]

I'm saying that, in the context in which I actually said it, it wasn't praise at all. You're too fucking dense to realize that, though... which, honestly, is not my problem.

Re:You don't deny you said my work's good then...

[BronsCon]

You're missing it, so I'll state it more plainly. I did literally write words similar to what you keep quoting (your edit changes the meaning a fair bit so, no, I did not write that), but it was not an endorsement of your work so much as a preface to an insult. Once again, my words were not an endorsement of your work and the fact that you had to edit them to make them appear to be such should be a dead giveaway of that.

I wouldn't bother replying to irrefutable logic, except to concede or agree, because I'm not an idiot. You, on the other hand, have just had your flawed logic refuted.