The court should not be in a position of prior restriant (sic).
That's a difference between US and Canadian courts. Canadian courts have no concerns about imposing publication bans -- most obviously, while US courts hold preliminary criminal hearings in secret in order to avoid tainting the jury pool, Canadian courts allow the public into those hearings but impose a ban on publication of the details.
We just do things a bit differently on this side of the border, that's all. :-)
how do you prohibit the sale or providing information about a book that you PURCHASED
Technically, nobody purchased those books. A sale only takes place if all parties involved intend for a sale to take place, and this was clearly a mistake on the part of the store in question.
Is FreeBSD having the same problems, or are they handling the situation, or are they just ignoring it?
The FreeBSD base system is supported quite well, although we have had occasional manpower problems (e.g., when one member of the security team is travelling around Japan on work, one member is writing his doctoral thesis, another member is job-hunting, et cetera).
The FreeBSD ports tree is supported on a "best effort" basis -- we make no guarantees, but we do our best.
Woah! Wait a moment before you start flaming me on the basis of my subject line...
The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.
The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.
aren't there any "free classical performers" out there?
Yes. The problem is, they're not very good. Unlike popular music, where someone can start to learn guitar and become a world-famous "musician" a few years later (in some cases, this order is reversed), a good quality symphony orchestra contains 50 or more musicians, rarely with less than fifteen years of experience.
As a general rule, if you're a professional classical musician, you can't afford to give away your work for free -- not to mention the costs of renting a recording studio which can fit an entire symphony orchestra. If you're an amateur classical musician (defined as "has a full time job which isn't music"), then unless you're really exceptional, you're not good enough to make recordings which people will want to listen to.
it was a con by the Bush administration--to what gain? What could they possibly have gained?
Bush has wanted to oust Saddam Hussein for a long time. As for what he gained by doing so... I don't know, but his intention of ousting Saddam Hussein predates 9/11, so it clearly has nothing to do with terrorism.
Instead of me calling up Gateway and saying "Hey my modem is fried, I know what I'm doing with computers, send me a new one" I have to go through an hour of pointless troubleshooting.
Get a real warranty. When the hard drive in my Dell D600 laptop died, I phoned the support number, gave them the serial number, said "the hard drive died and your diagnostic utility is saying <insert error message here>", and I had a new hard drive before 9AM the next morning.
While I'll disagree with the IMPACT of his attack the content is there.
Do you disagree with me about the impact of my attack, or do you merely disagree with the media reports?
I've been quite clear throughout that this only affects systems with untrusted users who are allowed to execute arbitrary code, and that on such systems, the impact is theft of information, potentially resulting in privilege escalation.
If you disagree with this, what is your assessment of the impact?
Despite what the article says, what do you think Microsoft owes you in this case?
Nothing. However, I do believe that they owe the public, and their shareholders, the truth about how they handle security issues -- which, judging by my experience, they did not provide in the linked news article -- and I believe that they should take every opportunity available to improve their security, including working with the people who report security issues to them.
You are an academic nobody in their eyes, despite any delusions of grandeur you may possess.
Maybe; or maybe not. I'm not just an academic who happened to stumble across a security problem; I'm also a FreeBSD deputy security officer. I may not have quite as much experience at dealing with security issues as they have, but I don't think I'm a complete "nobody" in security circles either.
We respond immediately to the initial vulnerability report and provide the researcher with contact names, e-mail addresses and phone numbers. We make it clear we want to work closely with the researcher to pinpoint the problem and get it fixed. We commit to providing [researchers] with a progress report on the Microsoft investigation every time they ask for one
My experience directly contradicts this on all points.
When I reported the hyperthreading security flaw to Microsoft, I was provided with the first name of the person who was responsible for dealing with it ("Christopher"), but I was not provided with his last name, phone number, or any e-mail address (apart from the generic secure@microsoft.com address which I used to report the problem). Later the issue was transferred to "Brian" -- again, no last name, no email address, and no phone number.
Over the following two months, I heard from three independent third parties that Microsoft was "very concerned" about this issue, and had "several people" looking at it; but they never made it clear that they wanted to work closely with me -- in fact, they ignored all my attempts at co-operation.
Finally, prior to releasing my paper, I sent several emails to Microsoft asking about their progress and asking for a vendor statement for my web site; again, they did not respond.
I might be interested in this -- well, except for the slight problem that I don't qualify as a student any more -- but do they really expect $4500 to attract much interest? Given that the $4500 is split between $500 for "startup costs" and a $4000 "reward" if the project is "successfully completed", Google is really asking people to work for two months for a chance at winning $4000 -- and we all know how few software projects actually complete on time, so there are quite significant odds of the participants not getting anything.
I like the idea in principle, but I really don't think the details make sense.
I think you may be confusing agreement with people who decide that you're a complete idiot [...]
I doubt anyone who is aware of my background (entered university at age 13; Putnam fellow; D.Phil. student at Oxford University) would decide that I was a complete idiot.
Now, they might decide that I was insane (as another poster suggested), but that's quite a different matter. :-)
I quite deliberately confront people with, and defend, astonishingly bad ideas. (For example: "If the US government really wants to save as many lives as possible, they should give everybody two weeks' notice and then drop a nuclear bomb in the center of Jerusalem. This would destroy the largest cause of Israeli-Palestinian violence.") I do this not because I actually believe such things, but because I want to find people who are willing to contradict me and justify their positions.
Sadly, the vast majority of people either disagree without justification, or (even more worryingly) agree without justification -- which just demonstrates how unwilling most sheep^Wpeople are to engage in thought and/or debate.
Let me ask you a question. With this flaw in the architecture, will the chip manufacturers or motherboard companies have a solution ready before this exploit gets too far widespread, or will they just keep touting it as "The way to go for next-gen processing?"
The shared-cache-between-threads channel can be fixed in silicon. Whether it will be fixed is quite a different question, and one which I can't answer. For some strange reason, a certain multi-billion dollar corporation doesn't want to talk to me about its unannounced products...
On March 2nd, I reported to the Microsoft Security Response Center a serious flaw in the implementation of Hyper-Threading on recent Intel processors requiring operating system patches. On May 13th, FreeBSD issued a patch, and several other operating systems have followed suit since then.
When will Microsoft issue a patch or advisory concerning this?
Of course, most linux vendors haven't issued patches or advisories either, but at least some of them have been talking to me...
my stress level on day 2 of knowing that my sshd has a remote-root-exploit would be pretty damned high
This is why security issues are usually not publicly disclosed immediately. A window of a few days between informing vendors and public disclosure allows vendors to prepare and test their patches.
Obviously, if there is a publicly disclosed remote root vulnerability in sshd, FreeBSD would fix it as soon as possible.
the degree does not matter as much as the person
Absolutely. On the other hand, if you don't go ahead and get the minor in computer science, what do you answer when someone asks "so, you claim to be really interested in computers... why didn't you take more computer science courses at university?"
I wonder why Colin didn't spend his 3 months of unemployment making a user space fix for this issue...
Two reasons: First, I was busy informing vendors -- Intel, Microsoft, the *BSDs, and Linux vendors -- about the problem and explaining the possible solutions. Second, because fixing every application in the world (this doesn't only affect cryptography) would take far more than 3 months.
He ran the bloody "exploit" well over 1000 times to retrieve 30% of an RSA key.
Did you read a paper other than the one I read? I ran the exploit once, taking under one second, and I retrieved enough information to factor the RSA modulus N.
During the Cryptographer's Panel at the RSA conference, Adi Shamir made a short reference to this vulnerability.
...a presentation would be forthcoming at the Eurocrypt 2005 rump session next week in Denmark.
Yes, we seem to have discovered the problem independently. (Until today I wasn't sure if we had discovered the same problem -- Adi Shamir didn't reply to an email I sent him about this -- but I got an email from Eran Tromer after my paper went online.)
I don't want to pre-release their results, but Shamir, Tromer, and Osvik decided to demonstrate the attack in a somewhat different way. I think it demonstrates how dangerous this attack is that two people independently discovered the attack and came up with different entirely practical targets for it.
How about just not allow different UIDs on the core at the same time?
That would be the ideal solution (assuming that you also check for setuid/setgid programs). Unfortunately, it's really hard to do that correctly due to problems of kernel data locking.
FreeBSD's policy on security fixes is that they must never ever break anything -- so if necessary (as in this case) a simple but suboptimal fix will be used instead of a complicated fix which might have the inadvertent side-effect of causing machines to crash.
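The two replies above (the one about a user-space fix needing to touch every application with key-dependent memory access, and the one about keeping different UIDs off the same core) describe the channel without showing it. As an added illustration, not code from the paper, from FreeBSD or from any vendor, the C simulation below assumes a victim doing fixed-window modular exponentiation with a 4-entry table laid out one entry per cache set, and a spy on the sibling hyperthread that has primed those sets before each step. The cache is modelled by recording which sets each step touches (that is what a prime+probe spy observes as evictions) rather than by timing probes; the modulus and exponent are constructed values. The leaky routine reads only the entry the exponent selects, so the trace hands the spy the exponent; the oblivious routine reads every entry and selects with a mask, which is the kind of per-application fix the reply calls expensive to roll out everywhere.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Simulated shared-cache side channel (added example, not the paper's code).
 * Assumptions: table entry i lives in cache set i; the spy has primed all
 * four sets before each window step.  Each step records the bitmask of sets
 * the victim touched (set i -> bit i) instead of measuring probe latency.
 */

#define WINDOW_BITS 2
#define TABLE_SIZE  (1u << WINDOW_BITS)
#define NUM_STEPS   (64 / WINDOW_BITS)
#define ALL_SETS    ((uint8_t)(TABLE_SIZE - 1))

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((unsigned __int128)a * b % m);
}

static void build_table(uint64_t base, uint64_t mod, uint64_t table[TABLE_SIZE])
{
    table[0] = 1 % mod;                         /* base^0, base^1, base^2, base^3 */
    for (unsigned i = 1; i < TABLE_SIZE; i++)
        table[i] = mulmod(table[i - 1], base, mod);
}

/* Leaky: reads only table[w], so only cache set w is touched and evicted. */
static uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t mod,
                             uint8_t trace[NUM_STEPS])
{
    uint64_t table[TABLE_SIZE], r = 1 % mod;
    build_table(base, mod, table);
    for (int step = 0; step < NUM_STEPS; step++) {
        unsigned w = (unsigned)(exp >> (64 - WINDOW_BITS * (step + 1))) & (TABLE_SIZE - 1);
        for (int s = 0; s < WINDOW_BITS; s++) r = mulmod(r, r, mod);
        r = mulmod(r, table[w], mod);
        trace[step] = (uint8_t)(1u << w);       /* spy sees exactly set w evicted */
    }
    return r;
}

/* Hardened: reads every entry each step and selects with an all-ones/zero
 * mask, so the set of touched lines no longer depends on the exponent. */
static uint64_t modexp_oblivious(uint64_t base, uint64_t exp, uint64_t mod,
                                 uint8_t trace[NUM_STEPS])
{
    uint64_t table[TABLE_SIZE], r = 1 % mod;
    build_table(base, mod, table);
    for (int step = 0; step < NUM_STEPS; step++) {
        unsigned w = (unsigned)(exp >> (64 - WINDOW_BITS * (step + 1))) & (TABLE_SIZE - 1);
        for (int s = 0; s < WINDOW_BITS; s++) r = mulmod(r, r, mod);
        uint64_t t = 0;
        for (unsigned j = 0; j < TABLE_SIZE; j++)
            t |= table[j] & (0 - (uint64_t)(j == w));
        r = mulmod(r, t, mod);
        trace[step] = ALL_SETS;                 /* every set touched, every step */
    }
    return r;
}

/* Spy: if each step evicted exactly one set, its index is the window value.
 * Returns 0 and the exponent on success, -1 if a step evicted several sets. */
static int recover_exponent(const uint8_t trace[NUM_STEPS], uint64_t *out)
{
    uint64_t e = 0;
    for (int step = 0; step < NUM_STEPS; step++) {
        uint8_t m = trace[step];
        if (m == 0 || (m & (m - 1)) != 0) return -1;
        unsigned w = 0;
        while (!((m >> w) & 1u)) w++;
        e = (e << WINDOW_BITS) | w;
    }
    *out = e;
    return 0;
}

/* Run the victim, hand the trace to the spy: 1 = exponent leaked, 0 = hidden. */
static int spy_recovers(int hardened, uint64_t exp)
{
    uint8_t trace[NUM_STEPS];
    uint64_t mod = 0xFFFFFFFFFFFFFFC5ull, got; /* constructed modulus */
    if (hardened) modexp_oblivious(2, exp, mod, trace);
    else          modexp_leaky(2, exp, mod, trace);
    return recover_exponent(trace, &got) == 0 && got == exp;
}

/* Arithmetic checks: plain modexp via the hardened routine, and agreement. */
static uint64_t pow_mod(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint8_t trace[NUM_STEPS];
    return modexp_oblivious(base, exp, mod, trace);
}

static int results_agree(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint8_t t1[NUM_STEPS], t2[NUM_STEPS];
    return modexp_leaky(base, exp, mod, t1) == modexp_oblivious(base, exp, mod, t2);
}

int main(void)
{
    uint64_t d = 0x1234567890ABCDEFull;        /* constructed "private exponent" */
    printf("leaky lookup:     spy recovers exponent? %s\n", spy_recovers(0, d) ? "yes" : "no");
    printf("oblivious lookup: spy recovers exponent? %s\n", spy_recovers(1, d) ? "yes" : "no");
    printf("3^5 mod 1000 = %llu\n", (unsigned long long)pow_mod(3, 5, 1000));
    return 0;
}
```

The recorded trace stands in for what a real spy reconstructs from probe timings; on actual hardware the signal is noisier and the table is OpenSSL's sliding-window table rather than four entries, but the dependence of the access pattern on the key, and its removal by touching every entry, are the same.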
Did anyone else notice the Intel advert for "Hyper Threading Linux" at the top of the google ads on the article page?
I put adsense onto most pages on daemonology.net, just because I can't see any reason not to (given that the ads are reasonably unobtrusive).
This particular time, however, I had a very specific reason for putting them on: I wasn't sure if my server would be able to handle the load, and this way if there is too much traffic then I might be able to afford to get another server.
I wonder how much revenue he'll get from this announcement?
So far, not enough to rent a server. (But so far my server seems to be doing fine.)
My wife is pregnant with twins, and as much as I'd like to get a DVD of the ultrasounds...
Has the "video every moment of your kids lives" craze really gone so far as recording ultrasound videos for posterity?
What happened to the idea of the ultrasound as a medical diagnostic procedure?
Despite this, two-thirds of all webservers run Linux.
No. Two-thirds of all publicly visible web servers found by netcraft run Apache, but this includes many other operating systems.
Somebody please explain why our government panders to the terrorist capital of the world.
The Saudi Arabian government panders to the terrorist capital of the world because the US government is headed by their friends.