He alerted SCO to a flaw in their OS?
Actually, I posted to vendor-sec. I was rather surprised when I got an email back from SCO -- I didn't think that they'd be on vendor-sec.
Why notify FreeBSD and then wait 2 or 3 months before notifying other possibly affected vendors (at least other BSDs)?
Two reasons. First, because I'm part of the FreeBSD Security team -- I'm required to notify them about potential issues.
Second, because if I contacted lots of security teams with what I had on December 31st, they wouldn't have listened: "Umm, hey guys, there's a problem with hyperthreading. I've convinced myself that it is real, but I don't really have any evidence to give you, so you'll just have to believe me..."
Why wasn't Intel notified over the past SEVEN MONTHS ?
They were. I've clarified the page somewhat now, but "Other security teams" includes Intel.
My paper is available here.
Have fun reading, I'm going back to the conference.
24 hour turn around times with patches is not uncommon for FreeBSD
In all honesty... 24 hours is very unusual for us. I can think of one case where it happened recently, but that was when we rushed an advisory out in order to fit into the 5.4 release schedule.
A more typical time is 3 days, since we want to test carefully to make certain that a "security fix" never ends up breaking something else.
...you can apply for grants from IBM's research division, and believe it or not MSR...
I can't find anything on the MSR web site... can you be a bit more specific?
Don't forget that BSDCan 2005 starts on Friday in Ottawa, Canada. Talks include:
The FreeBSD SMPng Network Stack -- Robert Watson
Live Network Backup -- der Mouse
"Because it has to be free" - Wireless support in OpenBSD -- Reyk Floeter
ioctl is soooo 1980ies -- Poul-Henning Kamp
A new security issue -- Colin Percival
Yes, you can still register.
How many bosses do you think out there read slashdot? How many of them do you think are nuts?
Irrelevant. The important question is how many bosses think that they are nuts.
Odds are that even if the boss in question read this story, he wouldn't recognize it as referring to him.
Strange, they have a press release on their website dated April 6, 2005 about the report being commissioned by Microsoft
/. linked.
Different report. That press release talks about Windows Server 2003 vs. RHEL 3.0 -- Microsoft must have asked them to produce a newer version of the report
...a specific ancient version of Red Hat
This report was written in April 2003, according to the first page. They used the most recent version of RedHat available to them.
This report may be two years out of date, but I can't see any signs of bias in its production.
These updates come out roughly once a month and usually are several security fixes rolled up into one.
Unfortunately, while Apple collects several security fixes together into a single update package, they aren't following the obvious approach of handling all of the known issues at each point. This security issue was reported over three weeks ago, but doesn't seem to have been patched yet.
Not only that, but the five trillionth, forty trillionth, and the quadrillionth bits of Pi are all zero... I did all that work, and it all came to naught.
Since I drive quite a lot, I am very familiar with the warnings about drinking while driving (could be bunk, but I still respect it and those around me). But what about using LSD? A police officer just told me that I'm not supposed to use any recreational drugs while driving. I often take LSD while driving my car. Could this cause any problems, or is this something I need not worry about?
Ok, maybe I'm taking a few liberties in rewriting the question, but in all seriousness... you are required by law to obey instructions given by aircraft personnel concerning what equipment you can use while on the plane. The fact that they warn you about drinking (using your cell phone) more than they do about taking LSD (using bluetooth) doesn't mean that one is any more legal than the other, or any less stupid than the other.
Yeah - that whole AIDS thing has been a real waste of resources; why bother with non-cures?
Well, now that you mention it...
It isn't entirely clear that all HIV medicines have had net positive effects on the population health. Clearly, they improve the health of the individual being treated, but they also extend the duration in which the infected individual is healthy enough to spread the virus.
If you want to improve the health of an individual patient, of course you throw the most effective medicines you have at him. If you want to save lives, the answer might be quite different.
In Canada [...] Juries are only mandatory for certain offences, I believe murder and attempted murder are examples of those.
Even for crimes like murder, you can get a trial-by-judge in cases where the evidence is deemed to be too complicated for a jury to understand. The Air India trial is a good example of this.
How quaint.
Canada takes quite seriously the concept of making sure that suspects receive a fair trial. When the publication of evidence in advance of the trial would make it impossible for someone to receive a fair trial, a publication ban is entirely reasonable.
Most of the cost of providing phone or DSL service isn't the day-to-day operational cost; it's the cost of running the physical copper cable in the first place. I don't know if the figures are still the same, but at one point it took phone companies 5-10 years to recover their cable-laying investment on new subscribers.
When ADSL first became popular, it was cheap for a very simple reason: Everybody already had a phone line, so the marginal cost of ADSL was merely the cost of the terminating equipment. The physical link was already being paid for out of the phone bill. Take away the landline phone service, and the ADSL cost jumps sharply, since it will now have to cover the formerly "free" copper wiring.
DSL simply doesn't make economic sense without attached landline phone service.
Maybe I'm misreading the description, but it looks to me like this is an 8-round cipher with a round function considerably simpler than Rijndael's round function.
Given that 8-round Rijndael is broken, it seems highly optimistic to think that this new cipher will not be broken.
What makes you think viruses that attach themselves to executables (is this oldschool now?) won't automatically take advantage of this?
Yes, that is rather oldschool now -- which is why I think current viruses which attach themselves to executables might not be a particular problem. I'm not sure if a virus written in the days of MS-DOS (or even one written for Windows 95) would function properly on a Windows XP system.
If this approach of carrying around applications on USB drives catches on, however, I doubt it will take long before a new generation of viruses are written.
Plug your USB drive into a virus-infected machine; run Firefox; and you now have a virus-infected copy of Firefox on your USB drive. Carry it over to another machine; plug it in; run Firefox; and you now have another virus-infected computer.
I'm sure McAfee, Symantec, and Sophos will all love this idea, but I think I'll take a pass here...
I've just found your mail and I've personally not responded because of the lack of details - we already publish our private keys on our webpage so asking for them again is extra work when we've got lots to do.
In the case of my initial vendor-sec posting, well, I don't know who exactly is on that list, so I couldn't search around for everybody's PGP keys -- thus my comment of "if you want to know the details, send me your PGP key". (Also, it's much easier for you to paste your PGP key into an email than it is for me to find your PGP key -- especially when you consider that I'm trying to promptly inform over a dozen different security teams.)
But now that I know you're awake, and now that a sibling post has linked a FAQ which lists your key, I've emailed you all the details.
This issue affects other operating systems, not just Debian. It will be disclosed according to the schedule agreed upon with the other vendors; I'm not going to disclose it early just to spite Debian.
It would be nice, however, if the Debian security team were aware of this issue before the disclosure date rather than after.
I can see the need for keeping ahead of security bugs...
Speaking of which... *tap* *tap* is this thing turned on? Is anyone from the Debian security team listening? I've got a security issue here... I've e-mailed vendor-sec (3 weeks ago)... I've e-mailed debian-security-private directly (1.5 weeks ago)... are you guys planning on responding some time this month?
(Yes, I'm entirely serious. Slashdot isn't my preferred channel for communicating with other security teams, but the usual mechanisms seem to have failed, and I figure that there must be at least a few Debian people reading this story.)
In fact, it's very hard to justify the "R" in the acronym in dungeon crawls.
Not at all. In dungeon crawls, the "R" just stands for "Roll" instead of "Role".
I guess my problem is that I simply cannot see how the author-pays model would become more expensive for a university/organization.
Paperwork. In the case of university researchers, "author pays" almost always means "author's research grant pays". In most circumstances, there are many checks to make sure that researchers don't run off with their grant money -- it has to be spent on legitimate research purposes. The process of writing a cheque involves sending a request for payment through three or four offices, having someone verify that the journal to which the money is to be paid is legitimate, and having the resulting cheque come back through several offices again. If the cost is being split between several co-authors, it's even worse.
A single payment of $10,000 from a university library to a journal costs vastly less than 20 payments of $500 each which come from separate research grants.