The Jeff School of Customer Relations
-
So a dude finds a bug in grsecurity:
https://twitter.com/marcan42/status/724745886794833920
They respond just like any rational adult would, by insulting and banning him:
https://twitter.com/marcan42/status/724830847128506373
And banning anyone that retweeted him.
-
@NedFodder Security people can be twats about disclosure.
-
Exposing an easy way to crash a system without doing the whole responsible disclosure thing - possibly a dick move.
Not allowing the same user to patch their system in the future - definite dick move.
-
@Onyx it's dicks all the way down.
-
@NedFodder said in The Jeff School of Customer Relations:
And banning anyone that retweeted him.
Awesome, I wish all Linux-y bullshit had an easy mechanism to make themselves disappear from my Twitter feed forever.
-
I wish Windows Hypervisor Manager wouldn't just decide to set my Exchange server to use a single virtual CPU.
If wishes were horses, then beggars would ride.
-
I love the part where they were all "no, the code was correct to use an unsigned type for room because it is a non-negative quantity, but it's trying to detect an edge case where room has an original value of 0"... which might justify writing room <= 0, but still can't justify room < 0 (the line Hector Martin highlighted with "try reading the code next time").
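To make the point concrete, here is a constructed illustration (added here, not the grsecurity or kernel code; room, take_buggy and take_fixed are assumed names): for an unsigned room, a room < 0 guard is dead code, room <= 0 collapses to room == 0, and subtracting past zero wraps to SIZE_MAX instead of going negative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Guard as discussed in the thread: never true for an unsigned type.
 * GCC/Clang flag this with -Wtype-limits ("comparison is always false"). */
static int no_room_buggy(size_t room)
{
    return room < 0;
}

/* For an unsigned type `room <= 0` means exactly `room == 0`, which is the
 * "original value of 0" edge case the post mentions. */
static int no_room_fixed(size_t room)
{
    return room == 0;
}

/* Take n bytes from room with the broken guard: the subtraction happens first,
 * the guard cannot fire, and taking more than is available wraps around. */
static size_t take_buggy(size_t room, size_t n)
{
    size_t left = room - n;
    if (left < 0)          /* dead code: unsigned is never negative */
        return 0;
    return left;           /* room=0, n=1 yields SIZE_MAX, not -1 */
}

/* Check before subtracting so no underflow is possible. */
static size_t take_fixed(size_t room, size_t n)
{
    if (n > room)
        return 0;
    return room - n;
}

int main(void)
{
    printf("no_room_buggy(0) = %d\n", no_room_buggy(0));  /* 0: guard is dead */
    printf("no_room_fixed(0) = %d\n", no_room_fixed(0));  /* 1 */
    printf("take_buggy(0, 1) = %zu\n", take_buggy(0, 1)); /* SIZE_MAX */
    printf("take_fixed(0, 1) = %zu\n", take_fixed(0, 1)); /* 0 */
    return 0;
}
```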
-
@anotherusername
Oh, that's interesting. They're removing a decrement of room, but that changes what the computation of the value for ldata->no_room will yield. At the very least, that code needs to be completely reviewed to see if there are any other "exciting" problems like that about.
-
@Onyx said in The Jeff School of Customer Relations:
Exposing an easy way to crash a system without doing the whole responsible disclosure thing - possibly a dick move.
Not allowing the same user to patch their system in the future - definite dick move.
I read a bit of the explanation and this is actually par for the course on grsecurity kernels - any kind of size overflow will crash at least parts of the kernel because they're using an "exploit prevention more important than uptime" approach.
Even if the size overflow doesn't actually lead to any kind of exploit and is just a false positive.
Which means that you have kernel panics on a regular basis.
-
Using bare unsigned integers for counter types: helping users avoid having nice things since 1946.
EDIT: Yeah, I know it isn't exactly a counter, and I also know that C doesn't do either ranged types or automagic range checking. It just struck me as funny, given a comment I posted to OSDev not too long ago.
EDIT EDIT: I should mention that the post in question was itself related to the following exchange regarding language and compiler design (specifically, about whether type ranges can be completely checked at compile time, or if runtime checks might be needed under some circumstances):
My question #1
Brendan's reply #1
Rusky's reply #1
Brendan's reply #2
my question (request for clarification) #2
Rusky's reply #2
Brendan's reply #3
My questions #3
Brendan's reply #4
My Questions #4
Brendan's reply#5
I gave the links to each relevant post because the thread they were part of was a sprawling cancerous flamewar over what the term 'managed code' meant, and whether an OS should (or even could) be written in a 'managed language'. Feel free to take this as TL;DR, as I think most of the people on that site did, too.
-
@ScholRLEA said in The Jeff School of Customer Relations:
'managed code'
That means that code sits in meetings a lot and has to go on corporate culture awareness courses.
-
Not to mention that anyone who thinks using a size_t for a boolean is perfectly fine because it can represent "the range of a bool value" is a fucking idiot. In code that's supposed to be security focused, no less.
-
@dkf said in The Jeff School of Customer Relations:
@ScholRLEA said in The Jeff School of Customer Relations:
'managed code'
That means that code sits in meetings a lot and has to go on corporate culture awareness courses.
No, but that would probably be an improvement.