"Month of Kernel Bugs" Project Head Interviewed 42
An anonymous reader writes "November has been labelled the 'Month of Kernel Bugs' in security circles. The Month of Kernel Bugs began on November 1, with the publication of a vulnerability in Apple's AirPort drivers. SecuriTeam blogs did an interview with LMH, who hosts the project."
A question I wish was answered (Score:2, Insightful)
Re:A question I wish was answered (Score:4, Informative)
Re: (Score:1)
*smack*
Bad mod! No cookie! (except the one from XXX-hawt-slutty-shemales-dot-com that's hacking your wireless, obv)
Re: (Score:2)
Sounds interesting (Score:1)
Shifty business in the kernel. (Score:4, Informative)
In particular, he remarks: "Another point, is actually that silent patches are much more popular in kernel development. Remote denial of service issues may be patched under rather fun terms like 'this may dereference a null pointer', 'foo is signed when it should be unsigned', etc. And some kernel interfaces are literally a royal pain to work with. Filesystem code itself is a rather complex part of the kernel as it deals in low-level with things we typically know 'abstracted' (ex. you copy files, you don't deal with inodes, blocks, etc)."
This seems rather contrary to the OSS development model in general, and if it's something that's happening a lot, it seems as though something's wrong, procedurally. Why is all this buggy code getting in, in the first place? While I'm aware that a lot of Linux people don't like BSD or its development methods, maybe there needs to be some sort of stricter review process for contributions.
If there was one place where transparency and accountability were most important, it seems like it would be in the Linux kernel, it being arguably one of the most important projects, or at least most visible, that the F/OSS movement has produced.
Re: (Score:3, Interesting)
Well for starters Linux isn't the only kernel with bugs [theaimsgroup.com]. I'm not slamming OpenBSD but it was a very quick example.
The kernel of any OS is a very complicated piece of code and bugs can be very subtle and hard to spot. You have a wider range of inputs than other pieces of software and at the same time you have a large array of hardware and BIOS to interface and they all have potential bugs of their own.
I've gone through bug reports to try and understand what goes wrong and how it's fixed. Those progra
Problem is more the secret fixing. (Score:3, Interesting)
It was more the practice of silently or clandestinely fixing bugs, wit
Re: (Score:1)
That the patches are understood by multiple people is important. I'm not sure why you feel this practice of weak descriptions implies this is the case, or why this practice is considered to apply specifically to linux. My understanding of TFA did not conveey that to me.
Re: (Score:1)
From my experience with open source, some developpers are just dishonest. Of course they don't like to admit the mistakes they have made. They even try to blame them on others (counting on most people not bothering - or not having the time - to go through ChangeLogs, commits, etc).
There's no procedure to fix that. Just make noise and expose them. If there's some 'influential' one who's the guilty part, so much better :)
Re: (Score:2)
Re: (Score:2)
Re:Broadcom wireless driver exploit published toda (Score:2)
Original announcement (Score:2)
Emphasis was in the original. Source was Kernelfun [blogspot.com].
Apple flaw? No. (Score:1, Interesting)
Re: (Score:2)
Maybe because it gets more press?
Re:Apple flaw? No. (Score:5, Informative)
Why is that Apple supporters are in such denial about their favorite products having security flaws? This bug was one of many in the Airport drivers and one an even bigger set of wireless exploits that we plan on releasing. A Broadcom bug was released today which likely affects more systems than Apple has ever shipped.
Re: (Score:1, Insightful)
umm maybe because it is not just an 'APPLE' flaw. It is the attempt to hide this that is the problem. Look at it this way.
THE BATTERIES IN APPLE COMPUTERS ARE ALL GOING TO BURN (and all other computers using batteries from the same plant in china will do the same thing.)
Yes, apple products have their 'issues' - but FUD is FUD. Good you found a bug. Next time do your homework and figure out where the
Re: (Score:1)
Maybe it has something doing with this quote: 'One rotten (or bad) apple spoils the barrel.'
Re: (Score:2)
I don't think they are; in fact, I think most, myself included, are pleased that there are people working to improve the security of Apple's systems and who call them out when they get it wr
Re: (Score:1)
Re: (Score:2)
Speaking of which, while I definitely can't b
Re: (Score:1, Insightful)
Re: (Score:2, Informative)
Re: (Score:2, Informative)
Re: (Score:2)
The press in general is stupid since they don't understand technology. Most of the press coverage of virus, trojan, etc. problems fails to mention that these are almost exclusively the problems of Windows PCs and that Apple and Linux computers are almost free of such problems.
It's not a plot, it's just sloppy
Apple vs Broadcom (Score:5, Insightful)
There was apparently a problem in Apple's drivers, as well as in a lot of other closed-source drivers. In fact, when those two guys did the "Hack a MacBook's Wireless in 30 Seconds" demo (of which I am a bit ashamed to admit I submitted the
If you read a few posts up in the thread you'll see that they have now found a pretty big hole in Broadcom's (assumedly Windows) drivers for wireless cards, where transmitting a specifically crafted SSID can result in kernel-mode code execution.
I think Apple got hit because it was a big target; since Microsoft doesn't specifically (to my knowledge) make WL drivers, and Apple being bigger than any single third-party WL-card vendor, when people found a vulnerability affecting many drivers and chipsets, they went for the one that would get them the most press coverage. While I can't condone this (since I think it involves fear-mongering and pandering to the knee-jerk Apple-haters), it's not hard to understand.
Re: (Score:2)
Interview with who? (Score:2)
MOKB (Score:4, Informative)
No, this isn't my blog, and I've got nothing to do with it, it's just that it's not linked to or mentioned in the main story...