From owner-freebsd-security@freebsd.org Tue Jun 28 11:14:29 2016
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-security@freebsd.org
Subject: Stuff I don't understand, and maybe never will.
Date: Tue, 28 Jun 2016 04:09:06 -0700
Message-ID: <44255.1467112146@server1.tristatelogic.com>

Please forgive the following outburst/rant. Sometimes, I just see
something that makes me want to scream "I can't take it anymore!"

I've just seen a link to the following in my twitter feed:

http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html

Short summary: Apparently a team @ Google spent a whole bloody year,
just to find a handful of bugs in the Windows 7 kernel.

Every single thing about this article drives me crazy, almost like
fingernails scratching slowly over a blackboard, and, you know, I'm
sorry about this, but for some strange reason I felt compelled to
share this feeling with others.

In the first place, knowing virtually nothing about Windoze kernels,
I was floored by the assertion (and the perhaps well known fact... to
everybody except me) that something as ridiculous as font processing
was actually embedded into the Windoze 7 kernel. I mean seriously,
who ever thought that THAT was a good idea?? Putting that kind of
crap inside a *kernel* goes against pretty much my entire
understanding of what a kernel should be. (And apparently, even MS
has wised up to the incomprehensible stupidity of this now, and has
moved this crap outside the kernel in Windows 10, as the article
itself states.)

Second, I'm having trouble understanding why these Google guys are
patting themselves on the back for finding bugs in *Windows 7* at this
late date. I mean jeeezzzz. Doesn't that OS have one foot in the
grave already? It's swell that they were able to find bugs in this
now old and crusty OS, but I'm not persuaded that it is a cause for
breaking out the champagne, and I do have to wonder if maybe Google's
engineering talent and resources couldn't have been better spent
finding bugs in Windows 8, Windows 8.1, Windows 10, or, ya know,
maybe even Android (which, as I understand it, has more than its fair
share of security and other bugs).

Last but by no means least, the authors bemoan the difficulties they
had finding *security* bugs in code they didn't have access to the
source code for. Well, I mean, like DUH! This totally begs the
question: Particularly (but not exclusively) in a post-Snowden world,
is anybody in their right minds who actually gives a serious rat's
ass about security really going to continue to just hope and pray
that they'll be safe while putting all their secrets on top of a
closed source OS?

It may still be several years yet, but I do believe that over the
long run, the Snowden effect will slowly, but surely (and finally)
rid the world of closed source forever... and good riddance to it!

Again, my apologies for the rant. I just had to vent spleen on all
this or else I'd have burst. Some of the stuff I encounter these
days is just almost too absurd for words.

Regards,
rfg

P.S. I myself developed a trivial (but powerful) sort of fuzzing tool
about ten years ago. To this day, I'm disappointed that nobody but me
ever saw fit to actually use the thing.

Here it is and it's free: http://www.tristatelogic.com/m4r/

From owner-freebsd-security@freebsd.org Wed Jun 29 12:36:31 2016
From: David I Noel <david.i.noel@gmail.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Stuff I don't understand, and maybe never will.
Date: Wed, 29 Jun 2016 07:36:29 -0500
In-Reply-To: <44255.1467112146@server1.tristatelogic.com>

On 6/28/16, Ronald F. Guilmette wrote:
...
> I've just seen a link to the following in my twitter feed:
>
> http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html
>
> Short summary: Apparently a team @ Google spent a whole bloody year,
> just to find a handful of bugs in the Windows 7 kernel.
...
> I was floored by the assertion (and the perhaps well known fact... to
> everybody except me) that something as ridiculous as font processing
> was actually embedded into the Windoze 7 kernel. I mean seriously,
> who ever thought that THAT was a good idea?? Putting that kind of
> crap inside a *kernel* goes against pretty much my entire understanding
> of what a kernel should be. (And apparently, even MS has wised up to
> the incomprehensible stupidity of this now, and has moved this crap
> outside the kernel in Windows 10, as the article itself states.)
>
> Last but by no means least, the authors bemoan the difficulties they
> had finding *security* bugs in code they didn't have access to the
> source code for.
...
> is anybody
> in their right minds who actually gives a serious rat's ass about security
> really going to continue to just hope and pray that they'll be safe while
> putting all their secrets on top of a closed source OS?
...
> Some of the stuff I encounter these days is just
> almost too absurd for words.
>
> Regards,
> rfg
>
> P.S. I myself developed a trivial (but powerful) sort of fuzzing tool
> about ten years ago. To this day, I'm disappointed that nobody but me
> ever saw fit to actually use the thing.
>
> Here it is and it's free: http://www.tristatelogic.com/m4r/

I agree with the essence of your message: that this article brings up
some very important lessons we should all use as something to think
about--what should and what should not be running in kernel space (or
as root[1]) by default, what are the risks, the performance
trade-offs, and whether those trade-offs are worth the security gains of
making the changes vs some alternative/s (and if so what is that/are
those alternatives?)

Also, highlighting the continued relevance of fuzzing and the shared
frustration at the lack of its more wide-spread adoption and
recognition as a useful, relevant, and valid tool for finding bugs in
code.

Is anyone actively fuzzing FreeBSD? As far as the kernel, all I can
see is that it's listed as an "Idea" on the Wiki
(https://wiki.freebsd.org/IdeasPage -- 5.4). Beyond the kernel, what
about the ports collection? Some of them are an absolute^W^W^W could
probably use a once-over with AFL or others. Why not start a
"Fizz[2.1] *BSD Day"?[2.2]

David

1. One simple example could be:

   ...
   a) Download the relevant patch from the location below, and verify the
   detached PGP signature using your PGP utility.

   # fetch https://security.FreeBSD.org/patches/SA-16:24/ntp.patch
   # fetch https://security.FreeBSD.org/patches/SA-16:24/ntp.patch.asc
   # gpg --verify ntp.patch.asc

   b) Apply the patch. Execute the following commands as root:

   # cd /usr/src
   # patch < /path/to/patch
   ...

   ...a much less simple example would be something along the lines of X.

2.1. I figured in the spirit of things: Can's, "Free as in beer", etc...

2.2. Though unless the final note in the "Description" on the Wiki is
accurate it seems the Fuzzing/"Fizzing" will have to be limited to the
ports collection: "A native tool would be good but perhaps just running
the Trinity tool under the linux emulator, and memguard, would reveal
general bugs in the kernel."

From owner-freebsd-security@freebsd.org Thu Jun 30 18:30:27 2016
From: maxnix <maxnix.bsd@gmail.com>
To: freebsd-security@freebsd.org
Subject: Re: Stuff I don't understand, and maybe never will.
Date: Thu, 30 Jun 2016 20:30:13 +0200
Message-ID: <20160630203013.1038690d@max-BSD>
In-Reply-To: <44255.1467112146@server1.tristatelogic.com>

On Tue, 28 Jun 2016 04:09:06 -0700, "Ronald F. Guilmette" wrote:

> Please forgive the following outburst/rant. Sometimes, I just see
> something that makes me want to scream "I can't take it anymore!"
>
> I've just seen a link to the following in my twitter feed:
>
> http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html
>
> Short summary: Apparently a team @ Google spent a whole bloody year,
> just to find a handful of bugs in the Windows 7 kernel.
>
> Every single thing about this article drives me crazy, almost like
> fingernails scratching slowly over a blackboard, and, you know, I'm
> sorry about this, but for some strange reason I felt compelled to
> share this feeling with others.
>
> In the first place, knowing virtually nothing about Windoze kernels,
> I was floored by the assertion (and the perhaps well known fact... to
> everybody except me) that something as ridiculous as font processing
> was actually embedded into the Windoze 7 kernel. I mean seriously,
> who ever thought that THAT was a good idea?? Putting that kind of
> crap inside a *kernel* goes against pretty much my entire
> understanding of what a kernel should be. (And apparently, even MS
> has wised up to the incomprehensible stupidity of this now, and has
> moved this crap outside the kernel in Windows 10, as the article
> itself states.)
>
> Second, I'm having trouble understanding why these Google guys are
> patting themselves on the back for finding bugs in *Windows 7* at this
> late date. I mean jeeezzzz. Doesn't that OS have one foot in the
> grave already? It's swell that they were able to find bugs in this
> now old and crusty OS, but I'm not persuaded that it is a cause for
> breaking out the champagne, and I do have to wonder if maybe Google's
> engineering talent and resources couldn't have been better spent
> finding bugs in Windows 8, Windows 8.1, Windows 10, or, ya know,
> maybe even Android (which, as I understand it, has more than its fair
> share of security and other bugs).
>
> Last but by no means least, the authors bemoan the difficulties they
> had finding *security* bugs in code they didn't have access to the
> source code for. Well, I mean, like DUH! This totally begs the
> question: Particularly (but not exclusively) in a post-Snowden world,
> is anybody in their right minds who actually gives a serious rat's
> ass about security really going to continue to just hope and pray
> that they'll be safe while putting all their secrets on top of a
> closed source OS?
>
> It may still be several years yet, but I do believe that over the
> long run, the Snowden effect will slowly, but surely (and finally)
> rid the world of closed source forever... and good riddance to it!
>
> Again, my apologies for the rant. I just had to vent spleen on all
> this or else I'd have burst. Some of the stuff I encounter these
> days is just almost too absurd for words.
>
> Regards,
> rfg
>
> P.S. I myself developed a trivial (but powerful) sort of fuzzing tool
> about ten years ago. To this day, I'm disappointed that nobody but me
> ever saw fit to actually use the thing.
>
> Here it is and it's free:
>
> http://www.tristatelogic.com/m4r/

I share your opinion and feeling, but I don't think that the Snowden
effect will be enough to get rid of the closed source world.

The closed source world exists because there are people who don't care
about how their devices work: all they want is to have their tech
gadgets let them do all they desire. Stop. And usually these people
judge those devices by looking at their aspect, not functionality (and
if they don't mind about functionalities, guess if they care about
security).

But, on the other hand, who encourages them to look under the hood?
Companies? Absolutely not. Why should they, after all? The more users
know, the less they can base their business on appearance and the
"fancy looking" factor. So PCs, smartphones, tablets, etc. are usually
presented as hard-to-understand black boxes that just work. (Note: not
necessarily all companies act so, but IMHO the ones under the
reflectors do...)

And, talking about Windows, this document came to mind:
https://www.over-yonder.net/~fullermd/rants/winstupid/1

I hope that, in a world where telecommunication devices are more and
more pervasive, schools will teach kids not only how to work with
computers, but even how computers work.

Sorry for the rant, but all of this is very sad.

Regards.
Maxnix

From owner-freebsd-security@freebsd.org Thu Jun 30 20:56:45 2016
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-security@freebsd.org
Subject: Re: Stuff I don't understand, and maybe never will.
Date: Thu, 30 Jun 2016 13:56:38 -0700
Message-ID: <15664.1467320198@server1.tristatelogic.com>
In-Reply-To: <20160630203013.1038690d@max-BSD>

In message <20160630203013.1038690d@max-BSD>, maxnix wrote:

> And, talking about Windows, this document came to mind:
> https://www.over-yonder.net/~fullermd/rants/winstupid/1

This is excellent! Thanks for sharing!

> I hope that, in a world where telecommunication devices are more and
> more pervasive, schools will teach kids not only how to work with
> computers, but even how computers work.

I think that if schools could at least just teach kids why they have
good reason to be properly aware of, and concerned about the perils of
their devices, *and* if they could also teach kids about the long
tails they are all leaving for themselves on social media... which may
perhaps never disappear in their lifetimes... then that alone would be
progress.

Regards,
rfg

P.S. I've been firmly convinced for at least a couple of decades now
that crap software (and crap firmware) was all fostered, encouraged,
and made possible by U.S. legislation and/or court interpretations
thereof which have made it virtually impossible to even get past first
base if one attempts to file a product liability claim based on a
software (or firmware) defect.

In essentially every other industry, crappy dangerous products, sold
to the public en masse (and generally with no warnings) can be taken
to task in a U.S. court of law. But not software. In this way,
software is in rare and elite good company with other marvelous
products which are also and likewise immune from product liability
actions, in particular tobacco and firearms.

And to anybody who wishes to retort "Yea, but software doesn't kill
people!" I respectfully suggest that you first google for "Therac-25".

From owner-freebsd-security@freebsd.org Thu Jun 30 23:18:56 2016
From: Chris BeHanna <chris@behanna.org>
To: freebsd-security@freebsd.org
Subject: Re: Stuff I don't understand, and maybe never will.
Date: Thu, 30 Jun 2016 18:15:24 -0500
Message-Id: <1767EE85-222D-4773-83B9-F773958CE092@behanna.org>
In-Reply-To: <15664.1467320198@server1.tristatelogic.com>

On Jun 30, 2016, at 15:56, Ronald F. Guilmette wrote:

> In essentially every other industry, crappy dangerous products, sold
> to the public en masse (and generally with no warnings) can be taken
> to task in a U.S. court of law. But not software. In this way,
> software is in rare and elite good company with other marvelous
> products which are also and likewise immune from product liability
> actions, in particular tobacco and firearms.

Groan. I just love FUD, don't you?

Firearms are most definitely NOT "immune from product liability
actions." If one fails to function in the manner it was designed, and
someone is injured as a result, the manufacturer most certainly is NOT
immune from liability. If it fires out of battery and the user gets a
faceful of burning powder and brass, yup, liability. If the firearm
catastrophically fails and it's not user error, the manufacturer is
most certainly NOT immune from liability. If the weapon fires while
the safety is engaged, or when dropped muzzle-first, the manufacturer
is most certainly NOT immune from liability.

Now, if the nonsense you're peddling is that you're upset that
manufacturers aren't liable for the blatant, deliberate, criminal
misuse of their products, that's quite a different thing. We don't,
for example, hold an auto manufacturer responsible if a crazed soccer
mom or a loser twenty-something mows down a sidewalk full of people,
nor should we, nor do we hold the FreeBSD Foundation liable if someone
uses FreeBSD to craft a worm or virus, or to commit some other
cybercrime.

-- 
Chris BeHanna
chris@behanna.org

From owner-freebsd-security@freebsd.org Fri Jul 1 02:51:06 2016
From: Lyndon Nerenberg <lyndon@orthanc.ca>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Stuff I don't understand, and maybe never will.
Date: Thu, 30 Jun 2016 19:50:58 -0700
Message-Id: <8A1A13B6-59BB-42AA-ABE8-DD140377ACD8@orthanc.ca>
In-Reply-To: <15664.1467320198@server1.tristatelogic.com>

> On Jun 30, 2016, at 1:56 PM, Ronald F. Guilmette wrote:
>
> And to anybody who wishes to retort "Yea, but software doesn't kill
> people!" I respectfully suggest that you first google for "Therac-25".

Followed by "always mount a scratch monkey."

From owner-freebsd-security@freebsd.org Sat Jul 2 01:30:27 2016
From: freebsd@johnea.net
To: freebsd-security@freebsd.org
Subject: HOPE - Re: Stuff I don't understand, and maybe never will.
Date: Fri, 1 Jul 2016 18:21:24 -0700
In-Reply-To: <20160630203013.1038690d@max-BSD>
References: <44255.1467112146@server1.tristatelogic.com> <20160630203013.1038690d@max-BSD>

On 2016-06-30 11:30, maxnix wrote:

> I hope that, in a world where telecommunication devices are more and
> more pervasive, schools will teach kids not only how to work with
> computers, but even how computers work.

Unfortunately, this is also not too common. I have a son in High
School in California; most schools think tech training means buying a
bunch of iPads, or teaching the kids to use M$ Word.

As a note on organizing, I would encourage anyone who is able to
attend the "Hackers On Planet Earth" conference in Manhattan in late
July:

https://xi.hope.net/schedule.html

There is a presentation on this subject by Richard Stallman:
"Freedom and Privacy in Our Lives, Our Governments, and Our Schools"

This is a great conference in general. If you are able, come mingle
and communicate with similarly informed and motivated people.

johnea