Date:      Tue, 4 Feb 1997 18:02:09 -0600 (CST)
From:      Karl Denninger  <karl@Mcs.Net>
To:        phk@critter.dk.tfs.com (Poul-Henning Kamp)
Cc:        karl@Mcs.Net, jkh@time.cdrom.com, current@freebsd.org
Subject:   Re: Question: 2.1.7?
Message-ID:  <199702050002.SAA05789@Jupiter.Mcs.Net>
In-Reply-To: <901.855098550@critter.dk.tfs.com> from "Poul-Henning Kamp" at Feb 5, 97 00:22:30 am

> In message <199702042206.QAA01949@Jupiter.Mcs.Net>, Karl Denninger writes:
> Hi Karl!

Hi Paul.

> >In other words, you don't like opposing points of view.
> 
> We don't mind opposing views one bit.
> 
> What we >do< mind is people who can >only< talk in extremes and ultimatums.
> 
> People who don't know why the middle road has to be found, because they
> see the world from the trench on one side of the road.

When the patient is bleeding from the arteries, there is no time to talk
about middle ground.  You do the triage first, THEN assess what and how to 
take care of the underlying problem.

The problem here is that Jordan refuses to admit that the patient is already
without heartbeat and bleeding to death on the table.

> People who lack the ability to "see it from the other party's side" are
> right there on the list too btw.

On the contrary.  I have been VERY patient and reasonable with the MULTITUDE
of gratuitous changes and serious problems (including NFS related ones) that
are in -CURRENT and other branches of the tree.  I've done considerable work
to get around some of those, and just live with the others.

> You would get much more of your usually not entirely unreasonable
> suggestions through if you communicated them in a civilized manner
> rather than as a monkey on caffeine.

I START being reasonable.  When I'm dismissed out of hand and ignored on 
something that is of extreme importance then it's time to up the volume more 
than a few notches.  When the other party starts getting into the whole 
"you're smoking crack" game then it's time to give up on reasonable 
discourse and decide if the issue is important enough to pursue.

In this case, it is.  Therefore, I'm pursuing it with all available means 
at my disposal and will do so until it's resolved.

> As far as I know the FreeBSD project is in the process of finding out 
> how to respond to this problem.  

The FIRST LEVEL response is to REMOVE the 2.1.6 executables from the FTP
servers and make a PUBLIC announcement that the vulnerability has been 
found.

Period.

The reason you do this is so that *MORE PEOPLE DO NOT GET HURT*.

Again, Paul, I'm not demanding this because I'm one of the people affected.
Other than a paranoia-based reload which I did today prospectively, I wasn't
affected in any way by this debacle.  But I COULD HAVE BEEN, very easily,
and that's very, very troubling to me because unless I was paying CAREFUL
attention I wouldn't have known until my disks had been formatted by one 
of the many criminal assholes out there on the net.

> Being a volunteer, spare-time, unpaid
> project, we cannot just call everybody to attention and fix it in 10min
> flat.  We need the planet to rotate a couple of times to get people
> mobilized.

You're missing the point Paul.  Nobody is demanding an instant fix.

What I'm demanding is that you ADMIT IT IS BROKEN, and help stop people 
from being burned by it.  You can't save the world, but you CAN mitigate 
further damage.  You do this by WARNING PEOPLE and giving them fair notice 
*BEFORE* their disks get formatted or moles inserted into their systems
which 99% of the admins will NEVER find.

The problem is that the CORE team has REFUSED TO ADMIT IT'S BROKEN and take
action to minimize the ONGOING damage.  And yes, that means killing the
2.1.6 CD shipments and removing the distribution from the FTP sites.

RIGHT NOW.  Not tomorrow, not in a week when you have a fix.

NOW.  

That's 10 minutes of someone's time and effort.  The so-called "security
officer" should have done this INSTANTLY as soon as the exploit was posted
to the security list and the extent of the problem was disclosed.  There is
absolutely no excuse for failure to do this.  

FreeBSD doesn't HAVE a revenue problem with doing this -- you're not selling
operating systems.  But you *DO* have a credibility problem now, and it's
only going to get worse the longer you wait.

If I have to call Walnut Creek tomorrow morning and plead my case with them
I will.  I'll go to the wall on this, because I absolutely do not need the
problems on *MY* network that come from customers who attach known-to-be-
insecure machines and then come looking to us when they get hacked to little
bits.  I also don't need the random disruptions that we end up with when
we're forced into picking up the pieces when others in the community get 
screwed.

> If this is not good enough for you you have three choices:
> 	1. Pay somebody to fix it "right now!"  (You can look in our
> 	   web pages for people offering services of that kind.)
> 	2. Do it yourself.

Already did that.  That's not what's under discussion here.  What's under
discussion is your responsibility to the entire Internet community that uses
the software you publish.  Not whether or not Karl Denninger got screwed and
how pissed he is over that event (I didn't GET screwed).

> >Is it time yet for someone else to set up yet ANOTHER source tree and
> >development branch for FreeBSD?
> 
> Now, I'm seriously confused...
> 
> Why would you want to do that ?
>
> I could understand it if we refused to acknowledge and/or fix the bug, but
> as far as I know that is far from the case...

On the contrary.  The core team, Jordan in particular, has in fact refused
to acknowledge the severity and serious nature of this bug.  He has also
refused to mitigate the damage.  And he has further responded to my calls
for that action with personal insults and attacks.

Now he has basically told me that the core team wants me to pack and leave.
So have you (I read the rest of your note before writing this.) I have it 
on good authority from at least one of the core members, however, that 
there are other opinions on this matter -- so for right now, I'm not 
leaving.

You ask why I want to set up another branch.... I'll tell you why:

If FreeBSD's core team won't be up front about mitigating damage to other
people when you find problems then I can't TRUST that I'm getting all the
information being provided to you -- and that's an untenable position.

What I (and I believe others) want is simple:

1)	ACKNOWLEDGE security issues in a timely fashion, in public, where
	the ENTIRE community can see them.
2)	REMOVE AFFECTED DISTRIBUTIONS when SERIOUS problems which can't be
	quickly fixed and verified are found until a fixed distribution can
	be generated.

The question, obviously, is "how many other issues have been swept under the
rug and not acknowledged as being serious when in fact they are?"

The answer is, "I don't know".  I'm not confident that the answer is
"zero" or anywhere close to it.

> If such is the case:  Good bye & Good riddance.
> 
> --
> Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.

Be careful what you wish for... you just might get it.

I've spoken by voice with one of the rational core team members in the last
hour.  I've given him some time to work the issues with the rest of you --
and I note, HE asked for that time -- not me.  But barring some kind of 
RATIONAL resolution on this that I can see within the next two hours, 
the announcements *ARE* going out to the general Internet community (at
roughly 8:00 PM tonight Chicago time).

Unlike you, Poul, I believe that if I find out about something like this 
I owe it to the community *as one of its members* to disclose it so OTHER
PEOPLE DON'T GET HURT, or at least, so they know they're at risk.

Whether your FEELINGS get hurt by my doing so doesn't even enter the
evaluation process.  What did enter that process is giving the core team
the opportunity to do it first, and take ownership and control of the 
problem.

The Core team has refused.  That doesn't change my stance one bit -- it 
only changes who's going to do the talking.

--
-- 
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal