Date: Tue, 28 Jun 2016 04:09:06 -0700
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-security@freebsd.org
Subject: Stuff I don't understand, and maybe never will.
Message-ID: <44255.1467112146@server1.tristatelogic.com>

Please forgive the following outburst/rant. Sometimes, I just see something that makes me want to scream "I can't take it anymore!"

I've just seen a link to the following in my Twitter feed:

http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html

Short summary: Apparently a team @ Google spent a whole bloody year, just to find a handful of bugs in the Windows 7 kernel.

Every single thing about this article drives me crazy, almost like fingernails scratching slowly over a blackboard, and, you know, I'm sorry about this, but for some strange reason I felt compelled to share this feeling with others.

In the first place, knowing virtually nothing about Windoze kernels, I was floored by the assertion (and the perhaps well known fact... to everybody except me) that something as ridiculous as font processing was actually embedded into the Windoze 7 kernel. I mean seriously, who ever thought that THAT was a good idea?? Putting that kind of crap inside a *kernel* goes against pretty much my entire understanding of what a kernel should be. (And apparently, even MS was wised up to the incomprehensible stupidity of this now, and has moved this crap outside the kernel in Windows 10, as the article itself states.)

Second, I'm having trouble understanding why these Google guys are patting themselves on the back for finding bugs in *Windows 7* at this late date. I mean jeeezzzz. Doesn't that OS have one foot in the grave already? It's swell that they were able to find bugs in this now old and crusty OS, but I'm not persuaded that it is a cause for breaking out the champagne, and I do have to wonder if maybe Google's engineering talent and resources couldn't have been better spent finding bugs in Windows 8, Windows 8.1, Windows 10, or, ya know, maybe even Android (which, as I understand it, has more than its fair share of security and other bugs).

Last but by no means least, the authors bemoan the difficulties they had finding *security* bugs in code they didn't have access to the source code for. Well, I mean, like DUH! This totally begs the question: Particularly (but not exclusively) in a post-Snowden world, is anybody in their right minds who actually gives a serious rat's ass about security really going to continue to just hope and pray that they'll be safe while putting all their secrets on top of a closed source OS?

It may still be several years yet, but I do believe that over the long run, the Snowden effect will slowly, but surely (and finally) rid the world of closed source forever... and good riddance to it!

Again, my apologies for the rant. I just had to vent spleen on all this or else I'd have burst. Some of the stuff I encounter these days is just almost too absurd for words.

Regards,
rfg

P.S. I myself developed a trivial (but powerful) sort of fuzzing tool about ten years ago. To this day, I'm disappointed that nobody but me ever saw fit to actually use the thing. Here it is and it's free:

http://www.tristatelogic.com/m4r/