I just hope people on LibTech read the kind of emails like the one Jacob just wrote and see why I really think this guy has no place doing outreach at all. Jesus.
NK

On 2013-08-06, at 1:23 PM, Jacob Appelbaum <[email protected]> wrote:

> Nadim Kobeissi:
>>
>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum <[email protected]> wrote:
>>
>>> Nadim Kobeissi:
>>>>
>>>> On 2013-08-06, at 11:46 AM, Al Billings <[email protected]> wrote:
>>>>
>>>>> Nadim, you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly, but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.
>>>>
>>>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.
>>>
>>> Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive?
>>
>> What's the alternative, Jake?
>
> That was a list of choices and you didn't choose one. Please choose one or more - though not all of them make sense when put together. It was a question and, well, your answer isn't much of an answer.
>
>> Wait until the NSA exploits an innumerable amount of Tor users and then quickly write an advisory for a bug that was quietly fixed without a warning from Tor five weeks [earlier] but still exploited?
>
> This is not accurate. We heard about attempts at exploitation and within ~24hrs we released an advisory - we had already released fixed code a ~month before exploitation was found in the wild. Please do not mix up the time-line.
>
> To restate:
>
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
>
> The exploit was found in the wild last weekend; I learned about it on or around August 4th. Please note that our patched versions were released nearly a month before this was found in the wild. There is no reason to support the conclusion that we "silently" fixed anything in response to an exploit. Please consider that your statement is entirely unsupported by evidence, Nadim.
>
>> Because that is exactly what happened this time. Tor can just go on doing this again and again, or yes, you could issue advisories. You are maintaining your own browser called Tor Browser. Stop shifting blame onto Firefox. You're the guy who told me to never shift blame when you have a security vulnerability in the software you yourself are shipping. Practice what you preach.
>>
>
> Your assessment of this situation is incorrect.
>
> We regularly release updates that include updates to included code and often, we make note of the fact that the upstream code has security fixes included. There is no blame shifting, only a question of how to best share that information in a way that users will understand. I have asked repeatedly for examples and for details of how to improve things - you seem only interested in slinging mud. Perhaps this isn't the most useful way forward?
>
>> I sound harsh, sure, but at least I'm being productive and not freaking out about my ego.
>
> I don't think you are being productive at this point in the conversation. You are correct and I agree with you - you are harsh - I'll extend this commentary: it reflects poorly on you(r ego) and very little is gained by such behavior.
>
> All the best,
> Jacob
>
> --
> Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
