Re: DefCon lecture BSD Kern Vulns

2017-08-09 Thread rollingbits (Lucas)
-- Forwarded message --
From: "rollingbits (Lucas)" 
Date: Aug 9, 2017 9:36 PM
Subject: Re: DefCon lecture BSD Kern Vulns
To: "Dag-Erling Smørgrav" 
Cc:

On Jul 31, 2017 12:50 PM, "Dag-Erling Smørgrav" wrote:

> Michelle Sullivan writes:
> > People should talk between, and maybe people should put security and
> > co-operation before pride and empires... [...]
>
> There are decades of history here of which you are clearly unaware.
> You may have the best of intentions, but nothing good will come of
> raising this topic here and now.  Just drop it.


History continues... our lives are more connected. More people are
involved. There are decades of examples of hacking and computer
insecurities. I also think this project should be more aware of security.

Sometimes I think that another period of plain bug hunting, as happened in
the long 4.x series, will do wonders for the system. I ended up here because
of this mythical series, even. Other times I just think I misunderstood the
engineering process: bug hunting and integration phases are hidden
somewhere I still don't know.

-- 
rollingbits -- 📧 rollingb...@gmail.com 📧 rollingb...@terra.com.br
📧 rollingb...@yahoo.com 📧 rollingb...@globo.com
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

Re: DefCon lecture BSD Kern Vulns

2017-08-09 Thread Ørjan Tønder
If one is to fix all of what Ilja van Sprundel pointed out here, we need
to put aside differences and work alongside each other; the newbie
and the professor need to talk the same language.
It shouldn't be this way, that a bug that was addressed two years ago
gets no attention at all, and after two years it gets brushed off because
it didn't follow the right form, whatever that means.

The problem is that this pro person who said it wasn't the right form killed
off a patch that might have been a good solution to the problem, with no
guidance or anything. For all that the person who did this knew, he brushed
off someone that could have been a real asset. I never submit bug reports
anymore because of this. Why should I? They are never followed up anyhow,
mainly because I am still just a newbie.

My suggestion to all of you: invite people into your code, into the secret
security world, let them try. And secret security people, stop blaming the
other BSDs for this and that and see what they are doing; there is still
a lot to learn.



Re: DefCon lecture BSD Kern Vulns

2017-08-07 Thread Ian Smith
On Tue, 8 Aug 2017, Dewayne Geraghty wrote:

 > 
 > 

Indeed, there are times when it's best to say nothing :)


Re: DefCon lecture BSD Kern Vulns

2017-08-07 Thread Dewayne Geraghty



Re: DefCon lecture BSD Kern Vulns

2017-08-07 Thread Michelle Sullivan

Mail Lists wrote:

Monday, July 31, 2017 4:20 PM UTC from Dag-Erling Smørgrav:

Big Lebowski <spankthes...@gmail.com> writes:
> Dag-Erling Smørgrav <d...@des.no> writes:
> > There are decades of history here of which you are clearly unaware.
> > You may have the best of intentions, but nothing good will come of
> > raising this topic here and now. Just drop it.
> Des, please, stop doing that. You're the greatest example of cant-be-done
> about almost anything anyone asks for on this list.
>
> Michelle, please, don't stop. Keep talking, keep asking, and maybe one
> day a new breed of people who don't care about cant-be-done or
> 'decades of history' will get things done.

No. You truly have no idea. You're pouring gasoline on a fire and
inadvertently insulting everyone involved.

Come see me at a con and we can discuss it over a beer. But not here.

Remind me - who are you to set the standards what people can tell and 
what not ?


I'm off this list. This is ridiculous. An important topic killed by 
some dickhead.


Don't be like that, it is important, but there is a lot of bad blood as 
well... one can only ask from time to time.


--
Michelle Sullivan
http://www.mhix.org/


Re: DefCon lecture BSD Kern Vulns

2017-07-31 Thread Michelle Sullivan

Dag-Erling Smørgrav wrote:

Michelle Sullivan  writes:

People should talk between, and maybe people should put security and
co-operation before pride and empires... [...]

There are decades of history here of which you are clearly unaware.
You may have the best of intentions, but nothing good will come of
raising this topic here and now.  Just drop it.

DES


I know some (though definitely not all) of the history, I've been around 
a long while... but it was worth a comment/try... sooner or later 
someone has to try again.


--
Michelle Sullivan
http://www.mhix.org/


Re: DefCon lecture BSD Kern Vulns

2017-07-31 Thread Dag-Erling Smørgrav
Big Lebowski  writes:
> Dag-Erling Smørgrav  writes:
> > There are decades of history here of which you are clearly unaware.
> > You may have the best of intentions, but nothing good will come of
> > raising this topic here and now.  Just drop it.
> Des, please, stop doing that. You're the greatest example of cant-be-done
> about almost anything anyone asks for on this list.
>
> Michelle, please, don't stop. Keep talking, keep asking, and maybe one
> day a new breed of people who don't care about cant-be-done or
> 'decades of history' will get things done.

No.  You truly have no idea.  You're pouring gasoline on a fire and
inadvertently insulting everyone involved.

Come see me at a con and we can discuss it over a beer.  But not here.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: DefCon lecture BSD Kern Vulns

2017-07-31 Thread Big Lebowski
>
> There are decades of history here of which you are clearly unaware.
> You may have the best of intentions, but nothing good will come of
> raising this topic here and now.  Just drop it.
>
> DES
>

Des, please, stop doing that. You're the greatest example of cant-be-done about
almost anything anyone asks for on this list.

Michelle, please, don't stop. Keep talking, keep asking, and maybe one day
a new breed of people who don't care about cant-be-done or 'decades of
history' will get things done.

BL.


Re: DefCon lecture BSD Kern Vulns

2017-07-31 Thread Dag-Erling Smørgrav
Michelle Sullivan  writes:
> People should talk between, and maybe people should put security and
> co-operation before pride and empires... [...]

There are decades of history here of which you are clearly unaware.
You may have the best of intentions, but nothing good will come of
raising this topic here and now.  Just drop it.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: DefCon lecture BSD Kern Vulns

2017-07-31 Thread Michelle Sullivan

Dag-Erling Smørgrav wrote:

Dirk Engling  writes:

have those findings officially been reported? Is someone working on
them?

Speaking as a secteam member but not on behalf of so@, we are aware of
these issues but did not get sufficient advance notice to fix them in
time for DefCon.

DES

After reading the presentation a few minutes ago... I'm going to say the obvious


He has a point.

.. now to add something more helpful .. :)

People should talk between, and maybe people should put security and 
co-operation before pride and empires... before us vs them... and I know 
that means it's not just FreeBSD, but also NetBSD and OpenBSD people who 
have historically had their differences... perhaps now is the time for 
an olive branch? (and there is a massive 'us vs them' on IRC when it 
comes to OpenBSD and FreeBSD.)


From a personal point of mine and on my observations I would add that 
Microsoft et al all went through similar issues that everyone is seeing 
today.. everyone wants new features, everyone wants new drivers, 
everyone thinks they want new releases... perhaps a shift is needed in 
thoughts/actions when it comes to FreeBSD... this constant push forward 
leaves bugs which often become security issues in old code..  2 of the 
highlighted bugs in the presentation were introduced in 8.1... In the 
past I opened filesystem bugs against 9.x (think it was 9.2 then 9.3 for 
one of the bugs)... however it was never fixed (and the one I am 
thinking of is a "panicable" one)... in fact I predicted that what would 
happen would be the bug would be looked at just after 9.x was EOLd 
completely... and it was hilarious.. 6th Jan (IIRC) the message came 
through, "please replicate on a supported version" ...  I haven't and I 
haven't submitted a single bug since and why would I?


Perhaps we should consider a change in how we manage these things, and 
sorry if this message p**ses off anyone (particularly those in the 
Security Team) because I know you all do good work, however the whole 
"well you should pay for our time" argument compounds the problem, it 
won't get any more funds in most cases, it will just p**s people off 
elsewhere so you end up with less eyes looking for these issues... this 
is one of the things Linux has gotten right.. fix bugs no matter what 
and regardless, new features... different matter that's on a whim of a 
coder.


I hope this will start a constructive conversation rather than people 
ignoring or worse arguing.


Regards,

--
Michelle Sullivan
http://www.mhix.org/


Re: DefCon lecture BSD Kern Vulns

2017-07-31 Thread Dag-Erling Smørgrav
Dirk Engling  writes:
> have those findings officially been reported? Is someone working on
> them?

Speaking as a secteam member but not on behalf of so@, we are aware of
these issues but did not get sufficient advance notice to fix them in
time for DefCon.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: DefCon lecture BSD Kern Vulns

2017-07-28 Thread Yonas Yanfa

On 07/28/2017 16:21, Luke Crooks wrote:

I was sent a link earlier, seems to work...

https://www.pdf-archive.com/2017/07/28/defcon-25-ilja-van-sprundel-bsd-kern-vulns/defcon-25-ilja-van-sprundel-bsd-kern-vulns.pdf

Some great work and an enjoyable read.

On 28 Jul 2017 21:02, "Yonas Yanfa" wrote:

On 07/28/2017 08:08, Dirk Engling wrote:

Out of curiosity:

have those findings officially been reported? Is someone working on them?

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf

If not, shall I extract them?

That link doesn't work for me:

# fetch "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf"
No server SSL certificate
fetch: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf: Authentication error

# fetch "http://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf"
fetch: http://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf: No error: 0



Thanks!


Re: DefCon lecture BSD Kern Vulns

2017-07-28 Thread Luke Crooks
I was sent a link earlier, seems to work...

https://www.pdf-archive.com/2017/07/28/defcon-25-ilja-van-sprundel-bsd-kern-vulns/defcon-25-ilja-van-sprundel-bsd-kern-vulns.pdf

Some great work and an enjoyable read.

On 28 Jul 2017 21:02, "Yonas Yanfa"  wrote:

> On 07/28/2017 08:08, Dirk Engling wrote:
>
>> Out of curiosity:
>>
>> have those findings officially been reported? Is someone working on them?
>>
>> https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf
>>
>> If not, shall I extract them?
>>
>> That link doesn't work for me:
>
> # fetch "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf"
> No server SSL certificate
> fetch: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf: Authentication error
>
> # fetch "http://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf"
> fetch: http://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf: No error: 0
>
>
> --
>
> Yonas Yanfa
> In Love With Open Source
> Drupal :: GitHub :: Mozilla
> fizk.net | yo...@fizk.net
>


Re: DefCon lecture BSD Kern Vulns

2017-07-28 Thread Yonas Yanfa

On 07/28/2017 08:08, Dirk Engling wrote:

Out of curiosity:

have those findings officially been reported? Is someone working on them?

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf

If not, shall I extract them?


That link doesn't work for me:

# fetch "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf"
No server SSL certificate
fetch: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf: Authentication error

# fetch "http://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf"
fetch: http://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf: No error: 0



--

Yonas Yanfa
In Love With Open Source
Drupal :: GitHub :: Mozilla
fizk.net | yo...@fizk.net



Re: DefCon lecture BSD Kern Vulns

2017-07-28 Thread Joey Kelly
I haven't read the paper yet, and I'm surely not up on things enough to
know what I'm looking at, but are these 0-days? If so, do they store them
up so they can present at defcon?

--Joey

> Out of curiosity:
>
> have those findings officially been reported? Is someone working on them?
>
> https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf
>
> If not, shall I extract them?
>
> Maybe we should start an "audit a subsystem" week ;)
>
>   erdgeist


-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550