Blog

Viewing posts for the category Critiques

The Blue Hat Prize: A late April Fools joke

Posted by: Subreption LLC in Security Money Critiques 9 months, 2 weeks ago

It's August 2011. The weather has been getting warmer and warmer over the course of the last few weeks. The sun is roasting all Vegas sentient life against the pavement, while swarms of security professionals stroll down the sidewalks. It's been a very strange year so far.

Keeping up with the hype-n'-bake modus operandi of the industry in the past decade, Microsoft has announced the Blue Hat Prize Contest with a "whopping" prize (but not a cash prize while at it) for building new "security mitigation technologies". Circa 260,000 USD are at stake, including paid travel and expenses to Black Hat 2012, that is, if the world doesn't implode with the help of the naive and the people at Microsoft Outreach.

Disregarding the fact that the very same people offering this prize have been consistently developing business intelligence on the industry, gathering gossip and influence from unsuspecting and not-so-unsuspecting professionals and "sceners", we have decided, as the independent, enfant terrible ensemble company we are, to completely vivisect this contest and explain, summing up the lengthier article in as few words as possible, why you should really not sell yourselves so cheap.

Tags: stunts microsoft bluehat mitigations

Linux Kernel Silent Patching: VMI write_ldt_entry() privilege escalation

Posted by: Subreption LLC in Linux Security Critiques 3 years, 6 months ago

Once again, the Linux kernel developers delight us with their always discreet (read: silent, no-advisory, no-warning policy) and wonderful patching practices. Sometime between 2.6.24 and 2.6.25 a patch from a Red Hat developer was committed into the Linux kernel git tree, implementing changes to the VMI interfaces hooking some functions dealing with the GDT and LDT.

Tags: linux

Linux kernel developers silently patching issues? No way!

Posted by: Subreption LLC in Linux Security Critiques 3 years, 10 months ago

Alright, this might be the first article in the "Silent Patches" series, starting today and possibly lasting... forever. So, let's get down to business.

Brad "spender" Spengler is pissed, and that's already a bad thing for the many people who, knowingly or not, take advantage of his work and that of the guy or guys behind PaX, to be referred to as The PaX Team, or Those Smart Guys Teaching Security On LKML. spender and the PaX Team have possibly contributed the most important advances in proactive defense technology for the past decade. ASLR was there before it became a marketing buzzword, NX and memory protections enforcement existed way before Red Hat pushed ExecShield to the Linux kernel, and TCP & UDP source port randomization have been known for a while (even though now they seem to be the world's new internet superheroes with all this DNS the-end-is-nigh media frenzy). If you have used grsecurity in the past few years, you've used what Microsoft, Apple and Red Hat pretended to market as brand new technology baked in their very own development cubicles.

The story now is how the Linux kernel developers managed to absolutely and irremediably piss off the very same people that fed them with security research and technology that really worked as expected. The very same people that have patched upstream vulnerabilities in their "third-party patches". Back in 2005 (see [1]) this was already happening. The fact that now we have a handy git interface where we can retrieve commit logs without difficulty just helps to pinpoint the silently patched issues and identify potentially hot issues.

Our take on this fracas is that spender and the PaX Team are rock-solid consistent with their arguments, and that the Linux kernel development people should definitely replace their alleged full-disclosure policy text with one more accurate according to their true practices.
