Theo's BOF at BSDcan


Theo's BOF at BSDcan

Warner Losh
Greetings,

I've discovered that a video of Theo's BOF has been posted online, along
with a complaint about behavior in it by an unnamed individual.

That person was me.

I honestly don't recall using such strong language, but it's clear as day
on the tape. That language has no place in a technical forum, and I'd like
to offer my unconditional personal apology for using such unprofessional
language when talking to Theo. It was wrong for me to do so, and I'd like
to also offer an apology to anybody who was in the room and was
uncomfortable as a result. It was not my intent. It's not up to the
standards of decorum we strive for.

Thanks for listening, and for tolerating a perhaps off-topic post.

Warner

Re: Theo's BOF at BSDcan

Craig Skinner-3
On Tue, 12 Jun 2018 14:22:35 -0600 Warner Losh wrote:
> ... I honestly don't recall using ... It was not my intent. ...

BBC documentary "Madness in the Fast Lane - Swedish Sisters (full)"

Bizarre behaviour in high speed traffic, on a British motorway.

https://www.youtube.com/watch?v=VTpFWiEx3eo

Abnormal....
--
Craig Skinner | http://linkd.in/yGqkv7


Re: Theo's BOF at BSDcan

anexit
In reply to this post by Warner Losh
It was a good talk either way.. It's an issue that keeps getting larger as
time goes on.



--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html


Re: Theo's BOF at BSDcan

Rudy Baker
Anyone got a link to this video? Can't find it anywhere

On Thu, Jun 21, 2018, 11:52 AM anexit <[hidden email]> wrote:

> It was a good talk either way.. It's an issue that keeps getting larger as
> time goes on.
>
>
>
> --
> Sent from:
> http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html
>
>

Re: Theo's BOF at BSDcan

Kevin Chadwick-4
In reply to this post by anexit
On Thu, 21 Jun 2018 08:34:55 -0700 (MST)


> It was a good talk either way.. It's an issue that keeps getting
> larger as time goes on.

Whilst I can see but disagree with a point of view that Open Source
will be locked out if they don't comply with embargos. I would not
participate.

After all, those that have important stuff to protect will patch sooner.
Are they supposed to sit on those patches for a month (after 3 weeks of
cloud provider notification?) to allow those who run blogs about flower
arrangements to patch at the same time.

Who decided clouds are more important than Open Source. I'm sure there
are some exceptions, military/gov that pay to patch well in advance and
perhaps the cloud providers pay to be part of those programs, but it is
wrong. Do Intel profit from bugs?

They should have the resources to countermeasure or check and reset as
needed. Anything more than very short embargos surely just create
windows of opportunity for attackers. High assurance systems will
likely have extra defenses on top of Intel chips anyway.

We should want to send a clear message and be annoyed about *anyone*
signing up to embargos.

Or is it "playing the game"...I hate that term!


Re: Theo's BOF at BSDcan

Theo de Raadt-2
Kevin Chadwick <[hidden email]> wrote:

> On Thu, 21 Jun 2018 08:34:55 -0700 (MST)
>
>
> > It was a good talk either way.. It's an issue that keeps getting
> > larger as time goes on.
>
> Whilst I can see but disagree with a point of view that Open Source
> will be locked out if they don't comply with embargos.

Wow, just look at that sentence.  OpenBSD did not break any embargos.
This situation may have no relationship to embargo breaking rumours.
However, false rumours about breaking embargos have to stop, especially
when spread by people at other open source projects.

You imply that someone broke an embargo.  Look at the sentence.  What
gives you that right?  Gossip much?  Can't write correct sentences?

I completely understand that people who kick dogs might write sentences
like that.

> I would not participate.

You are not involved in any of the decisions, you are just a mouth on a
mailing list.  Always fascinating to see such decisive decision making
from outsiders.  Such conviction!


Re: Theo's BOF at BSDcan

Kevin Chadwick-4
On Thu, 21 Jun 2018 12:09:00 -0600


> Wow, just look at that sentence.  OpenBSD did not break any embargos.
> This situation may have no relationship to embargo breaking rumours.
> However, false rumours about breaking embargos have to stop,
> especially when spread by people at other open source projects.
>
> You imply that someone broke an embargo.

I thought it was widely understood by now that breaking an embargo could
not be and was not the case by any third party either, and I apologise
if I wasn't clear enough. My point was that signing up in the first
place should be criticised, if anything.

I am just surprised that so much talk about breaking/excluding from
embargos and the dangers of breaking them have been discussed and yet
the real risks involved in long embargos...not so much.

At least Microsoft have some justification for their monthly patch timing,
even if that has been heavily criticised and the policy weakened now.


Re: Theo's BOF at BSDcan

Theo de Raadt-2
Kevin Chadwick <[hidden email]> wrote:

> My point was that signing up in the first
> place should be criticised, if anything.

So you criticize our previous involvement in embargos where it was
necessary?

Even in the situations where it took > a week to write a fix?

Everyone can tell that you are wrong.  Adults will make those
decisions on a case by case basis.

You really should just say sorry and drop it.


Re: Theo's BOF at BSDcan

Kevin Chadwick-4
On Thu, 21 Jun 2018 13:07:23 -0600


> Kevin Chadwick <[hidden email]> wrote:
>
> > My point was that signing up in the first
> > place should be criticised, if anything.  
>
> So you criticize our previous involvement in embargos where it was
> necessary?

I think you had little choice because of an incorrect established
procedure.

In fact, the KRACK case showed that OpenBSD patched well before
many others and many phones are still unpatched.

The embargo did not help others patch before release or allow users
to avoid and warn about certain use cases of Bluetooth and WiFi as soon
as possible (many months).

Embargos create the idea that testing is more important than security.
With Lenovo's purchase of Motorola, they now say "we promise Oreo" even
though you are missing 6 separate months of Android security patches
and the newer phones have fewer security patches than the older ones.

Some people say I shall update later I just want to browse and it can
take a week for Windows to update because Windows don't want to get in
the way.

Some say don't patch on patch release day.

Others patch and avoid browsing until it is patched.

It should be up to us to do what we can as soon as possible and not hope
some bad guy won't pay for information or work things out quicker.

Would it be faster to patch in open source if everything was public and
are emails secure?

>
> Even in the situations where it took > a week to write a fix?
>

Yes especially when the plan was a month plus embargo and who knows how
many weeks earlier people could have been told.

Is it feasible that code could be run on cloud systems (patched early)
to search for OS differences and hints on secret fixes.

> Everyone can tell that you are wrong.  Adults will make those
> decisions on a case by case basis.
>
> You really should just say sorry and drop it.

I can't if I disagree but I apologise for lack of clarity on the
embargo existence/honouring front.


Re: Theo's BOF at BSDcan

Wiremu Demchick
In reply to this post by Rudy Baker
Kia ora Rudy,

I think that this is the video under discussion:
    https://www.youtube.com/watch?v=UaQpvXSa4X8

Kind regards,

Wiremu


Re: Theo's BOF at BSDcan

Roman Zolotarev
> I think that this is the video under discussion:
> https://www.youtube.com/watch?v=UaQpvXSa4X8

A fragment with better sound:
https://www.youtube.com/watch?v=_E873DaCLN4

Roman


Re: Theo's BOF at BSDcan

Rupert Gallagher
In reply to this post by Kevin Chadwick-4
There is a fact missing from the discussion: state-funded espionage companies (NSA, Hacking Team, etc.) and criminals both purchase and profit from bugs. My guess is that OpenBSD does not get first-hand information from Intel because Intel knows that OpenBSD will patch it as if there is no tomorrow.

Re: Theo's BOF at BSDcan

Rupert Gallagher
On Fri, Jun 22, 2018 at 07:10, Rupert Gallagher <[hidden email]> wrote:

> There is a fact missing from the discussion: state-funded espionage companies (NSA, Hacking Team, etc.) and criminals both purchase and profit from bugs. My guess is that OpenBSD does not get first-hand information from Intel because Intel knows that OpenBSD will patch it as if there is no tomorrow.

I mean that there is an ethical problem here. Intel ought to come clean first, make a public statement of intent and welcome key actors in the industry who have an established reputation of being ethically clean themselves. Until then, nobody can trust Intel.

On a technical side, Intel Atom C3000 series have no Hyperthreading. They have a single thread per core. Perhaps they are easier to maintain.