I've discovered that a video of Theo's BOF has been posted online, along
with a complaint about behavior in it by an unnamed individual.
That person was me.
I honestly don't recall using such strong language, but it's clear as day
on the tape. That language has no place in a technical forum, and I'd like
to offer my unconditional personal apology for using such unprofessional
language when talking to Theo. It was wrong for me to do so, and I'd like
to also offer an apology to anybody who was in the room and was
uncomfortable as a result. It was not my intent. It's not up to the
standards of decorum we strive for.
Thanks for listening, and for tolerating a perhaps off-topic post.
> It was a good talk either way.. It's an issue that keeps getting
> larger as time goes on.
Whilst I can see but disagree with a point of view that Open Source
will be locked out if they don't comply with embargos. I would not
After all, those that have important stuff to protect will patch sooner.
Are they supposed to sit on those patches for a month (after 3 weeks of
cloud provider notification?) to allow those who run blogs about flower
arrangements to patch at the same time?
Who decided clouds are more important than Open Source? I'm sure there
are some exceptions, military/gov that pay to patch well in advance and
perhaps the cloud providers pay to be part of those programs, but it is
wrong. Do Intel profit from bugs?
They should have the resources to countermeasure or check and reset as
needed. Anything more than very short embargos surely just create
windows of opportunity for attackers. High assurance systems will
likely have extra defenses on top of Intel chips anyway.
We should want to send a clear message and be annoyed about *anyone*
signing up to embargos.
> On Thu, 21 Jun 2018 08:34:55 -0700 (MST)
> > It was a good talk either way.. It's an issue that keeps getting
> > larger as time goes on.
> Whilst I can see but disagree with a point of view that Open Source
> will be locked out if they don't comply with embargos.
Wow, just look at that sentence. OpenBSD did not break any embargos.
This situation may have no relationship to embargo breaking rumours.
However, false rumours about breaking embargos have to stop, especially
when spread by people at other open source projects.
You imply that someone broke an embargo. Look at the sentence. What
gives you that right? Gossip much? Can't write correct sentences?
I completely understand that people who kick dogs might write sentences
> I would not participate.
You are not involved in any of the decisions, you are just a mouth on a
mailing list. Always fascinating to see such decisive decision making
from outsiders. Such conviction!
> Wow, just look at that sentence. OpenBSD did not break any embargos.
> This situation may have no relationship to embargo breaking rumours.
> However, false rumours about breaking embargos have to stop,
> especially when spread by people at other open source projects.
> You imply that someone broke an embargo.
I thought it was widely understood by now that breaking an embargo could
not be and was not the case by any third party either and I apologise
if I wasn't clear enough. My point was that signing up in the first
place should be criticised, if anything.
I am just surprised that so much talk about breaking/excluding from
embargos and the dangers of breaking them have been discussed and yet
the real risks involved in long embargos...not so much.
At least Microsoft have some justification for their monthly patch timing
even if that has been heavily criticised and the policy weakened now.
> Kevin Chadwick <[hidden email]> wrote:
> > My point was that signing up in the first
> > place should be criticised, if anything.
> So you criticize our previous involvement in embargos where it was
I think you had little choice because of an incorrect established
In fact, the KRACK case showed that OpenBSD patched well before
many others and many phones are still unpatched.
The embargo did not help others patch before release or allow users
to avoid and warn about certain use cases of Bluetooth and WiFi as soon
as possible (many months).
Embargos create the idea that testing is more important than security.
With Lenovo's purchase of Motorola they now say we promise Oreo even
though you are missing 6 separate months of Android security patches
and the newer phones have fewer security patches than the older ones.
Some people say I shall update later I just want to browse and it can
take a week for Windows to update because Windows don't want to get in
Some say don't patch on patch release day.
Others patch and avoid browsing until it is patched.
It should be up to us to do what we can as soon as possible and not hope
some bad guy won't pay for information or work things out quicker.
Would it be faster to patch in open source if everything was public and
are emails secure?
> Even in the situations where it took > a week to write a fix?
Yes especially when the plan was a month plus embargo and who knows how
many weeks earlier people could have been told.
Is it feasible that code could be run on cloud systems (patched early)
to search for OS differences and hints on secret fixes?
> Everyone can tell that you are wrong. Adults will make those
> decisions on a case by case basis.
> You really should just say sorry and drop it.
I can't if I disagree but I apologise for lack of clarity on the
embargo existence/honouring front.
There is a fact missing from the discussion: state-funded espionage companies (NSA, Hacking Team, etc) and criminals they both purchase and profit from bugs. My guess is that OpenBSD does not get first-hand information from Intel because Intel knows that OpenBSD will patch it as if there is no tomorrow.
On Fri, Jun 22, 2018 at 07:10, Rupert Gallagher <[hidden email]> wrote:
> There is a fact missing from the discussion: state-funded espionage companies (NSA, Hacking Team, etc) and criminals they both purchase and profit from bugs. My guess is that OpenBSD does not get first-hand information from Intel because Intel knows that OpenBSD will patch it as if there is no tomorrow.
I mean that there is an ethical problem here. Intel ought to come clean first, make a public statement of intent and welcome key actors in the industry who have an established reputation of being ethically clean themselves. Until then, nobody can trust Intel.
On a technical side, Intel Atom C3000 series have no Hyperthreading. They have a single thread per core. Perhaps they are easier to maintain.