Undisclosed hole in openssh on FreeBSD and Juniper? - Xylakant
http://thread.gmane.org/gmane.os.openbsd.tech/35722/focus=35731

======
awakened
Many years ago, I submitted a bug report to OpenBSD about an issue I had
discovered with threads. I received a one line response from Theo. I still
have the mail. He wrote:

    "Threads are for idiots."

At the time, I felt discounted and I was upset. I was younger then. Today, I
realize what he meant and that he's right.

~~~
tptacek
This is vintage Theo. It has the virtue of sounding correct, but, because
OpenBSD ships threaded libraries, it probably lacks the virtue of being
correct.

I had a similar experience (note, though: I have a history with Theo, who I
know/knew personally).

When I was at Arbor Networks, we shipped appliances that monitored ISP
backbones that were based on OpenBSD. An analysis process that happened to
allocate a lot of memory would occasionally lose a giant chunk of memory. I
was able to produce a reduction of the bug and narrow down where in the VM
subsystem the bug was happening, but I wasn't able to recommend a fix. Theo's
response, to what was clearly a serious bug in OpenBSD, was "I'm not going to
look at UVM; it's just Chuck Cranor's thesis project".

I lobbied for a switch to FreeBSD, but the monkey.org people that ran the
place were dyed-in-the-wool for OpenBSD. :)

~~~
Flow
What happened next? Did the bug get fixed? Did you do a work-around somehow?
Don't leave stories unfinished like this :)

~~~
tptacek
I actually don't know. Arbor could have had its dev team hunt for a fix for
the bug, but that would have been silly; no way did it make sense for them to
take ownership of a custom fork of the most complicated kernel subsystem. So
we worked around the problem instead.

------
davorb
> Please ask Kirk McKusick, he knows the story about why this is not being
> disclosed to FreeBSD

Could someone please explain this?

~~~
Xylakant
I'd be curious as well.

------
fabulist
What good reason could there possibly be for not disclosing a hole to FreeBSD?
Especially if it affects networking infrastructure...

1. Government gag order? I'd call this a "good reason", but it wouldn't clear
my conscience.

2. Disclosure to or interception by malicious parties? I can't imagine that
the best solution would be STO.

~~~
lholden
Short Answer: Bitterness.

Long Answer: It's complicated and I do not understand the whole picture
myself.

I can, however, outline two things that likely exacerbate the situation.

a) OpenSSH is used by nearly everyone. Nearly every unix-like installation
includes a copy of OpenSSH. Most companies which do business on the internet
use a unix-like operating system in some way.

The OpenBSD Foundation has had trouble obtaining funding to cover operating
costs in the past. Included in these operating costs is support and auditing
of OpenSSH.

b) There has been a long and colored history between FreeBSD and OpenBSD. A
lot of code and features developed under OpenBSD has been ported over to
FreeBSD such as the OpenBSD Packet Filter (PF).

Juniper uses FreeBSD and PF in their routers and has donated in various ways
to FreeBSD. For example, Juniper donated three EX3200s with full contracts to
FreeBSD for use in their datacenter.

The OpenBSD Foundation on the other hand has not really seen the same support.

~~~
nnkh
Sure, De Raadt/OpenBSD are bitter about the lack of funding but that does not
explain anything about this mysterious hole. This email can mean anything.
Does Kirk McKusick know about this hole and has he pressured De Raadt not to
disclose it (for what reason could that even be?), or is it a vague reference
to a falling-out he had with him earlier (making this an absurdly petty reason
not to disclose it)?

Just dropping that hint is ambiguous drama baiting.

~~~
lholden
Drama baiting is something Theo de Raadt is good at. :)

I have a feeling it has less to do with something sinister, and more to do
with Theo's very vocal stance on the security situation in FreeBSD.

http://www.itwire.com/business-it-news/open-source/62641-crypto-freebsd-playing-catch-up-says-de-raadt

Most likely the FreeBSD kernel or libraries are doing something in a certain
way that Theo finds insecure/insufficient. (Justified or not)

~~~
nnkh
FreeBSD dev response to De Raadt's very vocal stance:
http://tech.slashdot.org/comments.pl?sid=4559455&cid=45701981

It really does seem like De Raadt's just being really petty to me. But if this
is an actual hole and he doesn't want to say what it is, that is worrisome.
Doesn't he insinuate the rest of FreeBSD does _not_ know about the hole?

~~~
lholden
It's Theo de Raadt...

It's possible that he knows of a real exploitable problem.

It's possible that he is trying to boast about his prowess with things
"security".

It's possible the "hole" is a design feature in FreeBSD that he just doesn't
like. (And hence, considers to be a security problem.)

It's possible that he is bitter that FreeBSD has gotten more attention than
OpenBSD.

It's possible that he said it to spur FreeBSD to take more interest in
security. (Justifiably or not...)

It's possible that he wanted to cause a commotion.

It's possible that more than one of the above is true. :) He is under no
obligation to make a disclosure of an exploit that he finds. Does it make him
a bad net-denizen? Perhaps. But it's his prerogative.

------
roeme
Dupe.

Previously:
[https://news.ycombinator.com/item?id=7568059](https://news.ycombinator.com/item?id=7568059)

------
willvarfar
If I parse Theo correctly, he clearly says that FreeBSD _does_ have a hole.

It's really, really hard to imagine he is lying.

~~~
fabulist
I'm guessing it is of modest severity, if they even feel they can _get away_
with keeping it to themselves. But it's still deeply troubling.

------
egwynn
This is unsettling, to be sure. If there's anything to this, I'd really love
to hear a response from the actual FreeBSD folks.

But it should be noted that this guy has a relatively rocky history with *BSD,
and his nearly context-free, ambiguous trash-talking of FreeBSD should be
taken with a grain of salt.

------
pvg
Dupe of
[https://news.ycombinator.com/item?id=7568059](https://news.ycombinator.com/item?id=7568059)
and still flag button fodder.

------
jmnicolas
Why would he say that and not reveal the vulnerability?

------
icantthinkofone
Theo is Sloppy Mo:
[https://www.youtube.com/watch?v=zKvhVssO348](https://www.youtube.com/watch?v=zKvhVssO348)