Look, if they namedrop specific distros in their announcement (marketing) blog post as affected, I think a heads-up before publishing that is appropriate and expected.

I don't think they would have gotten as much flame if it weren't for how the RHEL 14 mention and such were put.

This is a security company with a professional(?) communications department banking on pointing fingers at distro maintainers. We are not talking about solo security researchers or academics here.

Exactly. Any security person absolutely KNOWS that the distros are still going to be vulnerable. They're exploiting this process loophole to knowingly cause chaos and gain notoriety.

At this point this is not really white-hat/ethical hacking anymore.

Of course the kernel-distro security loophole is stupid and should be patched ASAP, but that doesn't absolve this company of wrongdoing.

We all know that's what it is; I don't know why people aren't willing to just say it.

It has a domain, it has a logo, they were going for maximum impact because it's their business.

Linus should take his trademark autistic rage, where he calls other people's code "dogshit", onto his own work for once. He likes the glory of leading the kernel development but not the responsibilities like this.
No, I will. The distros and the kernel devs should be talking and moving on high sev patches, sure. But real people will have gotten hurt because the reporter didn't want to wait for that to happen. That's on them.
You must be unfamiliar with what used to happen before hard deadlines were set on disclosure. It was much worse for the users.

Here is a good start: https://projectzero.google/vulnerability-disclosure-faq.html...

There are ~3 decades of further context if you search for it.

tldr: if security issues don’t get disclosed (or the real threat of disclosure) they won’t get fixed / prioritized.
It's one thing to report a vulnerability, another entirely to make a crazy exploit available for any Tom, Dick, and Harry to take and use. It was irresponsible of whoever came up with it to release it into the world without first giving major distros a heads-up.
A proof of concept is a very standard thing to include in a disclosure, almost table stakes nowadays because of the amount of bad reports. Once there's any disclosure, there will be exploits developed and published anyway; it's not a meaningful difference.
Bashing on the reporter is pointless feel-good. This is a massive vuln. It was 4 weeks after the kernel had a patch. They had no way to know if other parties had also discovered the vuln. Lord knows how many millions of systems could already have been rooted. The reporter is not their minion.

If I call 911 to report a fire at an oil storage facility, and they ask me to alert the hospital, then phone the neighboring county's Sheriff Dept., and then... yeah. Either I'm way out in the sticks (and known to/trusted by the 911 operator), or else the 911 service is run by children.

Great metaphor.

I'd hate to be involved in any emergency services. Too many people have opinions on how things should have been done.
