Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 04 Jun 2017 10:15:53 -0400
From: Daniel Micay <danielmicay@...il.com>
To: Brad Spengler <spender@...ecurity.net>
Cc: kernel-hardening@...ts.openwall.com
Subject: Re: Stop the plagiarism

> Cryptomnesia I guess, you looked at every other line of PaX to rip out
> stuff like:

Searching for __read_only and categorizing them as ones requiring
pax_open_kernel and not requiring it != reading the entire patch set
line by line, and you have the timeline very wrong.

> when I pointed it out to you.  Are the above changes your own work
> too?

Clearly not, and they aren't submitted upstream like that. I've been
treating it as a scratch space for putting together changes to send
upstream and they haven't all had commit messages written. For the
__ro_after_init changes that I submitted, I wrote commit messages
stating which parts came from PaX. I'll write full commit messages
before pushing there from now on. I hadn't done it for those because I
wasn't finished and I couldn't yet write a commit message that I
wouldn't need to change later.

My knowledge of the SSP canary issue predates making linux-hardened or
being on bad terms from you.

> but totally never saw that line that's been there ever since SSP
existed
> in the kernel.  It also doesn't mesh with your lengthy excuse on
github
> when I pointed it out to you.  Are the above changes your own work
too?

I don't have total knowledge about what exists in PaX. I had no idea
that it made changes like effectively disabling the cr4 caching or
partially protecting page tables on x86 until recently. How would I know
that it made a one line change fixing that stack canary issue? I wasn't
familiar with the ASLR implementation then including the
pax_get_random_long function which it used as the fix.

And yes my "excuse" is consistent with what I said on GitHub. I became
of the stack canary issue when Jann Horn told me about it months ago. I
might have IRC logs from back then. I then assumed it was going to get
fixed and promptly forgot about it as I do with pretty much every other
specific bug. I noticed it again when making related changes in
CopperheadOS but: that's a 3.18 LTS kernel and 3.10 LTS kernels for
older devices, so it didn't occur to me than Jann might not have gotten
it fixed in master, and arm64 doesn't use the per-task canaries so I
didn't need to fix that or add the zero byte there yet. Not sure what is
so hard to understand about that. I noticed it still wasn't fixed when
first making linux-hardened by porting those changes ahead.

If I *had* done research into the issue to point to when it had been
first discovered by someone, I wouldn't have found PaX. You don't have
patches uploaded on the site from before the earliest mailing list post
that you pointed me at, which doesn't mention PaX.

It's a one line fix for a bug that barely even matters. I'm not sure why
it's so important to you that I do impossible historical research (you
don't have the patches uploaded, I don't see them anywhere else) to
figure out who to credit, and as I've pointed out it cannot be assumed
that a change in PaX is something to credit to you or pipacs rather than
a fix you picked up from a mailing list, even if I had access to those
earlier patches and had decided to go on a research expedition to fix a
minor bug.

If it was so important to you that you get credit for fixing the bug,
why didn't you submit it yourself? It was trivial to get it landed when
it was simply sent to the right people without needing any discussion.

> 
> > > And how is grsecurity not entirely based on the work of others
> > > i.e.
> > the Linux kernel, just as CopperheadOS is based on Android Open
> > Source
> > Project and all of the baseline functionality and security model
> > provided by it?
> 
> These false equivalences of yours are nonsense -- anyone can look at
> https://github.com/thestinger/linux-hardened/issues
> and see how utterly dependent you are.  You are comparing apples and
> oranges because you need to to justify your existence.  You didn't
> contribute a line of code to our work in 16 years and now you're
> trying
> to make a name for yourself off our work and reputation.  But you just
> make a fool of yourself when on one hand you're desperately
> copy+pasting
> and on the other trying to pretend you don't depend on it, or that
> your
> dependence on copy+pasting our work is somehow equivalent to building
> on
> top of whatever version of Linux that exists.
> 
> -Brad

The linux-hardened project was just created. The initial work is porting
existing hardening features to a mainline kernel split out as components
since that's the lowest hanging fruit: working towards parity with what
we already had before. Changes like slab canaries, SSP tweaks and
fortify aren't linux-hardened work, they existed in CopperheadOS for a
long time.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.