Conversation
Notices
-
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 18-Sep-2023 01:55:05 JST 
pistolero :thispersondoesnotexist:
@w
> This is fucking evil shit.
While you were sending angry DMs and refusing to answer "What the hell did I do that you're so pissed about?" and then stirring up a panic by also refusing to answer simple questions like "What is the impact of this, are all the admin tokens compromised?" I'd very much like not to have some stupid internet fight, so I held off until I saw this. But if you're insisting I'm evil (among other things in this thread), maybe I ought to say something.
The reason for a disclosure timeline is to give people time to apply a mitigation or patch. You give the vendor a chance to patch (that is, you and r, and to a lesser extent, me) and you give people time to apply the patches or do the mitigation. The point is to give notice to people that are affected and to give them a chance to avoid being impacted. It makes no sense to try to gag the stakeholders and panic users, so I just assumed that's not what we were doing. So I see your big announcement, people are asking me whether they need to stop using bloat, I just assume that you wouldn't be panicking people for no reason and I tell them the impact, and you start yelling at me over DMs. If the plan was "Just scare people and tell them to shut it all down because a bug exists and it might be tenuously called a security bug, but don't give them anything useful" then it should be completely understandable if I misread the plan, because no one would expect that plan.
There's already a patch. There's no reason to tell everyone to turn anything off, just send the patch to people that run public instances of bloat, tell them that you'll avoid discussing the bug in public for a couple of days. Unless you explain the impact and communicated the problem to people that were affected and able to do something about the problem, you've done more harm than good. No need for extra pageantry or two days' lead time because it doesn't actually help anyone. Last I heard, you were planning to wait an additional week anyway. If it's actually serious, you don't wait to make some small tweaks to the patch to make it configurable, you send out the patch.
Theatrics don't serve any purpose but to hype a couple of very minor bugs. I don't think I'm "evil" for letting people that use the software know about the impact (because that's what anyone would do) and crying wolf about security bugs is going to get you ignored if you actually find one; I think it's more evil to try to scare people without letting them know what's so scary.
> The issue is being downplayed now to a misleading/factually incorrect degree. DO NOT USE THE CLIENT.
Since I've seen the issue and am right now typing this message on bloat and have not felt the need to apply any patches to bloat, I can say that I am certain that the issue is not being downplayed but rather inflated. Theatrics don't serve any purpose but to hype a couple of very minor bugs. I don't think I'm "evil" for letting people that use the software know about the impact (because that's what anyone would do) and crying wolf about security bugs is going to get you ignored if you actually find one; I think it's more evil to try to scare people without letting them know what's so scary. Here: https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure
internetfight2.gif- and † top dog :pedomustdie: like this.
-
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Monday, 18-Sep-2023 21:43:47 JST
pistolero :thispersondoesnotexist:
@graf @w Yeah, I got notified, r got notified, consensus seemed to be that the bug is a bug but wasn't a big deal.
If we're doing security LARP, no one expects that "responsible disclosure" processes gag the vendor or the users. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 21:43:47 JST 
@p @w @graf What a fucking drama queen, holy fuck.
https://archive.ph/CHhdY -
:btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Monday, 18-Sep-2023 21:43:48 JST 
:btrfly: anime graf mays 🛰️🪐
yeah you really shouldn't pen up a public post about something until all parties have been notified and a plan of action/fix is already in place -
pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Monday, 18-Sep-2023 21:50:53 JST 
pomstan
likes this. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 21:51:51 JST
@pomstan @w @p @graf Made the logo in best /g/ tradition. -
pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Monday, 18-Sep-2023 21:55:27 JST
pomstan
On Unixy systems such as Linux there’s a little devil called the “OOM killer” (or here I’ll call him Oomy because that sounds cute.)
имаджинируйте ебало автора
likes this. -
Vivi Nella Verita :Debian_logo: (verita84@poster.place)'s status on Monday, 18-Sep-2023 21:59:09 JST 
Vivi Nella Verita :Debian_logo:
@pomstan @w @p @graf @mint likes this. -
laurel (laurel@freespeechextremist.com)'s status on Monday, 18-Sep-2023 22:04:24 JST 
laurel
@mint @p @graf @w
>I created an eleven megabyte file that would fill those ten gigabytes in seconds.
>The response body is limited to 8MB
Pretty sure someone could do it with less than 8 megabytes, so I am FORCED to ANNOUNCE:
This an EXPLOIT marked SEVERE
Apply my patch now or your whole system will CRASH, you are putting your user's (digital) LIVES at RISK.
tr := &http.Transport{
DisableCompression: true,
}
client := &http.Client{Transport: tr} likes this. -
teknomunk (teknomunk@apogee.polaris-1.work)'s status on Monday, 18-Sep-2023 22:18:55 JST 
teknomunk
@laurel @w @p @graf @mint
So this is all over a decompression bomb vulnerability and not something actually serious like admin credentials being stolen?
:talulah_tired: likes this. -
(mint@ryona.agency)'s status on Monday, 18-Sep-2023 22:21:07 JST
@teknomunk @w @laurel @p @graf Yes, but there's a chance someone doesn't run earlyoom or something, so he just had to raise DEFCON 1 about it and omit all details. -
Exterminatus (ex@utih.net)'s status on Tuesday, 19-Sep-2023 00:20:25 JST 
Exterminatus
@pomstan
@w @p @graf @mint likes this. -
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Tuesday, 19-Sep-2023 00:27:45 JST
pistolero :thispersondoesnotexist:
@mint @graf @w Well, now that it's all disclosed, I can point to that and say that it's fucking stupid to say I was downplaying the issue. A malicious upstream server can make bloat exhaust its available memory: it's not a segfault, it's not remote execution, no exfiltration of tokens, no nop-sleds, nothing. bloat can't allocate more memory and falls over. That's it. likes this. -
pistolero :thispersondoesnotexist: (p@freespeechextremist.com)'s status on Tuesday, 19-Sep-2023 00:52:34 JST
pistolero :thispersondoesnotexist:
@mint @teknomunk @graf @laurel @w OOM score is going to be higher for something that has started allocating a ridiculous amount of memory out of nowhere and shows no signs of slowing down.
I think it's best to run with a really low vm.overcommit_ratio to avoid OOM anyway. I never liked the optimistic allocator, it's like it's designed to cope with bad code. likes this.
All 076萌SNS content and data are available under the 