Il giorno Tue, 28 Jun 2016 04:09:06 -0700
"Ronald F. Guilmette" <rfg at tristatelogic.com> ha scritto:
> Please forgive the following outburst/rant. Sometimes, I just see
> something that makes me want to scream "I can't take it
anymore!"
>
> I've just seen a link to the following in my twitter feed:
>
>
http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html
>
> Short summary: Apparently a team @ Google spend a whole bloody year,
> just to find a handful of bugs in the Windows 7 kernel.
>
> Every single thing about this article drives me crazy, almost like
> fingernails scratching slowly over a blackboard, and, you know, I'm
> sorry about this, but for some strange reason I felt compelled to
> share this feeling with others.
>
> In the first place, knowing virtually nothing about Windoze kernels,
> I was floored by the assertion (and the perhaps well known fact... to
> everybody except me) that something as ridiculous as font processing
> was actually embedded into the Windoze 7 kernel. I mean seriously,
> who ever thought that THAT was a good idea?? Putting that kind of
> crap inside a *kernel* goes against pretty much my entire
> understanding of what a kernel should be. (And apparently, even MS
> was wised up to the incomprehensible stupidity of this now, and has
> moved this crap outside the kernel in Windows 10, as the article
> itself states.)
>
> Second, I'm having trouble understanding why these Google guys are
> patting themselves on the back for finding bugs in *Windows 7* at this
> late date. I mean jeeezzzz. Doesn't that OS have one foot in the
> grave already? It's swell that they were able to find bugs in this
> now old and crusty OS, but I'm not persuaded that it is a cause for
> breaking out the champaign, and I do have to wonder if maybe Google's
> engineering talent and resources couldn't have been better spent
> finding bugs in Windows 8, Windows 8.1, Windows 10, or, ya know,
> maybe even Android (which, as I understand it, has more than its fair
> share of security and other bugs).
>
> Last but by no means least, the authors bemoan the difficulties they
> had finding *security* bugs in code they didn't have access to the
> source code for. Well, I mean, like DUH! This totally begs the
> question: Particularly (but not exclusively) in a post-Snowden world,
> is anybody in their right minds who actually gives a serious rats's
> ass about security really going to continue to just hope and pray
> that they'll be safe while putting all their secrets on top of a
> closed source OS?
>
> It may still be several years yet, but I do believe that over the
> long run, the Snowden effect will slowly, but surely (and finally)
> rid the world of closed source forever... and good riddance to it!
>
>
> Again, my apologies for the rant. I just had to vent spleen on all
> this or else I'd have burst. Some of the stuff I encounter these
> days is just almost too absurd for words.
>
>
> Regards,
> rfg
>
>
> P.S. I myself developed a trivial (but powerful) sort of fuzzing tool
> about ten years ago. To this day, I'm disappointed that nobody but me
> ever saw fit to actually use the thing.
>
> Here it is and its free:
>
> http://www.tristatelogic.com/m4r/
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
I share your opinion and feeling, but I don't think that the Snowden
effect will be enough to get rid of the closed source world.
The closed source world exists because there are people who don't care
about how their devices work: all they want is to have their tech
gadgets let them do all they desire. Stop. And usually these people
judge those devices by looking at their aspect, not functionality
(and if they don't mind about functionalities, guess if they care about
security).
But, on the other hand, who encourage them at looking under the hood?
Companies? Absolutely not. Why they should, after all? The more users
know, the less they can base thier business on appereance and the "fancy
looking" factor. So PCs, smartphones, tablets, etc. are usually
presented as hard-to-understand blackboxes that just work.
(Note: not necessary all companies act so, but IMHO the ones under the
reflectors does...)
And, talking about Windows, this document came in mind:
https://www.over-yonder.net/~fullermd/rants/winstupid/1
I hope that, in a world where telecommunication devices are more and
more pervasive, in schools will teach to kids not only how to work with
computers, but even how computers work.
Sorry for the rant, but all of this is very sad.
Regards.
Maxnix