G | Ouch, glibc GHOST doesn't sound very nice... http://www.openwall.com/lists/oss-security/2015/01/27/9 | 00:00 |
---|---|---|
olly | it's already fixed in upstream glibc at least | 00:16 |
olly | not looked at ubuntu, but debian testing and unstable weren't vulnerable | 00:16 |
G | basically all the LTS' from <'13 because it wasn't backported as security until today | 00:17 |
olly | the email from the discoverers is an interesting read | 00:18 |
G | yeah, I just saw an interesting tweet too: 'The embargo on CVE-2015-0235 was broken by a ham-fisted PR engaged by the firm who discovered it. So CVEs now come with cute names AND PR.' https://twitter.com/matthewbloch/status/560216208751202307 | 00:23 |
* olly was wondering earlier what the indirect benefits from finding a high-profile vulnerability are | 00:23 |
G | well I guess cute name + PR dept answers it... Trademark the cute name, be the only company that can sell the "<cute name> Detection Tool" | 00:24 |
olly | i suspect the real benefits are from reputation - if you're looking for someone to audit some code, going for the guys who found X, Y and Z is an obvious choice | 00:25 |
G | that too | 00:25 |
G | better to list a bunch of cute names than random CVE numbers that a lot of people won't make the connection to | 00:26 |
olly | parallels to FOSS development - if you want some work doing related to a project, you're likely to hire the people who put a lot of work into it | 00:26 |
olly | true | 00:26 |
olly | it's kind of a nice eco-system - there's a motivation for people to put work into finding vulnerabilities without direct renumeration | 00:28 |
G | + the fact that for the major online-impacting bugs that have cute names, the media are using on them. So even 'muggles' know about Heartbleed for instance. "Hey #non-up-with-tech-boss, CompanyX can audit our code for $x, they were the ones that found Heartbleed" does sound better than "that found CVE-2014-...." | 00:28 |
olly | remuneration even | 00:28 |
G | so yeah, you are right, PR part is likely so they put info packets together for justification of paying that company for other security related services | 00:30 |
olly | quite possibly they have a PR company anyway | 00:31 |
olly | many companies do | 00:31 |
olly | does trusty mount /tmp noexec? | 01:38 |
mwhudson | not sure, utopic does | 01:51 |
olly | thanks | 02:13 |
ibeardslee | morning | 19:05 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!