[00:00] <G> Ouch, glibc GHOST doesn't sound very nice... http://www.openwall.com/lists/oss-security/2015/01/27/9
[00:16] <olly> it's already fixed in upstream glibc at least
[00:16] <olly> not looked at ubuntu, but debian testing and unstable weren't vulnerable
[00:17] <G> basically all the LTS' from <'13 because it wasn't backported as security until today
[00:18] <olly> the email from the discoverers is an interesting read
[00:23] <G> yeah, I just saw an interesting tweet too:  'The embargo on CVE-2015-0235 was broken by a ham-fisted PR engaged by the firm who discovered it. So CVEs now come with cute names AND PR.' https://twitter.com/matthewbloch/status/560216208751202307
[00:23]  * olly was wondering earlier what the indirect benefits from finding a high-profile vulnerability are
[00:24] <G> well I guess cute name + PR dept answers it... Trademark the cute name, be the only company that can sell the "<cute name> Detection Tool"
[00:25] <olly> i suspect the real benefits are from reputation - if you're looking for someone to audit some code, going for the guys who found X, Y and Z is an obvious choice
[00:25] <G> that too
[00:26] <G> better to list a bunch of cute names than random CVE numbers that a lot of people won't make the connection to
[00:26] <olly> parallels to FOSS development - if you want some work doing related to a project, you're likely to hire the people who put a lot of work into it
[00:26] <olly> true
[00:28] <olly> it's kind of a nice eco-system - there's a motivation for people to put work into finding vulnerabilities without direct renumeration
[00:28] <G> + the fact that for the major online-impacting bugs that have cute names, the media are using on them.  So even 'muggles' know about Heartbleed for instance.   "Hey #non-up-with-tech-boss, CompanyX can audit our code for $x, they were the ones that found Heartbleed"  does sound better than "that found CVE-2014-...."
[00:28] <olly> remuneration even
[00:30] <G> so yeah, you are right, PR part is likely so they put info packets together for justification of paying that company for other security related services
[00:31] <olly> quite possibly they have a PR company anyway
[00:31] <olly> many companies do
[01:38] <olly> does trusty mount /tmp noexec?
[01:51] <mwhudson> not sure, utopic does
[02:13] <olly> thanks
[19:05] <ibeardslee> morning