Stuff I don't understand, and maybe never will.

Ronald F. Guilmette rfg at tristatelogic.com
Tue Jun 28 11:14:29 UTC 2016



Please forgive the following outburst/rant.  Sometimes, I just see something
that makes me want to scream "I can't take it anymore!"

I've just seen a link to the following in my twitter feed:

  http://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html

Short summary:  Apparently a team @ Google spent a whole bloody year,
just to find a handful of bugs in the Windows 7 kernel.

Every single thing about this article drives me crazy, almost like
fingernails scratching slowly over a blackboard, and, you know, I'm
sorry about this, but for some strange reason I felt compelled to
share this feeling with others.

In the first place, knowing virtually nothing about Windoze kernels,
I was floored by the assertion (and the perhaps well known fact... to
everybody except me) that something as ridiculous as font processing
was actually embedded into the Windoze 7 kernel.  I mean seriously,
who ever thought that THAT was a good idea??  Putting that kind of
crap inside a *kernel* goes against pretty much my entire understanding
of what a kernel should be.  (And apparently, even MS has wised up to
the incomprehensible stupidity of this now, and has moved this crap
outside the kernel in Windows 10, as the article itself states.)

Second, I'm having trouble understanding why these Google guys are
patting themselves on the back for finding bugs in *Windows 7* at this
late date.  I mean jeeezzzz.  Doesn't that OS have one foot in the
grave already?  It's swell that they were able to find bugs in this
now old and crusty OS, but I'm not persuaded that it is a cause for
breaking out the champagne, and I do have to wonder if maybe Google's
engineering talent and resources couldn't have been better spent finding
bugs in Windows 8, Windows 8.1, Windows 10, or, ya know, maybe even
Android (which, as I understand it, has more than its fair share of
security and other bugs).

Last but by no means least, the authors bemoan the difficulties they
had finding *security* bugs in code they didn't have access to the
source code for.  Well, I mean, like DUH!  This totally begs the question:
Particularly (but not exclusively) in a post-Snowden world, is anybody
in their right mind who actually gives a serious rat's ass about security
really going to continue to just hope and pray that they'll be safe while
putting all their secrets on top of a closed source OS?

It may still be several years yet, but I do believe that over the long run,
the Snowden effect will slowly, but surely (and finally) rid the world
of closed source forever... and good riddance to it!


Again, my apologies for the rant.  I just had to vent spleen on all this
or else I'd have burst.  Some of the stuff I encounter these days is just
almost too absurd for words.


Regards,
rfg


P.S. I myself developed a trivial (but powerful) sort of fuzzing tool
about ten years ago.  To this day, I'm disappointed that nobody but me
ever saw fit to actually use the thing.

Here it is, and it's free:

  http://www.tristatelogic.com/m4r/
