[go: up one dir, main page]
|
|
Log in / Subscribe / Register

How to (not) fix a security flaw

How to (not) fix a security flaw

Posted Apr 4, 2019 9:35 UTC (Thu) by sorokin (guest, #88478)
Parent article: How to (not) fix a security flaw

I wonder what the thought process was of the person who decided that checking user agent would be sufficient for the fix. It looks so wrong on so many levels.

One can only guess what other remarkable design decisions are taken by the engineer (or the team) who released the fix.

to post comments

How to (not) fix a security flaw

Posted Apr 4, 2019 13:39 UTC (Thu) by foom (subscriber, #14868) [Link] (4 responses)

I'd typically expect multiple people to be involved in a CVE patch like this: a software engineer on the team supporting the product, a code reviewer on the same team, possibly their manager, a member of the company's security team investigating the report, and probably someone to QA verify the release. Any of these people could have noted that this was a ridiculously bad patch.

That a security fix like this was actually _released_ is... yes...remarkable.

How to (not) fix a security flaw

Posted Apr 4, 2019 17:23 UTC (Thu) by mm7323 (subscriber, #87386) [Link]

Having worked with some ex-cisco software devs, this doesn't surprise me from their description of the development process.

It sounded like they had loads of devs churning out garbage to loads of QA teams who repeatedly knocked things back until enough 'quality' had been tested into the code that it could be released... QA looked good for finding lots of bugs, and development looked good for fixing them all quickly, even though it was the same junk going round and round.

How to (not) fix a security flaw

Posted Apr 4, 2019 17:29 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (2 responses)

Oh, but that stack of people is quite possibly the *reason* this was such a clusterfuck. It's like a game of telephone:

1. Somebody, probably in PR, gets told that "the software is vulnerable to an attack... here's an example using curl."
2. Over repeated rounds of transoceanic communication between PR and eng, this gradually mutates into "Our software must block curl."
3. Somebody gets assigned the bug to "Block curl."
4. They protest that blocking curl is ridiculous and impractical. They get told that this is a mandate and they have to do it anyway. At no point is the word "security" used.
5. Engineer shrugs and codes a simple UA check, figuring that if the user is spoofing the UA, then blocking them is basically impossible anyway.
6. QA confirms that curl is blocked.
7. PR is pleased to see that eng has "finally" "fixed" the "bug" and announces it.

How to (not) fix a security flaw

Posted Apr 5, 2019 2:09 UTC (Fri) by sml (subscriber, #75391) [Link]

> 3. Somebody gets assigned the bug to "Block curl."
> 4. They protest that blocking curl is ridiculous and impractical. They get told that this is a mandate and they have to do it anyway. At no point is the word "security" used.
> 5. Engineer shrugs and codes a simple UA check, figuring that if the user is spoofing the UA, then blocking them is basically impossible anyway.

ugh this is too real...

How to (not) fix a security flaw

Posted Apr 8, 2019 19:47 UTC (Mon) by rweikusat2 (subscriber, #117920) [Link]

> 1. Somebody, probably in PR, gets told that "the software is vulnerable to an attack... here's an example using curl."
> 2. Over repeated rounds of transoceanic communication between PR and eng, this gradually mutates into "Our software must block
> curl."

Very complimentary assumption. Thanks to OpenBSD's tireless efforts in this respect, "security" is usually considered equivalent to "block known exploits". Hence "our software can be attacked with curl" => "block curl" is a completely natural reaction. After all, there's really no reason to spend a lot of time on this unless someone demonstrably comes up with an exploit which doesn't use curl.

How to (not) fix a security flaw

Posted Apr 5, 2019 4:12 UTC (Fri) by mebrown (subscriber, #7960) [Link] (15 responses)

It was almost certainly some just-barely-out-of-college hire in India tasked with fixing this without any code review or oversight.

How to (not) fix a security flaw

Posted Apr 5, 2019 11:56 UTC (Fri) by NAR (subscriber, #1313) [Link]

My first idea too :-(

How to (not) fix a security flaw

Posted Apr 5, 2019 12:48 UTC (Fri) by ceplm (subscriber, #41334) [Link] (13 responses)

Don't be racist! Besides, I really think it is more problem of idiotic management (as described above) than fault of one poor engineering sod, who might be force to write such disaster.

How to (not) fix a security flaw

Posted Apr 8, 2019 8:24 UTC (Mon) by Yenya (subscriber, #52846) [Link] (12 responses)

Matěj, I fail to see how mentioning name of the country can be racist. Location has (almost) nothing to do with race. And we all know that IT companies often go to India when looking for extreamly cheap yet sometimes barely compentent workforce. This of course does not say anything about _all_ IT workers in India.

How to (not) fix a security flaw

Posted Apr 8, 2019 8:57 UTC (Mon) by ceplm (subscriber, #41334) [Link] (8 responses)

If I write "A white girl dated a black man and so she was raped" or "Job was contracted to a Gypsy builder and so it was completed a way late" I have never said that all black men are rapists or all Roma people are lazy (to use two very common nasty racist stereotypes), but I kind of live in the world were this is assumed. When you assume that Indian programmers are ineffective (not even saying they are stupid) you assign a stereotype to the whole group, not only this is racist in my opinion (that's exactly what racism is about, IMHO), but you overlook tons of good work done by Indian programmers (in the same way you overlook majority of gentle and caring black men, or hard-working and diligent Roma). Does it make sense to you?

How to (not) fix a security flaw

Posted Apr 8, 2019 9:13 UTC (Mon) by Yenya (subscriber, #52846) [Link] (7 responses)

You omit the main objection of my post - that saying _India_ (a country name) has nothing to do with _race_.

How to (not) fix a security flaw

Posted Apr 8, 2019 9:28 UTC (Mon) by ceplm (subscriber, #41334) [Link] (6 responses)

I see. Does it matter that much though? OK, so it is not racism per se, just different type of xenophobia.

How to (not) fix a security flaw

Posted Apr 8, 2019 12:57 UTC (Mon) by Yenya (subscriber, #52846) [Link] (5 responses)

For me, it does. I see lot of things around me being labeled "racism" where there are no races involved. As a side note, presumptions are not fear per se, so I would object against word "xenophobia" as well.

How to (not) fix a security flaw

Posted Apr 9, 2019 3:14 UTC (Tue) by rmayr (subscriber, #16880) [Link] (1 responses)

I feel that this discussion doesn't help readers who come to lwn.net for technical content. Can we please stop it?

How to (not) fix a security flaw

Posted Apr 9, 2019 4:54 UTC (Tue) by sml (subscriber, #75391) [Link]

Yenya is known for disingenuous trolling along these lines[0] on LWN.

Reminder that comment filtering is available from your LWN account page.

[0] https://lwn.net/Articles/766080/

How to (not) fix a security flaw

Posted Apr 9, 2019 13:17 UTC (Tue) by tao (subscriber, #17563) [Link] (2 responses)

Considering that races are a social construct, rather than something biological, by your reasoning there's no such thing as racism.
To help you: in common parlance racism means discrimination or prejudice based on colour of skin, ethnicity, or region of origin.

How to (not) fix a security flaw

Posted Apr 9, 2019 19:29 UTC (Tue) by Yenya (subscriber, #52846) [Link] (1 responses)

Sorry, I don't buy into this kind of newspeak. Either races do not exist, and so does racism, or they do, and racism has to be about races and nothing else.

That said, rmayr above is right, this is not a technical discussion, so I will stop here.

On the other hand, sml, I do not consider myself being a troll - the above statements are not intendent to provoke a flame war or anything, these are my genunie opinions. I am sorry if they do not match your narrow view of the universe.

How to (not) fix a security flaw

Posted Apr 11, 2019 22:09 UTC (Thu) by tao (subscriber, #17563) [Link]

There's no necessary link between whether races exist and whether racism exists.
Gods don't exist, yet a large part of Earth's population are theists. Or to take a rather less controversial statement; the Earth is an oblate spheroid, yet there are flat Earthers. Races don't exist, yet there are racists (and, granted, people who believe in races but aren't racists; being a racist tends to strongly imply believing in races, but believing in races doesn't imply being a racist).

I don't see how your disagreement with the common use of the word racist makes my view of the universe narrow.

How to (not) fix a security flaw

Posted Apr 8, 2019 11:45 UTC (Mon) by lkundrak (subscriber, #43452) [Link]

> And we all know that IT companies often go to India when looking for extreamly cheap yet sometimes barely compentent workforce.

We also should all know that a lot of the most competent people in the industry come from India. The statement which was objected to is easily understood as making an assumption that only the less qualified group exists. That, I believe, is not fair.

How to (not) fix a security flaw

Posted Apr 8, 2019 12:39 UTC (Mon) by jospoortvliet (guest, #33164) [Link] (1 responses)

Yet generalizations like that tend to stigmatize people which, esp given we are talking about one of the most populous countries on earth, is deeply unfair. So yeah, it would be nice not to get such gross over generalizations on LWN. I know this happens, no doubt, but at least refer to ‘low wage coutries’ as that emphasizes the problem (managements desire to cut cost at the expense of everything else) rather than sound like all people in India are low quality developers. Keep in mind that these developers do exactly as told: ‘be cheap’. It is in the end indeed a matter of bad management decisions, not bad people.

How to (not) fix a security flaw

Posted Apr 8, 2019 12:52 UTC (Mon) by Yenya (subscriber, #52846) [Link]

I hope I did not write anything which is in conflict wrt. your wording. Yes, I agree that part of the reason is "be cheap" as you wrote. I tried to make two points:

1) mentioning India in that context is not _racist_ (it might carry some presumptions about countries or whatever, but nothing about races per se)

2) there are indeed _some_ (not all, not even majority, nothing like that) barely competent just-out-of-college IT wokers in India.

As such, I fail to see a problem with the original post by mebrown (https://lwn.net/Articles/784998/).


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds