[Open-graphics] NVIDIA Binary Driver exploit
Lance Hanlen
lance.hanlen at gmail.com
Tue Oct 17 01:53:29 EDT 2006
Try http://www.openbsd.org/
They don't resort to crippled languages, they just take the time to do
things correctly. But you're right, there is a problem with the rest
of us.
However I think the issue here is giving the user and the developer
the opportunity to dig their own grave, rather than forcing them to
choose nVidia binary traps or ATI binary traps.
I fear the unknown.
On 10/16/06, Ulf Ochsenfahrt <ulf at ofahrt.de> wrote:
> Vinicius Santos wrote:
> > On 10/16/06, Lance Hanlen <lance.hanlen at gmail.com> wrote:
> >> At the risk of sounding naive, I don't think there's anything negative
> >> or cynical about speaking out against a company that forces you to let
> >> people run arbitrary code as root on your computer.
> >
> > There isn't! And that's what I mean: Before having that vulnerability
> > known, it was all
> > about "Binary blobs could be insecure", but now it's a proven fact
> > that it is, and it
>
> Yep. As is Open Source Software (just subscribe to one of the security
> mailing lists).
>
> > takes more than 2 years for a vendor to (probably) fix after the issue
> > is reported.
>
> nVidia has already released an updated version.
>
> > It's now a real issue that makes OGP even MORE of a solution. It's not
> > only about
> > hobbyists who want to develop hardware and drivers, it's about the freedom
> > to run
> > "secure hardware".
>
> I'm all in favor of Open Source soft- and hardware, but from a security
> point of view this issue is just another drop of water in the ocean of
> insecure software - open or not. A far more sensible thing would be to
> call for known working security measures.
>
> Hardware separation mechanisms have been available on the x86 line of
> cpus for how long? And programming languages that are known not to be
> susceptible to buffer overruns, heap overflows, stack smashing attacks,
> and similar niceties? These things have been known for long enough that
> no one can validly claim that they didn't.
>
> /me takes this story as an incentive to take another look at HURD and
> check whether it's actually useable now.
>
> Cheers,
>
> -- Ulf
>
>
>
--
_Lance