| ▲ | turkeyboi 3 hours ago |
| Why does this need to be a whole ass website |
|
| ▲ | cryo32 3 hours ago | parent | next [-] |
| You're not going to get anywhere in the security sector unless you gain notoriety i.e. are noticed. This appears to come from dressing up like Elton John in a feather suit and hiring a marketing team. |
| |
| ▲ | tptacek 2 hours ago | parent [-] | | It's a wall of text about a kernel stack overflow. I'm not sure where the "Elton John" part is. Is it... that they used an accent color? | | |
| ▲ | 866-RON-0-FEZ 36 minutes ago | parent [-] | | Maybe the researcher was wearing windshield-wiper spectacles when he discovered the vulnerability. I don't understand why you're being so defensive about this. | | |
| ▲ | tptacek 22 minutes ago | parent [-] | | Because it's a tiresome, tropey, and ultimately invalid complaint. Look downthread at the person who said the FreeBSD commit log was better than this page, despite being inscrutable to security practitioners who don't work in the kernel and not saying a word about proven exploit vectors. These complaints aren't about what's better or worse for the user community; they're about people trying to put vulnerability researchers in their place. | | |
| ▲ | 866-RON-0-FEZ 10 minutes ago | parent [-] | | While I believe whimsical names will always be silly, I do concede that commit log is effectively useless to 99% of eyeballs. | | |
| ▲ | tptacek 7 minutes ago | parent [-] | | It's not even a complete description of the vulnerability. It's what the kernel maintainers need to know to understand and fix the bug in the code. The claim that it's superior to the branded vulnerability page gives away the whole game. |
|
|
|
|
|
|
| ▲ | 866-RON-0-FEZ 40 minutes ago | parent | prev | next [-] |
| It gives legitimacy to whatever whimsical name was given to a vulnerability by registering the domain. CVE numbers are for boring professionals. |
| |
|
| ▲ | tptacek 2 hours ago | parent | prev | next [-] |
| Why not? This weird complaint has been happening since ~2010 and it has never made any sense. You are strictly better off with the website than without it. When it was vulnerability researchers getting all peevish about the status competition they were running, I at least understood where the complaint was coming from, but even among practitioners, branded vulnerabilities are so much the norm at this point that there's no status implication anymore. |
| |
| ▲ | themafia 39 minutes ago | parent [-] | | > You are strictly better off with the website than without it. Why? This is a better resource in every way: https://cgit.freebsd.org/src/commit/?id=000d5b52c19ff3858a6f... It details the actual problem instead of showing off tired stack exploit tricks. | | |
| ▲ | tptacek 29 minutes ago | parent [-] | | No, that commit log is obviously not better than the page explaining the vulnerability and the exploit vectors. Case in point: what's "tired" about the stack exploitation techniques they're using here? And, while you're not right, even stipulating that you were, what would that matter? How is anyone better off with less explanation of a vulnerability? |
|
|
|
| ▲ | rs_rs_rs_rs_rs an hour ago | parent | prev | next [-] |
| Have you not done anything remotely interesting for you that you want to build a website so the whole world can see it? |
|
| ▲ | throwaway613746 10 minutes ago | parent | prev | next [-] |
| [dead] |
|
| ▲ | dragontamer 3 hours ago | parent | prev [-] |
| What? Is there something in this website that feels unnecessary? It seems like a good format of sharing high quality information. This looks like a full bug into a complete root escalation of a kernel. That's hard to do and deserving of praise. The fact that we have a writeup organized like this is awesome. ------- This is sort of the expert level stuff that I thought HackerNews would most enjoy. |
