Subj : Re: Tutorial for rookies
To   : tenser
From : N1uro
Date : Tue Oct 12 2021 01:25 pm

tenser;

-=> tenser wrote to N1uro <=-

te> Bluntly, I don't believe you.  With no supporting evidence of the
te> existence of these bugs, let alone tracking, this is nothing more
te> than typical ham-centric FUD.

Is it your policy in life to call those who develop the things you may use
a liar? This is the sort of thing that belongs on facebook. Why not show
a bit of appreciation for the things and be proactive rather than point
fingers and say hateful things instead.

te> To be clear, I was hoping for a pointer to a bug tracker.  It
te> wouldn't be hard to produce patches for something as simple as
te> Linux's AX.25 implementation, but without any sort of knowledge
te> about what is _actually_ wrong, let alone root cause
te> investigation, it's not a good time investment.

We -did- submit requests for this to be added to some sort of a bug tracker
however the cracks involved are so grave in nature it was decided best  not
to publish them as to protect the licenses of the hams who may be using
such configurations. A full and total take-over of a system can easily be
accomplished if the bugs were published. Is this what you promote in your
thinking?

te> "Read the archives of my project's mailing list" is not a good
te> answer.

te> Since you appear to keep shutting that project down on a whim, I'm
te> not particularly interested in looking closely at it.  Sorry, it's
te> just not worth my time to deal with cantankerous folks who don't
te> want to work in a spirit of cooperation.

Your opinion is quite false in nature. What proof do you have of this? URONode
and my other projects are quite alive and in the various repositories. What
projects do you have? Besides my own projects I also contribute to the LinFBB
project. I pulled my projects off sourceforge until such time as the kernel
bugs are fixed. I'm simply tired with receiving emails asking me why my stuff
"doesn't work" when I have the only node project available that works on old
IBM emulation systems! When the critical kernel issues are resolved they'll
be back on sourceforge as I have upgrades for them all to release.

te> But he didn't actually describe the problem.  There was a comment
te> saying something about freeing up resources; that was it.  No
te> description of how the problem manifests itself, what goes wrong,
te> the failure mode, etc.  There's a one-line patch that was apparently
te> never sent to LKML in an older version of the kernel on a random
te> web site.

No you obviously did not comprehend the NetRom bug issue at all. When a box
boots up as fresh, and no users/robots have used the NetRom stack in said
box, it will await the 1st connection to which an underlaying ax.25 VIRTUAL
CIRCUIT is then created for the NetRom socket to transport through on. That
1st and only that 1st connection will appear to work and be valid. When the
session is completed, the underlaying ax.25 layer stays open thus causing
the underlaying NetRom socket to be open and available for a remote attacker
to attach to and own the box. Marius clearly spells this out in his patches
and unlike a 1 line fix as you claim, it's a 4 line patch to insure that
the ax.25 virtual circuit gets closed when NetRom is used. Understand now?
And if axip/axudp is used, this leaves the IP socket open awaiting any outside
resource to connect to it.

In your NetStat you'd see something like:
N1URO-4    KE6I-10    N1URO-4    nr2     LISTENING    000/000  0       0

How can an established connection be in listening or waiting for a connect
mode? With such an easy way for a non-ham to attach themself to a box perhaps
now you may understand why such bugs are NOT published for the whole world
to search. We take tests for our licenses... not to  have some packet kiddie
take them from us.

This is simply one of many that need attention to.

N1> However considering what you appear to keep yourself blinded to, might I
N1> suggest Windows and BPQ32?

te> Nah.  I'm good.

*raises a vulcan eyebrow*

... MultiMail, the new multi-platform, multi-format offline reader!
--- MultiMail/Linux v0.52
* Origin: Carnage - risen from the dead now on SBBS (21:4/107)

You are viewing proxied material from cvs.synchro.net. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.