Look at his follow-up post replying to me. What you claim happened clearly isn't what happened. You can certainly disagree with me considering what happened dishonest but you're just making up a completely false narrative about what happened without actually looking into it.
It's the same issue. Jumping to a conclusion and claiming to provide a meaningful assessment without having a clue what's actually going on, and not because of an inability to understand it, but simply laziness and a desire to push a narrative without actually looking into it.
No one /owes/ you the time it takes to study the very subtle points of your security claims to the point they present them in a way you fully agree with, least of all Tor and Mozilla devs with very rare amounts of experience defending endpoint users from organized attackers.
If you’re going to cry “unfair” the first time someone merely underestimates the benefits of your design, how are you going to react when an actual malicious actor pwns it?
Have you even systematically fuzzed it?
Once again, you're making a completely dishonest misrepresentation of what I've said. You just come out with one strawman argument and false narrative after another. It's exactly what I'm talking about. That isn't what happened, and you could at least read their follow-up email.
My issue with their post is that they're jumping into a thread speaking as an expert but they're talking about something they clearly didn't look into at all. It's not criticism but rather lazily spreading misinformation / assumptions to push a narrative they already had in mind.
They didn't read a few paragraphs about it, let alone look at the code and actually criticize it. There are actual reasons for them not to use it. The design decisions have disadvantages. It's not a very mature project. That isn't what they said. They posted some nonsense.
They made a post to promote something else. You portray it as if I'm the one who made security claims when they're the person posting to a mailing list promoting hardening bolted onto jemalloc in Firefox misrepresenting what it accomplishes and downplaying using anything else.
They clearly didn't look into it in particular and they weren't making an attempt to criticize it. What they were doing is downplaying the advantages of a hardened allocator design in general. The thread could have been someone bringing up OpenBSD malloc or something else.
As part of them dismissing it and downplaying it, they gave an inaccurate overview / comparison and bogus security claims about Firefox jemalloc changes. I had 0 participation in the thread before jumping in to defend even the basic concept of my work and other projects like it.
They posted a follow-up reply to me, and I would recommend actually looking at that. Call me rude or undiplomatic for how I just laid out how I felt about it, fine, but don't try to come up with these false narratives about what happened and your own nonsense attacks on me.
Got to love how this thread is just a perfect example of what I had a problem with on that mailing list though. The entire thing confirms for me that I don't want to be part of the security community. I'll do my research/development work and defend myself when needed, that's it.
The good thing about security is that if you can consistently implement a hardened /anything/ in C, you don’t need to worry about whether you ‘belong’ to any ‘community’, or whether your ideas are being under-sold in a mailing list discussion.
Take care :-)