[Deleted by author.]Redditors cope and seethe when stockfish chads refuse to address esoteric buffer overflow exploit
- 14
- 27
Top Poster of the Day:
cyberdick
Current Registered Users: 27,502
tech/science swag. 
Guidelines:
What to Submit
On-Topic: Anything that good slackers would find interesting. That includes more than /g/ memes and slacking off. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual laziness.
Off-Topic: Most stories about politics, or crime, or sports, unless they're evidence of some interesting new phenomenon. Videos of pratfalls or disasters, or cute animal pictures. If they'd cover it on TV news, it's probably lame.
Help keep this hole healthy by keeping drama and NOT drama balanced. If you see too much drama, post something that isn't dramatic. If there isn't enough drama and this hole has become too boring, POST DRAMA!
In Submissions
Please do things to make titles stand out, like using uppercase or exclamation points, or saying how great an article is. It should be explicit in submitting something that you think it's important.
Please don't submit the original source. If the article is behind a paywall, just post the text. If a video is behind a paywall, post a magnet link. Fuck journos.
Please don't ruin the hole with chudposts. It isn't funny and doesn't belong here. THEY WILL BE MOVED TO /H/CHUDRAMA
If the title includes the name of the site, please leave that in, because our users are too stupid to know the difference between a url and a search query.
If you submit a video or pdf, please don't warn us by appending [video] or [pdf] to the title. That would be r-slurred. We're not using text-based browsers. We know what videos and pdfs are.
Make sure the title contains a gratuitous number or number + adjective. Good clickbait titles are like "Top 10 Ways to do X" or "Don't do these 4 things if you want X"
Otherwise editorialize. Please don't use the original title, unless it is gay or r-slurred, or you're shits all fucked up.
If you're going to post old news (at least 1 year old), please flair it so we can mock you for living under a rock, or don't and we'll mock you anyway.
Please don't post on SN to ask or tell us something. Send it to [email protected] instead.
If your post doesn't get enough traction, try to delete and repost it.
Please don't use SN primarily for promotion. It's ok to post your own stuff occasionally, but the primary use of the site should be for curiosity. If you want to astroturf or advertise, post on news.ycombinator.com instead.
Please solicit upvotes, comments, and submissions. Users are stupid and need to reminded to vote and interact. Thanks for the gold, kind stranger, upvotes to the left.
In Comments
Be snarky. Don't be kind. Have fun banter; don't be a dork. Please don't use big words like "fulminate". Please sneed at the rest of the community.
Comments should get more enlightened and centrist, not less, as a topic gets more divisive.
If disagreeing, please reply to the argument and call them names. "1 + 1 is 2, not 3" can be improved to "1 + 1 is 3, not 2, mathfaggot"
Please respond to the weakest plausible strawman of what someone says, not a stronger one that's harder to make fun of. Assume that they are bad faith actors.
Eschew jailbait. Paedophiles will be thrown in a wood chipper, as pertained by sitewide rules.
Please post shallow dismissals, especially of other people's work. All press is good press.
Please use Slacker News for political or ideological battle. It tramples weak ideologies.
Please comment on whether someone read an article. If you don't read the article, you are a cute twink.
Please pick the most provocative thing in an article or post to complain about in the thread. Don't nitpick stupid crap.
Please don't be an unfunny chud. Nobody cares about your opinion of X Unrelated Topic in Y Unrelated Thread. If you're the type of loser that belongs on /h/chudrama, we may exile you.
Sockpuppet accounts are encouraged, but please don't farm dramakarma.
Please use uppercase for emphasis.
Please post deranged conspiracy theories about astroturfing, shilling, bots, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email [email protected] and dang will add you to their spam list.
Please don't complain that a submission is inappropriate. If a story is spam or off-topic, report it and our moderators will probably do nothing about it. Feed egregious comments by replying instead of flagging them like a pussy. Remember: If you flag, you're a cute twink.
Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. That's too boring, even for HN users.
Please seethe about how your posts don't get enough upvotes.
Please don't post comments saying that rdrama is turning into ruqqus. It's a nazi dogwhistle, as old as the hills.
Miscellaneous:
We reserve the right to exile you for whatever reason we want, even for no reason at all! We also reserve the right to change the guidelines at any time, so be sure to read them at least once a month. We also reserve the right to ignore enforcement of the guidelines at the discretion of the janitorial staff. Be funny, or at least compelling, and pretty much anything legal is welcome provided it's on-topic, and even then.
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
/h/slackernews SETTINGS /h/slackernews LOG /h/slackernews MODS /h/slackernews EXILEES /h/slackernews FOLLOWERS /h/slackernews BLOCKERS
Live commit: 7578145
Jump in the discussion.
No email address required.
I don't get what any of this means
Jump in the discussion.
No email address required.
If Stockfish runs from an illegal position, it can crash from a buffer overflow. This is potentially unsafe, but it would be extremely difficult, and practically impossible to find an illegal position that it would crash in a way that would be exploitable.
If anyone really cares about this they can just validate the input before running stockfish and problem solved.
The stockfish devs don't want to fix it because they only care about legal chess. Patching all the ways it could crash from illegal positions for security reasons would harm performance and bloat the software.
Redditors in /r/programming aren't professional codecels so they only see it as Buffer Overflow -> Insecure Application ->
.
Jump in the discussion.
No email address required.
This dude has a point. However, at the end of the day, it's the maintainer's call and their time going into supporting the software. Devs just don't like being politely told to frick off because their over-engineering might not be worth the time or effort.
Edit: The maintainer's responses were also pretty spergtastic.
Jump in the discussion.
No email address required.
More options
Context
Thanks kind stranger, have this reddit gold
Jump in the discussion.
No email address required.
More options
Context
also what is stockfish
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
Snapshots:
undelete.pullpush.io
archive.org
ghostarchive.org
archive.ph (click to archive)
Jump in the discussion.
No email address required.
More options
Context
Don't fix it! It's not remotely exploitable! It's too hard to exploit!
Meanwhile...
Jump in the discussion.
No email address required.
Meanwhile what? Has it been exploited? Has anyone even created a proof of concept for an exploit?
Jump in the discussion.
No email address required.
If a vulnerability has been discussed on a forum it's my opinion that an exploit for that vulnerability exists.
Jump in the discussion.
No email address required.
To quote one of the Redditors going against the hive mind:
Having taken some time to read through the GitHub issue thread, I can sympathize with the guy who raised the issue and I think the maintainer was being a bit of an butt in response. However, I think all the people ragging on this issue are significantly overestimating the risk factor of this vulnerability because they want to be smug and sneer at someone who won't entertain their pedantry.
The one issue I saw that I think needs to be addressed is the fact that the software continues running after the overflow occurs. The quickest fix would be to have the software fail loudly if the buffer is exceeded. I cannot imagine simple moveset size check would have a meaningful impact on peformance.
Jump in the discussion.
No email address required.
If you think that militaries don't have supercomputers the size of small islands 24/7 cranking out solutions to 'we know a theoretical buffer overflow exists here, find the inputs that cause it' type questions then, well, why do you think that?
That's literally their job. They research new conventional weapons 24/7, why do you think the same doesn't extend to cyber?
Jump in the discussion.
No email address required.
Yes, all those military supercomputers devoting millions of dollars worth of cycles to analyzing illegal moveset inputs for an obscure chess program. This is exactly the kind of pedantry I was talking about.
Jump in the discussion.
No email address required.
Stockfish isn't obscure and the type of people that spend a lot of time playing chess are likely to be people with interesting stuff on their computers.
Agree to disagree it seems we must
Jump in the discussion.
No email address required.
How many running instances of Stockfish are public-facing? Again, I don't think it's a complete non-issue and I think that the maintainer should just insert a conditional to crash the program immediately when the moveset size exceeds 256, but the maintainer's stance is not as unreasonable as Redditors want to believe.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context
More options
Context