[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Backport of the integer overflow in the brk system call

On Thu, Dec 04, 2003 at 02:23:54PM -0500, Matt Zimmerman wrote:
> On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:

> You must be joking.  If the developer's system is compromised, and he logs
> into another system after that time, that system can be easily compromised
> also.

Yes, but the reason it would have been efficiacious in this *particular* 
instance is the hacker sniffed the password, and then logged on to 
Debian's servers later at his leisure from a different PC.  With a 
smartcard, he would have had to done it *on* the Dev's infected PC 
*while* the smartcard was plugged in.  In theory the smartcard would not 
be plugged in all the time, thus diminishing the attack surface.

Reply to: