Re: Backport of the integer overflow in the brk system call
On Thu, Dec 04, 2003 at 02:23:54PM -0500, Matt Zimmerman wrote:
> On Tue, Dec 02, 2003 at 05:19:22PM -0800, Tom wrote:
> You must be joking. If the developer's system is compromised, and he logs
> into another system after that time, that system can be easily compromised
> also.
Yes, but the reason it would have been efficacious in this *particular*
instance is the hacker sniffed the password, and then logged on to
Debian's servers later at his leisure from a different PC. With a
smartcard, he would have had to have done it *on* the Dev's infected PC
*while* the smartcard was plugged in. In theory the smartcard would not
be plugged in all the time, thus diminishing the attack surface.
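The difference the poster is arguing about, as an added illustration that is not part of the original mail or of any Debian code: a sniffed password is a reusable credential, while a smartcard answers a fresh per-login challenge with a key that never leaves the card. The "server", "card" and user name "dev" below are made-up stand-ins (the card is modelled with an HMAC over the challenge rather than a real PKCS#11 signature), and the "compromised workstation" is simulated by simply handing the attacker whatever crossed the wire.

```python
import hashlib
import hmac
import secrets


class PasswordServer:
    """Plain password login: the secret itself crosses the wire on every login."""

    def __init__(self, users):
        # Hashed and salted at rest, as a real system would do; the weakness
        # demonstrated here is not storage but the reusability of the credential.
        self.users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self.users[name] = (salt, hashlib.sha256(salt + pw.encode()).digest())

    def login(self, name, password):
        salt, digest = self.users[name]
        return hmac.compare_digest(
            digest, hashlib.sha256(salt + password.encode()).digest())


class SmartCard:
    """Hypothetical card: the key never leaves it, and it only answers while inserted."""

    def __init__(self, key):
        self._key = key
        self.plugged_in = False

    def sign(self, challenge):
        if not self.plugged_in:
            raise RuntimeError("card not present")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Challenge-response login: every login binds to a fresh random nonce."""

    def __init__(self, users):
        self.users = users          # name -> key the card will use (constructed)
        self.pending = {}           # name -> nonce issued for the login in progress

    def challenge(self, name):
        nonce = secrets.token_bytes(32)
        self.pending[name] = nonce
        return nonce

    def verify(self, name, response):
        nonce = self.pending.pop(name, None)   # each nonce is usable exactly once
        if nonce is None:
            return False
        expected = hmac.new(self.users[name], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def password_replay_scenario():
    """Password captured on the compromised PC, replayed later from another machine."""
    server = PasswordServer({"dev": "hunter2"})        # constructed sample user
    sniffed = "hunter2"                                # keylogger/sniffer capture
    assert server.login("dev", sniffed)                # the developer's own login
    return server.login("dev", sniffed)                # attacker, days later, elsewhere


def smartcard_replay_scenario():
    """Recorded card response replayed later, and a fresh attempt without the card."""
    key = secrets.token_bytes(32)
    card, server = SmartCard(key), ChallengeServer({"dev": key})
    card.plugged_in = True
    nonce = server.challenge("dev")
    captured_response = card.sign(nonce)               # attacker records the exchange
    assert server.verify("dev", captured_response)     # the developer's own login
    card.plugged_in = False                            # developer removes the card
    server.challenge("dev")                            # later: server issues a new nonce
    replayed = server.verify("dev", captured_response) # old response, wrong nonce
    try:
        card.sign(server.challenge("dev"))             # needs the card, which is gone
        fresh = True
    except RuntimeError:
        fresh = False
    return replayed, fresh


def smartcard_live_abuse_scenario():
    """The caveat in the mail: malware on the infected PC while the card is inserted."""
    key = secrets.token_bytes(32)
    card, server = SmartCard(key), ChallengeServer({"dev": key})
    card.plugged_in = True                             # developer is mid-session
    return server.verify("dev", card.sign(server.challenge("dev")))


if __name__ == "__main__":
    print("password replay works:", password_replay_scenario())
    print("card replay works, fresh login without card works:", smartcard_replay_scenario())
    print("malware using inserted card works:", smartcard_live_abuse_scenario())
```

The last scenario is the limit of the argument: a compromised host can drive the card for as long as it is inserted (and, with a real card, can also ask it to sign anything else), so the card shortens the attacker's window rather than closing it.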