Re: Backport of the integer overflow in the brk system call

On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:

> Yes, but the reason it would have been efficacious in this *particular*
> instance is the hacker sniffed the password, and then logged on to
> Debian's servers later at his leisure from a different PC.  With a
> smartcard, he would have had to do it *on* the Dev's infected PC *while*
> the smartcard was plugged in.  In theory the smartcard would not be
> plugged in all the time, thus diminishing the attack surface.

Not really; he just has to set things up ahead of time.  This is like
claiming the attacker has to be present in order to sniff your password from
a telnet session (he doesn't; he just has to have been around at any time
before then in order to set up a sniffer).

 - mdz

