Re: Backport of the integer overflow in the brk system call

On Thu, Dec 04, 2003 at 11:55:26AM -0800, Tom wrote:
> instance is the hacker sniffed the password, and then logged on to 
> Debian's servers later at his leisure from a different PC.  With a 

Instead of a smartcard/token/whatever physical device, this incident
could possibly have been thwarted by requiring developers to pre-register
their machine with the project (using ssh host key for example).  The
attacker would have the user's account information, but project machines
would have refused access since the host id did not match the user's
registered hosts.  Then the project machine could have alerted both the
project's admin team and the owner of the compromised account.

The initial compromise would have been detected sooner, and project
machines protected *without* any additional hardware or money being


Patrick Ouellette
Amateur Radio: KB8PYM 
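The check Patrick describes above (password alone is not enough; the connecting machine must also be one the developer pre-registered, and a correct password from an unregistered host is itself an alert condition) can be sketched as a small policy function. The following is an added illustration, not code from the thread or from Debian's infrastructure; the host keys, the user name, the password and the registry contents are all constructed for the example, and the unsalted SHA-256 password store is a stand-in only, not a recommendation for real credential storage.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample host public keys. In practice these would be the contents of
# /etc/ssh/ssh_host_*_key.pub on each developer's registered machine; the bytes
# below are made up for the example and are not real key material.
DEV_LAPTOP_HOSTKEY = b"ssh-ed25519 constructed-key-material-for-dev-laptop"
ATTACKER_HOSTKEY = b"ssh-ed25519 constructed-key-material-for-attacker-box"


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a host public key in the OpenSSH-style 'SHA256:<base64>' form
    (base64 padding stripped, as ssh-keygen prints it)."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Per-user registry of pre-registered host fingerprints (hypothetical data).
REGISTERED_HOSTS = {
    "alice": {fingerprint(DEV_LAPTOP_HOSTKEY)},
}


def _pw_hash(password: str) -> str:
    # Stand-in for a password database; a real one would use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


PASSWORDS = {"alice": _pw_hash("correct horse battery staple")}  # constructed


@dataclass
class Decision:
    allowed: bool
    reason: str
    # Alert messages to deliver; empty when nothing suspicious happened.
    alerts: list = field(default_factory=list)


def authenticate(user: str, password: str, client_hostkey: bytes, client_addr: str) -> Decision:
    """Allow the login only if the password is right AND the client's host key is one
    the user registered with the project. A right password from an unregistered host
    is the stolen-credential pattern, so it is refused and reported to the admin team
    and to the account owner."""
    stored = PASSWORDS.get(user)
    if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
        # Ordinary failed login: refuse, no alert (would be handled by normal rate limiting).
        return Decision(False, "bad credentials")

    fp = fingerprint(client_hostkey)
    if fp in REGISTERED_HOSTS.get(user, set()):
        return Decision(True, "credentials ok, host registered")

    alerts = [
        f"admin: valid password for {user} presented from unregistered host "
        f"{client_addr} ({fp})",
        f"owner:{user}: a login with your password was attempted from unregistered host "
        f"{client_addr}; your credentials may be compromised",
    ]
    return Decision(False, "host not registered for user", alerts)


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", DEV_LAPTOP_HOSTKEY, "10.0.0.5"))
    print(authenticate("alice", "correct horse battery staple", ATTACKER_HOSTKEY, "203.0.113.7"))
```

OpenSSH has a built-in mechanism in this spirit: `HostbasedAuthentication yes` in `sshd_config`, with the permitted client hosts listed in `/etc/ssh/shosts.equiv` (or `~/.shosts`) and their host keys in `/etc/ssh/ssh_known_hosts`; the client proves possession of its host key through `ssh-keysign`. The alerting half in the sketch above is not something sshd does by itself and would have to come from log monitoring.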