Re: Backport of the integer overflow in the brk system call
On Sun, Dec 07, 2003 at 09:16:58PM -0500, Patrick Ouellette wrote:
> Instead of a smartcard/token/whatever physical device, this incident
> could possibly have been thwarted by requiring developers to pre-register
> their machine with the project (using ssh host key for example). The
> attacker would have the user's account information, but project machines
> would have refused access since the host id did not match the user's
> registered hosts. Then the project machine could have alerted both the
> project's admin team and the owner of the compromised account.
Given that the easiest way to get a developer's password is to compromise a
machine that person logs into Debian systems from, I doubt this well help
that much. :-) The only exception I can see would be if the user uses the
same password for his/her Debian account and some other system, and the
attacker is smart enough (read: wants to go specifically after Debian) to
test that password on d.o as well.
/* Steinar */