[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Backport of the integer overflow in the brk system call

On Sun, Dec 07, 2003 at 09:16:58PM -0500, Patrick Ouellette wrote:
> Instead of a smartcard/token/whatever physical device, this incident
> could possibly have been thwarted by requiring developers to pre-register
> their machine with the project (using ssh host key for example).  The
> attacker would have the user's account information, but project machines
> would have refused access since the host id did not match the user's
> registered hosts.  Then the project machine could have alerted both the
> project's admin team and the owner of the compromised account.

Given that the easiest way to get a developer's password is to compromise a
machine that person logs into Debian systems from, I doubt this well help
that much. :-) The only exception I can see would be if the user uses the
same password for his/her Debian account and some other system, and the
attacker is smart enough (read: wants to go specifically after Debian) to
test that password on d.o as well.

/* Steinar */
Homepage: http://www.sesse.net/

Reply to: