
Re: Debian Hardened project (question about use of the "Debian" trademark)






Lorenzo Hernandez Garcia-Hierro wrote:

[...]

Good, at least you understand that :)

|>
|>Yes and then the program halts and gets SIGABRT.  Do you not know what a
|>DoS attack is?
|>
|>[...]
|
|
| Duty of Shame ?
| OK, leaving the Fun Mode off...
| (here, Spain, it's 23:00 and I'm tired, I've started the school this week
| and it's the last course to get in the "high school", two years more and
| then the university...I must work harder! ;-D )
| ProPolice sends messages to /var/log/messages and also to the last
| 4kbytes of dmesg, or whatever you have selected to be used by syslogd.
| The idea is simple: ANY package will be more secure compiled with PIE &
| SSP/PPolice than compiled itself without any other extension (in this
| case, security related).
|

Yes but the point is that while you deflect the intrusion, I can still
rape the program raw and continually force it to terminate.

Also, in cases such as Apache, which populates the system with fork()s
of itself, the address space isn't rerandomized; the SSP canary isn't
rerandomized; and overall it's very difficult to prevent an attacker
from rabidly drilling into the skin of these daemons and going until he
hits both of these.  This can be done in probably an hour or so.  In
these events, SSP and ASLR become like passwords:  They deflect attacks
nicely, but can be directly exploited by an attacker with enough time.

Imagine having a vulnerable Xchat too.  Attacker can't come in; but you
can NOT stop some jackass from just {DCC SEND "@*Y^!!!!!"" 1999999999999
! ! ! ! ! ! ! } and taking you down whenever he wants.

It's less pressing when you have these; but you do still need to get up
to date with security patches.

|

[...]
--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
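
The fork() behaviour described in the message above, as an added example that is not part of the original post. It assumes Linux with glibc, which seeds the SSP canary from the kernel-supplied AT_RANDOM bytes; `struct layout`, `snapshot` and `identical_workers` are names made up for this illustration.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/wait.h>

/* Randomized state a process can observe about itself. */
struct layout {
    uintptr_t stack_addr;   /* a stack local: stack randomization */
    uintptr_t code_addr;    /* a function in this binary: PIE base */
    uintptr_t libc_addr;    /* a libc function: shared-library base */
    unsigned char seed[16]; /* AT_RANDOM bytes; glibc seeds the SSP canary from them */
};

static void snapshot(struct layout *out) {
    const void *seed = (const void *)getauxval(AT_RANDOM);
    memset(out, 0, sizeof *out);
    out->stack_addr = (uintptr_t)&seed;
    out->code_addr = (uintptr_t)&snapshot;
    out->libc_addr = (uintptr_t)&getauxval;
    if (seed) memcpy(out->seed, seed, sizeof out->seed);
}

/* Fork n workers as a prefork daemon does; returns how many match worker 0, or -1 on error. */
int identical_workers(int n) {
    struct layout first = {0}, cur;
    int same = 0, fd[2];
    for (int i = 0; i < n; i++) {
        pid_t pid;
        if (pipe(fd) != 0 || (pid = fork()) < 0) return -1;
        if (pid == 0) {  /* worker: fork() without exec(), nothing is re-randomized */
            snapshot(&cur);
            _exit(write(fd[1], &cur, sizeof cur) == (ssize_t)sizeof cur ? 0 : 1);
        }
        close(fd[1]);
        ssize_t got = read(fd[0], &cur, sizeof cur);
        close(fd[0]);
        waitpid(pid, NULL, 0);
        if (got != (ssize_t)sizeof cur) return -1;
        if (i == 0) first = cur;
        if (memcmp(&first, &cur, sizeof cur) == 0) same++;
    }
    return same;
}

int main(void) {
    printf("%d of 4 workers share layout and canary seed\n", identical_workers(4));
}
```

A worker started through exec() receives a fresh AT_RANDOM seed and address-space layout from the kernel, so a daemon that re-executes its workers does not carry this shared state from one worker to the next.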



