On Mon, Apr 19, 2004 at 11:18:41AM -0700, Matt Zimmerman wrote: > On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote: > > > Come on, Matt: Virtually all terminal emulators are vulnerable, and the > > vulnerability is a common knowledge. The abovementioned paper was on > > Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do > > something about it themselves (filing RC bugs at least)? > > You are part of a community, not somebody purchasing a service. Take some > initiative and contribute. And as a part of this community, I am saying right now: We have a big problem, and the problem is we don't deal with security issues known for decades, while happily convincing newcomers our system is fairly secure. It's not. Haha, I can feel the free spirit of the computer labs of the late sixties: /usr/src/linux/drivers/char/console.c: >>> case 12: /* bring specified console to the front */ >>> if (par[1] >= 1 && vc_cons_allocated(par[1]-1)) >>> set_console(par[1] - 1); >>> break; % ssh kh jan@kh's password: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63 % while :; do echo -e '\033[12;63]' > /dev/tty63; done > The security team does not have the resources to audit Debian, and can > barely keep up with new issues as they become known. Pointing and whining > doesn't help. This is a *known issue*. It just seems there is no will to fix this... for over a decade. If Debian is going to be as insecure as this, why don't all the Security Team take a long pleasurable holiday, after all? -- Q: To prece nejde nekoho zastrelit jen tak. Kazdy ma sva nezadatelna lidska prava, i ten zlocinec. Bylo fakt nutne strilet? A: To urcite nebylo. Mohli ho chytit a ukopat.
Attachment:
pgp8VmT9GfpPf.pgp
Description: PGP signature