Hi John,
El sáb, 18-09-2004 a las 00:20, John Richard Moser escribió:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Lorenzo Hernandez Garcia-Hierro wrote:
>
> [...]
>
> Good, at least you understand that :)
>
> |>
> |>Yes and then the program halts and gets SIGABRT. Do you not know what a
> |>DoS attack is?
> |>
> |>[...]
> |
> |
> | Duty of Shame ?
> | OK, leaving the Fun Mode off...
> | (here, Spain, it's 23:00 and 'm tired, i've started the school this week
> | and its the last course to get in the "high school", two years more and
> | then the university...i must work harder! ;-D )
> | ProPolice sends messages to /var/log/messages and also to the last
> | 4kbytes of dmesg, or whatever you have selected to be used by syslogd.
> | The idea is simple: ANY package will be more secure compiled with PIE &
> | SSP/PPolice than compiled itself without any other extension (in this
> | case, security related).
> |
>
> Yes but the point is that while you deflect the intrusion, I can still
> rape the program raw and continually force it to terminate.
>
> Also, in cases such as Apache, which populates the system with fork()s
> of itself, the address space isn't rerandomized; the SSP canary isn't
> rerandomized; and overall it's very difficult to prevent an attacker
> from rabidly drilling into the skin of these daemons and going until he
> hits both of these. This can be done in probably an hour or so. In
> these events, SSP and ASLR become like passwords: They deflect attacks
> nicely, but can be directly exploited by an attacker with enough time.
>
> Imagine having a vulnerable Xchat too. Attacker can't come in; but you
> can NOT stop some jackass from just {DCC SEND "@*Y^!!!!!"" 1999999999999
> ! ! ! ! ! ! ! } and taking you down whenever he wants.
>
> It's less pressing when you have these; but you do still need to get up
> to date with security patches.
>
Yes, you're right, anyway, ETDYN, etc, there's life out of PIE & SSP.
In words of Alan Cox..."Obscurity does not bring security" ;-)
I must go to sleep...good night!
Cheers,
PS:We will continue with this tomorrow,maybe, but i want to know what do
you think about DH, and also, if you would mind collaborating with it.
I'm having no replies from the Debian Security guys (referring to this
mail, i'll send an email to Steve tomorrow, possibly he is busy or out
of "office"), i would like to talk with jfs, he is spanish and i think
we can talk clearly and then communicate the decisions in the best way.
--
Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
Attachment:
signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente