lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3F3D2AEE.5000007@immunix.com>
Date: Fri, 15 Aug 2003 11:48:14 -0700
From: Crispin Cowan <crispin@...unix.com>
To: Shaun Clowes <shaun@...urereality.com.au>
Subject: Re: Buffer overflow prevention


Shaun Clowes wrote:

>Perhaps I'm the only one who feels this way, but I believe that the vast
>majority of the exploitation of systems is being performed by people
>with no knowledge of how to write an exploit and that the vast majority
>of exploits are fragile. Doing anything that makes you different from
>every other installation of Linux/HPUX/Solaris/InsertOSHere will
>drastically decrease the changes of any point and click exploit working
>against you.
>
>Could a determined (and knowledgable) attacker still get through? Sure.
>But if we're talking protections that take very little effort to
>implement, have a minor performance impact and will save your
>skin some of the time, it's obvious that it's worth deploying them. As
>long as you're not kidding yourself that you're then totally secure.
>
Exactly: trivial changes will protect you from script kiddies. 
Non-bypassability is required to protect you from determined attackers. 
It depends on your threat model: how much will a penetration event cost 
you? What is it worth to someone to hack you?

>Its kind of reminiscent of that old joke about the two guys running away
>from the lion. You don't have to beat the lion, just the other person. 
>
But if you taste better (you are a bank and he is a basement RH box) 
then the lion may choose to chase you anyway.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ