Date: Fri, 9 Jul 2004 01:47:34 -0400 (EDT)
From: devnull@...ents.Montreal.QC.CA
To: BUGTRAQ@...urityfocus.com
Subject: Re: Suggestion: erase data posted to the Web


[I am so thoroughly sick of broken-bounces cluttering up my mailbox
every time I mail to bugtraq that I'm posting with a From: address that
accepts mail and completely discards it.  Use the address in my
signature if you want to actually reach me.]

> Of course, it's trivial to memset over a sensitive area when you're
> done with it, so programs ought to do so.  Locking pages to prevent
> them from being written to disk may be more difficult: if it doesn't
> require special privilege then it's a potential DOS against physical
> memory resources, and if it does, then you may have to grant programs
> more privilege than they should have, creating a worse security hole.

The only security hole you'd create would be that DOS you mention.

Unless, of course, you're using an OS with a severely broken privilege
system, like the all-or-nothing model most Unix variants use.  But
nobody would be silly enough to try to write secure code under
something like that, surely?

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@...ents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
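
The two measures discussed in this message, wiping a sensitive buffer and locking its pages so they are not written to swap, are sketched below as an added example that is not part of the original post. It assumes a POSIX system providing mlock() and getrlimit(); the names secret_alloc, secret_wipe, secret_free and demo_residue are hypothetical. It also prints RLIMIT_MEMLOCK, the resource limit that bounds how much memory a process may lock.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Zero through a volatile pointer so the compiler cannot drop the wipe
   as a dead store, which it may do with a plain memset before free(). */
static void secret_wipe(void *p, size_t n) {
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* Page-aligned buffer; *locked reports whether mlock() pinned it in RAM.
   A refused lock (EPERM/ENOMEM/EAGAIN) is reported, not treated as fatal. */
static void *secret_alloc(size_t n, size_t *len, int *locked) {
    void *p = NULL; long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return NULL;
    *len = (n + (size_t)page - 1) / (size_t)page * (size_t)page; /* whole pages */
    if (posix_memalign(&p, (size_t)page, *len) != 0) return NULL;
    *locked = (mlock(p, *len) == 0);
    return p;
}

static void secret_free(void *p, size_t len, int locked) {
    secret_wipe(p, len);                 /* wipe while the pages are still locked */
    if (locked) munlock(p, len);
    free(p);
}

/* Demo helper: fill, wipe, then count bytes that survived the wipe. */
static size_t demo_residue(const char *secret) {
    size_t len, left = 0; int locked;
    unsigned char *buf = secret_alloc(strlen(secret) + 1, &len, &locked);
    if (!buf) return (size_t)-1;
    memcpy(buf, secret, strlen(secret) + 1);
    secret_wipe(buf, len);
    for (size_t i = 0; i < len; i++) left += (buf[i] != 0);
    secret_free(buf, len, locked);
    return left;
}

int main(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0)   /* soft cap on locked memory */
        printf("RLIMIT_MEMLOCK soft limit: %llu\n", (unsigned long long)rl.rlim_cur);
    printf("bytes left after wipe: %zu\n", demo_residue("constructed-sample-password"));
    return 0;
}
```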

