lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041221152221.A15438@dougal.mew.co.uk>
Date: Tue, 21 Dec 2004 15:22:21 -0500
From: Stephen Harris <bugtraq@...ddy.org>
To: bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories


On Mon, Dec 20, 2004 at 05:14:22PM -0600, Jonathan T Rockway wrote:
> Two points.
> 
> Regarding local versus remote, look at it this way:  You have a 100%
> secure system.  Then you install NASM.  Now a user FROM THE NETWORK can
> send you some tainted assembly code for you to assemble and he can
> compromise your account.  That is why it is considered remote.  Local

And so we have a distinction without meaning.

I could take a machine with no external connectivity beyond a single
keyboard and monitor and by typing in a listing from a piece of paper
use a command to reformat the system and lose all data.  Remote exploit?
By your usage of the term it is.

In your example, a local user MUST take action in order to perform
the exploit, therefore the exploit is local.  Your "FROM THE NETWORK"
is meaningless; it could be sent on floppy or printout or via psychic
rays and get the same result.

> Now in regards to full disclosure, I think you should all be happy that we
> bothered to tell you all about these exploits.  We could have selfishly

And thus years of discussion on this, and other, lists about responsibility
and concern goes out of the window.  But that's a matter between you and
your conscience.  Be happy!

-- 

rgds
Stephen


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ