Message-ID: <21CEFB435C61D411B7B500E04C684D360C92FB@brdntpdc>
From: JGommers at gfo.nl (Gommers, Joep)
Subject: RE: remote kernel exploits?

Ola

Couldn't agree more, if indeed such an exploit (and therefore a bug) exists it
must be brought to the surface. Maybe notifying our friends at honeypots@
would be a good idea, finding ways to detect such an attack.

Joep


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi again

A number of people have pointed out to me that ~el8 is a group,
not an individual. My bad on that point. It's also apparent
that many are afraid to stick their necks out when mentioning
this group, judging by the number of emails sent to me that
weren't CC'd to the lists.

I really don't understand what the problem is. Isn't it in our
best interests to openly discuss these remote kernel
vulnerabilities? Or is everyone content with this group of
kids being able to gain access to almost anything they
choose just because of someone's choice of operating system? And
what kind of researcher would've given them these tools before
notifying the rest of us anyway? I really think it's time
to let the cat out of the bag on this issue.

It's been reported to me that if the vulnerability rumours are
true, then even most firewall setups would be completely futile.
So am I just supposed to remain quiet about this like everyone
else and hope I'm not attacked?

My friend told me that there is no guarantee that any source
tree fixes actually fix the bugs that these kids have access
to. So in other words, unless one of these brats comes forward
or the irresponsible security professional who was reckless
with the information, we can never be sure that we have an
operating system with these bugs fixed.

If they don't deface websites with these exploits, then what
do they do? Steal credit card information? Makes little
difference to my argument.



