lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20040330181441.GC12787@umich.edu>
From: marius at umich.edu (marius aamodt eriksen)
Subject: Re: systrace silently patches full local bypass vulnerability on Linux

what's up with brad spengler?

brad has told me in person that he would not do security commercially
since he believed that would change the motivation for doing security
work; that it would become competitive, and thus "unpure."  brad -
what is your motivation now?

do you consider systrace a competitor now?  why are your motivations
now seemingly not pure?

as a member of the PHC, brad is credited with contributing to text
such as

   --[ 3.1.1 PHC-switch-a-w00

   This is an idea spawned off many, many hours of television from
   warez mullah. He suggested that you create a fake identity by
   creating a paper trail to your whitehat or w00w00 member because
   they make so much money for selling out. I suggest using someone
   like Dug Song because I'm sure Arbornet pays him pretty well for
   writing _shit_. Although I hear Niels Provos author of systrace
   (most useless and bug ridden security tool EVER) is now employed at
   Google. I would basically rely on using their credit card
   information to fund your jihad. So when the police go and track
   down serial numbers and shit like that. Their cc# connects to the
   shit you bought. Great for buying illegal hardware to store images
   monkey.org's user accounts! 

as you can see, brad uses his awesome interpersonal skills to make
friends with respected members of the computer security community.
people who have made real contributions, both academic and in
important software.

brad, isn't it funny we all presented projects, side-by-side, and had
fruitful discussions about computer security?  what happened?

   http://lsm.abul.org/program/topic02/topic02.php3

this attitude of yours seems to be consistent,

   http://www.monkey.org/openbsd/archive/misc/0304/msg01399.html

and even through artistic expression

   http://www.grsecurity.net/~spender/dsc18910.jpg

archived at

   http://monkey.org/~marius/tmp/spender-art-dsc18910.jpg

in case he changes it.

so brad -- what's up?

and for the record -- the reason i did not make a big fuss about the
ptrace issue is that in order to actually escape systrace protection
with this, the user would have to ehtier ptrace the process themselves
and/or explicitly allow sys_ptrace in the respective policy/ies.

marius.

-- 
marius a eriksen <marius@...ch.edu> | http://www.citi.umich.edu/u/marius/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ