| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 17 Sep 2006 11:23:36 -0400 From: "Brandon S. Allbery KF8NH" <allbery@....cmu.edu> To: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: AFS - The Ultimate Sulution? -- What is the point? On Sep 17, 2006, at 10:03 , Valdis.Kletnieks@...edu wrote: > Go back and re-read the last few batches of AFS updates, and ask > youself > for each bugfix "Could this *potentially* have been leveraged by a > clued > hacker?". I haven't noticed many issues beyond potential denial of service attacks --- which are mitigated to some extent by replication (of course, someone could go after *all* the servers...). The biggest problems at this point are: - if you get the afs/cell@...LM key, you've got the entire cell - no data encryption to speak of (fcrypt? it is to laugh) Work is being done on both fronts, although I'm not the right person to speak to about either. In any case, you need to lock up your DB and file servers as tight as you can if you want the cell to be at all secure. (Unfortunately, I don't think anyone has, other than inadvertently, tested how AFS reacts to invalid packets. One of those things I'd love to do if I ever got a few round tuits....) -- brandon s. allbery [linux,solaris,freebsd,perl] allbery@...nh.com system administrator [openafs,heimdal,too many hats] allbery@....cmu.edu electrical and computer engineering, carnegie mellon university KF8NH _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists