Message-Id: <A9BEFE55-3307-4F3E-BFBF-AE57724EA58A@ece.cmu.edu>
Date: Sun, 17 Sep 2006 11:23:36 -0400
From: "Brandon S. Allbery KF8NH" <allbery@....cmu.edu>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: AFS - The Ultimate Sulution? -- What is the point?
On Sep 17, 2006, at 10:03 , Valdis.Kletnieks@...edu wrote:
> Go back and re-read the last few batches of AFS updates, and ask yourself
> for each bugfix "Could this *potentially* have been leveraged by a clued
> hacker?".
I haven't noticed many issues beyond potential denial of service
attacks --- which are mitigated to some extent by replication (of
course, someone could go after *all* the servers...). The biggest
problems at this point are:
- if you get the afs/cell@...LM key, you've got the entire cell
- no data encryption to speak of (fcrypt? it is to laugh)
Work is being done on both fronts, although I'm not the right person
to speak to about either.
In any case, you need to lock up your DB and file servers as tight as
you can if you want the cell to be at all secure.
(Unfortunately, I don't think anyone has, other than inadvertently,
tested how AFS reacts to invalid packets. One of those things I'd
love to do if I ever got a few round tuits....)
--
brandon s. allbery [linux,solaris,freebsd,perl] allbery@...nh.com
system administrator [openafs,heimdal,too many hats] allbery@....cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/