[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4513E7CE.8090309@kennedyinfo.com>
Date: Fri, 22 Sep 2006 09:40:30 -0400
From: Troy Cregger <tcregger@...nedyinfo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Linux kernel source archive vulnerable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I mentioned that the gentoo kernel does not have this problem, other
distros have been shown to have safe file permissions in the kernel
tree, so there is a way to have permissions 'fixed' on distribution. But
before that, and ultimately, it's up to us to ensure that our systems
are secure...
> So if a car is designed with a steering wheel that punctures your chest
> if you get in a crash and you are not wearing a seatbelt, that is not a
> disgn flaw because you should wear a seatbelt?
Correct.
The point I think, that's been made in this thread already, it's a
matter of dogma, and best practices. To use the car analogy again, most
cars have airbags, but there's still plenty of them out there that don't
and it's up to the people who drive them to fasten the seat belt.
Personally, I have an airbag AND wear a seatbelt.
T.
Schanulleke wrote:
> Chris Umphress wrote:
>>> That assumes a proper umask. The kernel source should not depend on
>>> the end user's umask being setup properly.
>> Is it the kernel developers' fault if your umask is extremely lax for
>> a normal user? If it is lax, security of the kernel source isn't your
>> only problem.... Security in general is.
>>
>
> So what you say is.
> If there is a fault in a system that you could mitigate by certain
> behaviour, then it is your own responcibility to take that behaviour and
> the fault should not be fix.
>
> So if a car is designed with a steering wheel that punctures your chest
> if you get in a crash and you are not wearing a seatbelt, that is not a
> disgn flaw because you should wear a seatbelt?
>
> Ever heard of defense in depth????
>
> Schanulleke
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
- --
Troy Cregger
Lead Developer, Technical Products.
Kennedy Information, Inc
One Phoenix Mill Ln, Fl 3
Peterborough, NH 03458
(603)924-0900 ext 662
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFE+fOnBEWLrrYRl8RAqbVAJ9mtuOfLaprYFjyVX9UZ+dQOq4+9wCeNow+
2o7gSb4Shtdyex9qqnXxZK8=
=1CKh
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists