| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Sep 2006 09:40:30 -0400 From: Troy Cregger <tcregger@...nedyinfo.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Linux kernel source archive vulnerable -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I mentioned that the gentoo kernel does not have this problem, other distros have been shown to have safe file permissions in the kernel tree, so there is a way to have permissions 'fixed' on distribution. But before that, and ultimately, it's up to us to ensure that our systems are secure... > So if a car is designed with a steering wheel that punctures your chest > if you get in a crash and you are not wearing a seatbelt, that is not a > disgn flaw because you should wear a seatbelt? Correct. The point I think, that's been made in this thread already, it's a matter of dogma, and best practices. To use the car analogy again, most cars have airbags, but there's still plenty of them out there that don't and it's up to the people who drive them to fasten the seat belt. Personally, I have an airbag AND wear a seatbelt. T. Schanulleke wrote: > Chris Umphress wrote: >>> That assumes a proper umask. The kernel source should not depend on >>> the end user's umask being setup properly. >> Is it the kernel developers' fault if your umask is extremely lax for >> a normal user? If it is lax, security of the kernel source isn't your >> only problem.... Security in general is. >> > > So what you say is. > If there is a fault in a system that you could mitigate by certain > behaviour, then it is your own responcibility to take that behaviour and > the fault should not be fix. > > So if a car is designed with a steering wheel that punctures your chest > if you get in a crash and you are not wearing a seatbelt, that is not a > disgn flaw because you should wear a seatbelt? > > Ever heard of defense in depth???? > > Schanulleke > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ - -- Troy Cregger Lead Developer, Technical Products. Kennedy Information, Inc One Phoenix Mill Ln, Fl 3 Peterborough, NH 03458 (603)924-0900 ext 662 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFE+fOnBEWLrrYRl8RAqbVAJ9mtuOfLaprYFjyVX9UZ+dQOq4+9wCeNow+ 2o7gSb4Shtdyex9qqnXxZK8= =1CKh -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists