| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEJizbYD-WjEEU2wJciW=QzwodRVbCuY2xm9gNVEvtv1e5vSDA@mail.gmail.com>
Date: Sat, 10 Nov 2012 18:49:29 +0000
From: Benji <me@...ji.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: TTY handling when executing code in
lower-privileged context (su, virt containers)
The advice weakens your system from a local perspective granted, but if an
attacker has a local user on your box already, it's already game over.
Yes, if you were a user with intelligence. I must've forgot that everyone
that uses a computer does so with sense.
On Sat, Nov 10, 2012 at 6:30 PM, Michal Zalewski <lcamtuf@...edump.cx>wrote:
> > I think you've taken that far too literaly. My understanding of it is to
> > protect against a) brute force retardation b) dumb attackers.
>
> The advice weakens the security of your system, because it means I
> just need to compromise your unprivileged account (in which you run
> your browser, mail client, and so on) to own the entire box.
>
> As for the benefits, care to elaborate? I'm not sure what a) and b)
> really mean. If you're worried about brute-force, don't use trivial
> passwords. If you worry about opportunistic attacks, do that and then
> patch your stuff every now and then.
>
> /mz
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists