lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Sep 2013 18:23:53 -0400
From: Jeffrey Walton <>
To: Valdis Kletnieks <>
Cc: full-disclosure <>,
 Steve Wray <>
Subject: Re: Internet has vuln.

On Thu, Sep 12, 2013 at 3:23 PM,  <> wrote:
> On Thu, 12 Sep 2013 08:57:55 +0800, Steve Wray said:
>> In some cases it could be quite difficult to disengage from NSA-influenced
>> projects, eg selinux. So far as I can tell this is pretty much everywhere
>> now. Redhat embraced it ages ago, its been integrated in the kernel since
>> 2.6, so how do we opt out of selinux?
> Well, given that SELinux *did* come out of the NSA, but has had tons of code
> review of the base code (which isn't really all that much) and the actual
> policy files (which is where I'd hide a backdoor, they're a lot more obscure
> than the actual kernel code), by lots of people who would have *loved* to be
> the one who caught the NSA doing something underhanded, I think you're barking
> up an entirely incorrect tree.
They ignored my comments on fixed size arrays based on MAX_PATH and
the subsequent overflows and silent truncations due to use of sprintf
and snprintf....


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists