lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Sep 2013 18:23:53 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Valdis Kletnieks <Valdis.Kletnieks@...edu>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
 Steve Wray <stevedwray@...il.com>
Subject: Re: Internet has vuln.

On Thu, Sep 12, 2013 at 3:23 PM,  <Valdis.Kletnieks@...edu> wrote:
> On Thu, 12 Sep 2013 08:57:55 +0800, Steve Wray said:
>
>> In some cases it could be quite difficult to disengage from NSA-influenced
>> projects, eg selinux. So far as I can tell this is pretty much everywhere
>> now. Redhat embraced it ages ago, its been integrated in the kernel since
>> 2.6, so how do we opt out of selinux?
>
> Well, given that SELinux *did* come out of the NSA, but has had tons of code
> review of the base code (which isn't really all that much) and the actual
> policy files (which is where I'd hide a backdoor, they're a lot more obscure
> than the actual kernel code), by lots of people who would have *loved* to be
> the one who caught the NSA doing something underhanded, I think you're barking
> up an entirely incorrect tree.
They ignored my comments on fixed size arrays based on MAX_PATH and
the subsequent overflows and silent truncations due to use of sprintf
and snprintf....

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists