lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <55FC2F69.9030609@gmail.com>
Date:	Fri, 18 Sep 2015 11:36:09 -0400
From:	Austin S Hemmelgarn <ahferroin7@...il.com>
To:	Ortwin Glück <odi@....ch>,
	Drew DeVault <sir@...wn.com>,
	Richard Weinberger <richard@....at>
Cc:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: Failover root devices

On 2015-09-18 11:04, Ortwin Glück wrote:
>> If you have physical access then the machine is yours to do with as
>> you please.
>
> Thinking of ATMs or voting machines that is a bold statement :-)
Many voting machines already have known ACE exploits already (I 
distinctly remember a while back some CS students demonstrated a 
'modern' voting machine playing PAC-Man without modifying any of the 
hardware at all), and those that have network access or other accessible 
peripheral connections are inherently insecure, period.

And most ATM's (at least in the US) run Windows (_shivers_) XP or 
eCommStation (the current commercial version of OS/2 (yes it still lives 
on), neither of which is particularly secure even when it comes to 
remote access to the system, and even then, the kind of access you need 
would involve3 directly tampering with the system.

Irrespective of that, neither one should be configured to work like 
that.  The intent is for custom setups primarily, if some company 
decides to use this in an insecure way, that's their problem, not ours 
(it's really easy to use a wide number of kernel features in ways that 
compromise security, that doesn't mean we should just rip those out).
>
> Thinking of mobile phones it depends on your jurisdiction.
This isn't a legal ruling, it's a simple statement of fact, if someone 
has physical access to a system, they effectively have root access, 
period.  While this is not probably what the above comment was directly 
referring to, it is an established fact.



Download attachment "smime.p7s" of type "application/pkcs7-signature" (3019 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ