lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Feb 2013 03:35:44 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Any "large verifiers" on the panel?

On Sun, Feb 17, 2013 at 09:04:33PM -0800, Jeremi Gosney wrote:
> On 2/17/2013 8:24 PM, Daniel Franke wrote:
> > If the attacker can obtain a shell under the same uid as the webapp
> > process and go undetected for a while, then he can ptrace the webapp and
> > see the passwords as they're being passed into the hashing function.
> 
> It does not work this way anymore. At least not on modern Linux
> distributions that enable the Yama LSM, which I'm pretty sure all
> distributers started doing ~ 3 years back.

This is wishful thinking.  I'm only aware of Ubuntu doing it.

Alexander

Powered by blists - more mailing lists