
BLU Discuss list archive



Microsoft does it again



I agree with Bill.... 100% no excuses.

rek2


On Tuesday 06 August 2002 16:22, Bill Bogstad wrote:
> Derek Kramer wrote:
>
> On Tue, 6 Aug 2002, Derek D. Martin wrote:
> >> If you're relying on Windows privileges to secure your network, you're
> >> basically screwed.  A whitepaper was released today detailing how to
> >> gain localsystem privileges on any Win32-based platform.  And the
> >> kicker is, because it takes advantage of a fundamental flaw in the
> >> design of Windows, it's basically unpatchable, requiring a complete
> >> overhaul of the Windows messaging system to fix.
> >>
> >> And the best part is, if you're providing terminal services via a
> >> Citrix server, anyone can own your server, and you'll never be able to
> >> stop them...
> >>
> >>   http://security.tombom.co.uk/shatter.html
> >
> >I read this in detail, and I hate to admit that I agree with Microsoft.
> >Once bad people are sitting logged onto your machine, you should already
> >have considered it compromised, regardless of what techniques the bad person
> >has at their disposal.
>
> So a command line overflow exploit in a setuid-root ps binary on a
> UNIX machine is unimportant because you shouldn't ever let 'bad
> people' have a login on your machine?  I thought security was about
> being able to limit the resources that a user could access on a
> machine even when they had some level of legal access.  You seem to be
> advocating a security model of 'good' and 'bad' users where 'good
> users' can do anything and 'bad users' can do nothing.  Maybe you
> missed the part where this worked via terminal services as well.  You
> don't need physical access, apparently you only need the equivalent of
> a UNIX login.  I believe that any operating system vendor who claims
> that something isn't a security issue because you have to have some
> level of valid access to exploit it should be condemned. PERIOD.
>
> 				Bill Bogstad
> 				bogstad at pobox.com





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.