When I say Bill I didn't mean Bill Gates but Bill Bogstad. Just in case.. LOL

ReK2

On Tuesday 06 August 2002 15:27, ReK2WiLdS wrote:
> I agree with Bill.... 100% no excuses.
>
> rek2
>
> On Tuesday 06 August 2002 16:22, Bill Bogstad wrote:
> > Derek Kramer wrote:
> >
> > > On Tue, 6 Aug 2002, Derek D. Martin wrote:
> > >> If you're relying on Windows privileges to secure your network, you're
> > >> basically screwed. A whitepaper was released today detailing how to
> > >> gain localsystem privileges on any Win32-based platform. And the
> > >> kicker is, because it takes advantage of a fundamental flaw in the
> > >> design of Windows, it's basically unpatchable, requiring a complete
> > >> overhaul of the Windows messaging system to fix.
> > >>
> > >> And the best part is, if you're providing terminal services via a
> > >> Citrix server, anyone can own your server, and you'll never be able to
> > >> stop them...
> > >>
> > >> http://security.tombom.co.uk/shatter.html
> > >
> > > I read this in detail, and I hate to admit that I agree with Microsoft.
> > > Once bad people are sitting logged onto your machine, you should already
> > > consider it compromised, regardless of what techniques the bad person
> > > has at their disposal.
> >
> > So a command line overflow exploit in a setuid-root ps binary on a
> > UNIX machine is unimportant because you shouldn't ever let 'bad
> > people' have a login on your machine? I thought security was about
> > being able to limit the resources that a user could access on a
> > machine even when they had some level of legal access. You seem to be
> > advocating a security model of 'good' and 'bad' users where 'good
> > users' can do anything and 'bad users' can do nothing. Maybe you
> > missed the part where this worked via terminal services as well. You
> > don't need physical access, apparently you only need the equivalent of
> > a UNIX login.
> >
> > I believe that any operating system vendor who claims
> > that something isn't a security issue because you have to have some
> > level of valid access to exploit it should be condemned. PERIOD.
> >
> > Bill Bogstad
> > bogstad at pobox.com
> >
> > _______________________________________________
> > Discuss mailing list
> > Discuss at blu.org
> > http://www.blu.org/mailman/listinfo/discuss