Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

djberg96 (2603)

djberg96
  (email not shown publicly)

Journal of djberg96 (2603)

Tuesday June 01, 2004
12:49 PM

Thoughts on security

[ #19033 ]
Every now and then on IRC you here a conversation about security. It usually starts off with someone from the Linux camp griping about Windows security. This is often followed by someone from the FreeBSD camp stating that Linux isn't much better, statistically speaking. The Linux camp then retorts that there may be bugs, but they're nowhere as severe as Windows, etc, etc.

The recent CVS hack (you *have* upgraded to 1.11.16, right?) reminds me of something - your system is only as secure as your weakest 3rd party app.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • Your weakest 3rd-party setuid app is the danger point; a non-setuid weak app is far more limited in the amount of damage it can do. It can still wreak havoc on your personal files (which is the most important part of a personal computer) but it can't subvert the system.

    (This is the standard complaint about Windows - outside of well-administered [usually business] environments, virtually every Windows user has Admin capability.)

    • You might think that, but a weakness in a non-root app usually just slows a dedicated attacker, not stops them. Most people pay a lot less attention to "local" vulnerabilities such as /tmp file mishandling, but when you've got an attacker in your system who wants to be root, they suddenly take on a much greater role.

      Don't be underrating security problems. :)

      -Dom

      • Slowing them, and possibly stopping them, is better than letting them go full speed.

        A non-suid app exploit can be a step towards a breakin, but a suid-app exploit is an accomplished breakin.

        Don't be underrating one facet of a security defense strategy because it is not the entire solution. :-)