Security quotes of the week
[Posted February 22, 2012 by jake]
I used to provide detached GnuPG signatures alongside my uploaded
source tarballs but nobody cared or even noticed if I inadvertently
broke the signature. (This is for packages which regularly got
downloaded for inclusion into Fedora, ArchLinux, Gentoo and numerous
other distros other than Debian/Debian-based ones which get the source
directly from me.)
Honestly, nobody cares.
--
Neil Williams
ICANN has plowed ahead with their extortive get-rich-quick gTLD
expansion scheme. The U.S. has turned the DNS into a mechanism for
unilateral actions over entities in other countries, without such
[niceties] as due process being required. The list goes on and on.
So no wonder the rest of the world pushes for changes -- and threatens
network fragmentation -- even as their proposed regulatory regimes could
do enormous damage to the Net.
--
Lauren Weinstein
This book marks another chapter in my career’s endless series of
generalizations. From mathematical security — cryptography — to computer
and network security; from there to security technology in general; then to
the economics of security and the psychology of security; and now to — I
suppose — the sociology of security. The more I try to understand how
security works, the more of the world I need to encompass within my model.
--
Bruce Schneier on his new book Liars and Outliers
While everyone else was focused on the normal patch specific
vuln/update/forget cycle, our focus with these high-profile vulnerabilities
has always been to look at tangential issues that are unlikely to be
resolved upstream: exploitation techniques that either made certain
strategies easier or possible in the first place. In the case of
CVE-2012-0056, that issue revealed itself during a discussion on the
full-disclosure mailing list on how to reliably exploit systems that
changed the permission of the suid root binaries to deny reading. While
such a permission change prevented the use of objdump in initial exploits,
it was mentioned that a ptrace followed by an exec of the suid root binary
allows one to effectively read the contents of the mapped binary. This
might be surprising, as a ptrace of an existing suid root process would be
denied. When execing a privileged binary while ptracing though, the binary
is run without the extra privileges. When the goal is reading out the
binary, however, this is irrelevant.
--
Brad Spengler on "How We Learn From Exploits"