
Local vs remote exploits


Posted Jun 25, 2004 20:59 UTC (Fri) by giraffedata (subscriber, #1954)
In reply to: Local vs remote exploits by RobSeace
Parent article: Long-lived security holes

> And, I don't think your bizarre interpretation of the terms is particularly useful or widespread

That's almost word for word what I said, so we agree there. Except that I don't think you can call "bizarre" an interpretation that takes the words "local" and "remote" to mean what they mean in every other context under the sun.

> This is just a semantics argument

Exactly. It's important to use the right terminology because people derive a lot of meaning from the bare words. I assure you that if you classify exploits as "remote" or "local," some people will think you mean it in the conventional sense of those words. That would result in less than optimal classification of security exposures.

> there most definitely IS a valid and very major distinction between the two

So the only question is, what are the two types you're distinguishing? Calling them by conventional English words would go a long way toward nailing that down. Arbitrarily labelling exploits by partially authorized people "local" and exploits by total strangers as "remote," especially since those words already have meanings ("near" and "far") in other contexts, is just inviting misunderstanding.



Local vs remote exploits

Posted Jun 25, 2004 21:19 UTC (Fri) by RobSeace (subscriber, #4435)

Even if I were to buy your claim that the terms were technically wrong in
this context (which I don't), I'd still think your argument was silly...
It's on par with people who complain about the usage of "kilobyte" and
"megabyte" and such, because they're power-of-two based rather than
power-of-ten based, when used in a computing context... Words can mean
different things in different contexts; it happens all the time; people
handle it just fine... Does my grandmother know the difference between a
power-of-two "megabyte" and a power-of-ten "megabyte"? No, but she also
doesn't care... The people that NEED to know, WILL know, from the context...

And, "local" and "remote" in regards to vulnerabilities have been used for
many years in this way, with no one that I've ever seen (until now) confused
or annoyed about them... (The same way kilobyte/megabyte/etc. worked just
fine with no confusion for anyone for years, until some uptight, humorless
party-poopers came along and made up the silly "kibibyte", "mebibyte", etc.
nonsense, and tried to force it down everyone's throats...)

But, even arguing on technical correctness of the terms, I don't think you
have a case... The user IS local to that machine; even if they're logging
in from a remote machine! They're still a LOCAL user on that destination
machine... Local, as in local to that machine... As in, listed in that
machine's local "/etc/passwd", with a home directory on its local disk,
and with privileges to run programs on its local CPU... I don't think
calling them "local users" is out of line with reality...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds