Posted Jan 7, 2011 0:34 UTC (Fri) by drag (subscriber, #31333)
In reply to: "eventually" by mjg59
Parent article: Spengler: False Boundaries and Arbitrary Code Execution

> So there's no benefit in strong passwords, because they only extend the time taken to guess them when compared to weak passwords?

Isn't this like begging the question, strawman, or some other sort of logical fallacy?

The difference between a weak password (puppy) versus strong password (rE$l1^=^)vCQzI,m>M\m) is several orders of magnitude difference versus what we are discussing here. So much so that it does not have any relevance at all.

> Security isn't a binary decision.

I am glad I never said it was.

> A capability-based system may still be insecure, and some capabilities are trivially equivalent to root and therefore pretty much useless.

It depends on what capabilities you're actually enabling. The benefits over 'setuid 0' can range from 'none' to 'everything in the world'.



Posted Jan 7, 2011 0:35 UTC (Fri) by drag (subscriber, #31333)

(depending on the situation)


Posted Jan 7, 2011 2:11 UTC (Fri) by mjg59 (subscriber, #23239)

You said "The difference of a few cycles to get UID0 to a few days to sniff root password is not really a big deal when faced with an exploitable vulnerability", which I think oversimplifies. Whether it's a big deal or not is context dependent, whereas if the daemon were running as uid 0 it'd be guaranteed to be a big deal.


Posted Jan 7, 2011 6:25 UTC (Fri) by dlang (subscriber, #313)

A weak password vs a strong password sounds like a similar difference to what you would have between a fraction of a second (clock cycles) and a few days (waiting for someone to log in and sniffing their password).

1 second to one day is four orders of magnitude.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds