
"eventually"

Posted Jan 7, 2011 3:38 UTC (Fri) by tialaramex (subscriber, #21167)
In reply to: "eventually" by spender
Parent article: Spengler: False Boundaries and Arbitrary Code Execution

You've substantially changed the post since I read it. Since I can't expect you to provide anything to cite, I will remember in future to cite third party screenshots, as is done for Andy Schlafly, the Awful Poo Lady and other people who try to put their mistakes into the memory hole.

When I read it, your post listed several "and then we wait for the user to enter the root password" type tricks. These can't be sped up using someone else's code; you can only wait for the user to fall into your trap. This might happen in a few minutes, a few days or never at all. There are obvious scenarios where it simply can't work (not to mention you seemed to embarrassingly forget how SSH does its thing).

But the current version of the post is more circumspect, retracting some such examples entirely and replacing others with vaguer claims. I, of course, only found this out when I went back to quote some of the relevant bits and found they were gone.

[ It is generally a truism in security research that flaws only get worse. So imagine my surprise to discover that while yesterday Brad had found 20 out of 35 capabilities to be root-equivalent, today the same code has only 18 root-equivalent capabilities. By the time you read it, it may be even fewer. ]



"eventually"

Posted Jan 7, 2011 4:41 UTC (Fri) by spender (guest, #23067)

It said (and has always said) in the first sentence that I intended it to be a reference. I mention in the comments how I've updated the post and given credit to each person that's sent in suggestions/changes either through the site comments or via email.

I didn't "embarrassingly forget how SSH does its thing" -- I still believe the listed attack, now generalized to network services, would be successful in many cases (to deny this is to deny that anyone would click on malicious links or open suspicious attachments, would visit websites that give SSL certificate errors, etc). The only thing that changed was I moved those specific entries into their own section since the immediate example of sshd gives a warning on connect, so listing it wasn't fair. When I first posted the article, it was only 15/35 -- so what's your point? I shouldn't be accurate?

As the PaX Team and I both mentioned already, in the real world, attackers *do not care* if it takes a few minutes or a few days. I assure you they can speed up that process as well (i.e. they don't have to wait for you to feel like connecting on your own). If you had an imagination, you'd be able to figure this out, but it's not common among armchair experts.

-Brad

"eventually"

Posted Jan 7, 2011 22:34 UTC (Fri) by PaXTeam (guest, #24616)

> It is generally a truism in security research that flaws only get worse.

the truism isn't about the flaws but the attacks (think bugs vs. exploits). in the original attributed to the NSA by Schneier: "Attacks always get better; they never get worse".


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds