[RC5] My head is going to explode...

Joe Zbiciak j-zbiciak1 at ti.com
Tue Nov 18 13:21:08 EST 1997


'Greg Apessos' said previously:
| 
|         On a stupider note, are you guys morons?  

Nope.

I'm a paranoid Unix system administrator.  (So happens, I currently
only administrate my own personal machines, but that doesn't stop me 
from being paranoid.  I once worked at an ISP, where I had to deal
with *real morons*.  My current job thankfully has nothing to do with
Unix administration. :-)

I believe I'm not the only member of this list that sees the wisdom
of running untrusted code in a privilege-less account as a security
measure.  It's the same reason a web server should run as a different
UID than its config file, and CGI scripts as still a different UID.
So that if there is a security hole, it can't be exploited.

How are we to know there's not a buffer overflow in the Bovine
networking code, such that a creative soul could pull a
man-in-the-middle attack on you, spoof a packet down to you, and start
up /bin/sh bound to some arbitrary high-numbered port?  You'd never
notice probably.  You'd just see "Network::Open Error 1 - sleeping for
3 seconds" and think nothing of it.  That is, until all your files
start disappearing to make room for a new WaReZ site.

(Sound farfetched?  It isn't.  Smarter guys than me could reverse 
engineer the Bovine networking code just as easily as they could the
Internet Explorer URL parsing code to find holes in it.  I'm not 
talking fiction.)

Granted, the odds of it happening to any one of us in particular is
fairly low.  But 11,000+ machines, many behind corporate firewalls, all
running the exact same program trusting some round-robin DNS on an
inherently flaky internet is a fairly large, open, and likely
vulnerable target.

| ps.  I would like to take this time to apologize for my actions, i got about 
| 2 hours of sleep last night and my patients for stupid people is at an all 
| time low!!  Thank you and have a good day!

I haven't slept at all in the last 24+ hours or so...  No excuse for 
rudeness.  The order of events is "think", "post"... not vice versa.

--Joe

-- 
 +------------ Joseph Zbiciak -----------+ 
 |- - - - -  j-zbiciak1 at ti.com  - - - - -|   You have the capacity to 
 | - http://www.primenet.com/~im14u2c/ - |   learn from mistakes.
 |- - - -Texas Instruments, Dallas- - - -|   You will learn alot today.
 +------#include <std_disclaimer.h>------+ 
--
To unsubcribe, send 'unsubscribe rc5' to majordomo at llamas.net
rc5-digest subscribers replace rc5 with rc5-digest



More information about the rc5 mailing list