Re: [Dailydave] Advisory Day!
From: Rodney Thayer (rodney canola-jones.com)
Date: Wed Mar 03 2004 - 13:35:42 CST
At 02:12 PM 3/3/2004 -0500, Dave Aitel wrote:
>Yes, it's time for another "advisory". As I don't believe advisories
>really accomplish anything
Well, for one thing, if you point out you do in fact know how
to issue advisories it might help get companies to listen when
you file bug reports. Might, of course.
> RealSecure, NAI, etc - do bugs in security
>software products make everyone else laugh?
Well, one certainly wonders what they do with all that
bloody scanning kit if they don't run it against their own gear.
I assume all of EEye's products are being scanned at the submolecular
level by vast teams in suburban Atlanta, as we speak ;-)
Philosophical question:
suppose a box ships with no shell access by default, but with
a linux kernel and a shell installed, and with a mechanism available
to get to the shell. Are local shell-based exploits then a realistic
attack path?
I think that, if the vendor shipped BASH on the box, then someone, someday,
is going to run BASH. I think that's the line. If you don't want people
running a shell, ever, then don't ship a shell.