Dailydave mailing list archives

Re: Advisory Day!


From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 03 Mar 2004 11:35:42 -0800

At 02:12 PM 3/3/2004 -0500, Dave Aitel wrote:

> Yes, it's time for another "advisory". As I don't believe advisories
> really accomplish anything

Well, for one thing, if you point out you do in fact know how
to issue advisories it might help get companies to listen when
you file bug reports.  Might, of course.

> RealSecure, NAI, etc - do bugs in security
> software products make everyone else laugh?

Well, one certainly wonders what they do with all that
bloody scanning kit if they don't run it against their own gear.
I assume all of eEye's products are being scanned at the submolecular
level by vast teams in suburban Atlanta, as we speak ;-)

Philosophical question:

  suppose a box ships with no shell access by default, but with
  a linux kernel and a shell installed, and with a mechanism available
  to get to the shell.  Are local shell-based exploits then a realistic
  attack path?

I think that, if the vendor shipped BASH on the box, then someone, someday,
is going to run BASH.  I think that's the line.  If you don't want people
running a shell, ever, then don't ship a shell.
