Full Disclosure mailing list archives

Re: Internet has vuln.


From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 12 Sep 2013 18:23:53 -0400

On Thu, Sep 12, 2013 at 3:23 PM, <Valdis.Kletnieks () vt edu> wrote:
> On Thu, 12 Sep 2013 08:57:55 +0800, Steve Wray said:
>
>> In some cases it could be quite difficult to disengage from NSA-influenced
>> projects, e.g. selinux. So far as I can tell this is pretty much everywhere
>> now. Redhat embraced it ages ago, it's been integrated in the kernel since
>> 2.6, so how do we opt out of selinux?
>
> Well, given that SELinux *did* come out of the NSA, but has had tons of code
> review of the base code (which isn't really all that much) and the actual
> policy files (which is where I'd hide a backdoor, they're a lot more obscure
> than the actual kernel code), by lots of people who would have *loved* to be
> the one who caught the NSA doing something underhanded, I think you're barking
> up an entirely incorrect tree.

They ignored my comments on fixed size arrays based on MAX_PATH and
the subsequent overflows and silent truncations due to use of sprintf
and snprintf....

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
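
The failure mode named in the reply above (a fixed-size path buffer filled with snprintf, where an over-long result is cut short without notice), as an added C example that is not part of the original message and is not SELinux code. `DEMO_PATH_MAX`, the function names and the sample paths are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed small limit standing in for a MAX_PATH-sized array. */
#define DEMO_PATH_MAX 16

/* Unchecked pattern: snprintf does not write past dst, but a result that
 * does not fit is cut short and the caller is never told. (sprintf in the
 * same place would write past the end of dst instead.) */
static void join_unchecked(char *dst, size_t cap, const char *dir, const char *name)
{
    snprintf(dst, cap, "%s/%s", dir, name);
}

/* Checked pattern: snprintf returns the length the complete string would
 * have had, so a return value >= cap means the output was truncated.
 * Truncation is treated as an error and dst is emptied. */
static int join_checked(char *dst, size_t cap, const char *dir, const char *name)
{
    int n = snprintf(dst, cap, "%s/%s", dir, name);
    if (n < 0)
        return -1;                      /* encoding/output error */
    if ((size_t)n >= cap) {
        if (cap > 0)
            dst[0] = '\0';              /* never hand back a partial path */
        errno = ENAMETOOLONG;
        return -1;
    }
    return n;                           /* length written, excluding NUL */
}

int main(void)
{
    char buf[DEMO_PATH_MAX];

    /* The truncated result names a different file than the one requested. */
    join_unchecked(buf, sizeof buf, "/srv/app", "config.bak");
    printf("unchecked: %s\n", buf);

    if (join_checked(buf, sizeof buf, "/srv/app", "config.bak") < 0)
        printf("checked: rejected, path would be truncated\n");
    if (join_checked(buf, sizeof buf, "/srv", "a.txt") > 0)
        printf("checked: %s\n", buf);
    return 0;
}
```
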

