Re: Linux Grinch attack

["Boyd, Daniel" <dboyd () BERRY EDU>]

My observation after reading what materials I have found is this - exploiting this requires the equivalent of dropping 
dominoes on the floor, and all of them landing upright and within range of each other to allow the "hacker" to touch 
the first one and bring them all tumbling down.

Our Linux systems do not have packagekit (which IMO is a piece of software looking for a use case - why would you mix 
up packages from different Linux systems - you are begging for something to break) installed by default, so this is 
mostly a nonissue for us.

The other question is:  Why would you by default allow a user who does not have root privilege to install system 
software without some kind of authentication/verification?  Sounds like a hack waiting to happen.

The headlines I have seen have been over-hyped and sensational in nature - feels like a publicity stunt.

Dan


Daniel H. Boyd (94C)
Senior Network Architect
Security Governance and Documentation Committee Chair
Network Operations
Berry College
Phone: 706-236-1750
Fax:     706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1



-----Original Message-----
From: Lisciotti, Kevin [mailto:klisciotti () UMASSP EDU] 
Sent: Wednesday, December 17, 2014 10:04 AM
Subject: Linux Grinch attack

Has anyone picked up on this Grinch attack that was announced yesterday?

http://www.scmagazine.com/impact-of-linux-bug-grinch-spans-servers-workstations-android-devices-and-more/article/388689/