WebApp Sec mailing list archives

Re: Re: [SPAM] Re: SF new column announcement: How not to respond to a security advisory


From: Markus Vervier <markus.vervier () redteam-pentesting de>
Date: Fri, 20 Jan 2006 12:50:35 +0100


Hi there.

Andrew van der Stock wrote:

[...]
I'd like to hear from the original vulnerability disclosure writers (Red Team Pentesting, http://www.redteam-pentesting.de) for how their correspondence on December 4th - December 6th with Theo went. Maybe there's more to this than is noted in the opinion piece.


You are right there, we discussed securelevels with Theo for a while and his opinion boiled down to the sentence we quoted in our advisory. (Actually, this was the whole content of a single mail.) Of course this statement was not the only response we got from him. He actually wrote several very long and detailed mails before, explaining his distaste for securelevels, why they are useless and should be removed. We did not want to start any Theo-bashing by quoting his single statement, it just clearly recapitulates what he said before. No fix was sensible for securelevels because they are broken by design.

Let's see if the next release of OpenBSD will still contain securelevels.

In my opinion things would be much better if there was any proper documentation about securelevels available, clearly stating what they can do and, most importantly, what they cannot.
Securelevels are no catch-all for root-compromise.

Better documentation was also suggested by the FreeBSD Security Team, yet doing "man securelevel" still shows things like:

"The kernel runs with five different levels of security."

Cool, I run Security 5. Now I'm really secured, am I?

[...]



Best regards,

Markus Vervier

--

RedTeam Pentesting            Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27           Fax : +49-(0)241-963 1304
52068 Aachen           http://www.redteam-pentesting.de


