On Thursday 07 February 2008 14:58, Wolfgang Woehl wrote:
Thursday, 7 February 2008, Randall R Schulz:
On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
Randall, for brevity's sake, it can do whatever an ELF LSB executable chooses to in your backyard.
No, that is not so. Can you point me to a known exploit on Firefox (e.g.) that allows execution of arbitrary code? 'Cause that's what you're claiming.
I'm saying any app could. Minus app-armored (or the likes) stuff. ...
That is manifestly false. It takes an explicit vulnerability for this to happen. The classic one is unchecked overflow of a buffer allocated on the stack, making possible _in principle_ the crafting of an exploit that allows execution of arbitrary code. But a number of things have to happen just wrong to even allow the possibility of doing anything other than making the application crash outright.
... Why do you think app-armor came about in the first place?
And don't ask me why someone wants to invent a big complicated piece of software to try to secure programs after the fact. Security cannot come from outside and it cannot be achieved as an afterthought.
The question is, what's the good of repeating over and over again that Linux is as vulnerable as Windows (a near-absolute falsehood)?
Randall? Almost no one is saying anything like that over and over. Quite the contrary. Which is what got me into this thread.
Then you're not following this thread and the statements made herein and to which I was referring (I thought obviously enough).
Linux is safe when used intelligently.
"I'm a Linux user, I click on anything I feel like" sounds intelligent to you? Get out of here :)
Again, you're not really following what's been said here. That was stated explicitly in reference to URLs in a browser, not any arbitrary piece of script or binary executable that someone might have managed to send you via email.
If that's too complicated for someone, they shouldn't be using a computer at all.
True. But -- reality check -- not done.
SEP!
Actually I think we're not far apart in the assessment of Linux security. Strong, responsive security communities, good upstream links, peer-review, all that.
In that light it leaves me baffled though that people keep on downsizing this huge effort by saying "It's safe anyway".
Wolfgang
Randall Schulz