Mailinglist Archive: opensuse (3031 mails)
Re: [opensuse] OpenSuse 11
- From: Randall R Schulz <rschulz@xxxxxxxxx>
- Date: Thu, 7 Feb 2008 15:32:15 -0800
- Message-id: <200802071532.15812.rschulz@xxxxxxxxx>
On Thursday 07 February 2008 14:58, Wolfgang Woehl wrote:
> Thursday, 7 February 2008, Randall R Schulz:
> > On Thursday 07 February 2008 14:07, Wolfgang Woehl wrote:
> > > Randall, for brevity's sake, it can do whatever an ELF LSB
> > > executable chooses to in your backyard.
> >
> > No, that is not so. Can you point me to a known exploit on Firefox
> > (e.g.) that allows execution of arbitrary code? 'Cause that's what
> > you're claiming.
>
> I'm saying any app could. Minus app-armored (or the likes) stuff.
> ...

That is manifestly false. It takes an explicit vulnerability for this to
happen. The classic one is unchecked overflow of a buffer allocated on
the stack, making possible _in principle_ the crafting of an exploit
that allows execution of arbitrary code. But a number of things have to
happen just wrong to even allow the possibility of doing anything other
than making the application crash outright.

> ... Why do you think app-armor came about in the first place?

And don't ask me why someone wants to invent a big complicated piece of
software to try to secure programs after the fact. Security cannot come
from outside and it cannot be achieved as an afterthought.

> > The question is, what's the good of repeating over and over again
> > that Linux is as vulnerable as Windows (a near-absolute falsehood)?
>
> Randall? Almost no one is saying anything like that over and over.
> Quite the contrary. Which is what got me into this thread.

Then you're not following this thread and the statements made herein and
to which I was referring (I thought obviously enough).

> > Linux is safe when used intelligently.
>
> "I'm a linux user, I click on anything I feel like" sounds
> intelligent to you? Get out of here :)

Again, you're not really following what's been said here.

That was stated explicitly in reference to URLs in a browser, not any
arbitrary piece of script or binary executable that someone might have
managed to send you via email.

> > If that's too complicated for someone, they shouldn't be using a
> > computer at all.
>
> True. But -- reality check -- not done.

SEP!

> Actually I think we're not far apart in the assessment of linux
> security. Strong, responsive security communities, good upstream
> links, peer-review, all that.
>
> In that light it leaves me baffled though that people keep on
> downsizing this huge effort by saying "It's safe anyway".
>
> Wolfgang

Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx