Can we please stop this thread (or at least take this to private email)?
Thanks!
donald
On Fri, Aug 11, 2000 at 04:03:03PM -0400, Greg A. Woods wrote:
> [ On Friday, August 11, 2000 at 10:30:09 (-0400), Justin Wells wrote: ]
> > Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
> >
> > And the risk that I'll be attacked by a bug in the auth code is much less
> > than the risk that I'll be attacked by a properly authorized user.
>
> This would be true if it were completely true, but without SSH you do
> not have a properly authorised user -- you've only authorised a virtual
> identity, and in an insecure manner I might add, so you still have no
> accountability and thus no way of even beginning to know for sure who
> you've authorised, at least not without a search warrant for the login
> and caller-id records of the dial-up IP that the connection appeared to
> arrive from!
>
> It also depends on the goal of the attacker. If they want to covertly
> subvert your project then they're extremely unlikely to attack your auth
> code, no matter how bug-ridden it might be. They'll directly spoof
> another user and hide their little changes amongst legitimate ones.
>
> If the attacker simply wants to cause you grief then they might go for
> the most bang for their buck and thus go directly for your auth code
> where they can gain root access and do the most damage in the quickest
> way possible (and also in the most likely way they can hide even the
> misleading tracks they've left behind!).
>
> Please don't make blatantly false claims about security related issues!
>
> --
> Greg A. Woods
>
> +1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
> Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
>