regarding KPF
Ryan Cumming
bodnar42 at phalynx.dhs.org
Fri Apr 19 00:07:41 BST 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On April 18, 2002 13:11, Martijn Klingens wrote:
> Well... do you know anything _better_ for KPF? :-)
>
> Besides, I misunderstood Rik's problem, see his reply. I don't know how to
> make a secure server app in that respect though. I'd say that it doesn't
> make too much difference whether a readonly or a read/write app has a
> buffer overflow vulnerability though. Both can execute arbitrary code and
> do equal harm, so I am tempted to say that a simple authentication scheme
> over an encrypted connection should suffice for most people, or otherwise
> an RSA key that can be imported as 'trusted', just like SSH does it.
Er, think filling up a partition with random files and watching all non-root
services start to mysteriously fail as they can no long write to that
partition. Or creating a bunch of zero-length files until the user's inode
quota is exceeded.
Yes, there are ways around those problems. And no, we can't expect a normal
KDE user to be aware of them. Data snooping and buffer overruns are
non-issues versus any number of simple DoS attacks that can be launched
through an unprotected public upload area.
- -Ryan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8v1HALGMzRzbJfbQRApkNAJ9NbBnm7r/0lxvWi/mWk95lX3GiAwCfR/UK
VDj9irfOh5D8Y6Q/QDGCPZA=
=5Kc+
-----END PGP SIGNATURE-----
More information about the kde-core-devel
mailing list