regarding KPF

[Ryan Cumming]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On April 18, 2002 13:11, Martijn Klingens wrote:
> Well... do you know anything _better_ for KPF? :-)
>
> Besides, I misunderstood Rik's problem, see his reply. I don't know how to
> make a secure server app in that respect though. I'd say that it doesn't
> make too much difference whether a readonly or a read/write app has a
> buffer overflow vulnerability though. Both can execute arbitrary code and
> do equal harm, so I am tempted to say that a simple authentication scheme
> over an encrypted connection should suffice for most people, or otherwise
> an RSA key that can be imported as 'trusted', just like SSH does it.

Er, think filling up a partition with random files and watching all non-root 
services start to mysteriously fail as they can no long write to that 
partition. Or creating a bunch of zero-length files until the user's inode 
quota is exceeded. 

Yes, there are ways around those problems. And no, we can't expect a normal 
KDE user to be aware of them. Data snooping and buffer overruns are 
non-issues versus any number of simple DoS attacks that can be launched 
through an unprotected public upload area.

- -Ryan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8v1HALGMzRzbJfbQRApkNAJ9NbBnm7r/0lxvWi/mWk95lX3GiAwCfR/UK
VDj9irfOh5D8Y6Q/QDGCPZA=
=5Kc+
-----END PGP SIGNATURE-----