
Subject: Re: Re: [SPAM] Re: SF new column announcement: How not to respond to a security advisory
Date: Fri, 20 Jan 2006 12:50:35 +0100

Hi there.

Andrew van der Stock wrote:

[...]
I'd like to hear from the original vulnerability disclosure writers (Red Team Pentesting, http://www.redteam-pentesting.de) for how their correspondence on December 4th - December 6th with Theo went. Maybe there's more to this than is noted in the opinion piece.


You are right there, we discussed securelevels with Theo for a while and his opinion boiled down to the sentence we quoted in our advisory. (Actually this was the whole content of a single mail.)
Of course this statement was not the only response we got from him. He actually wrote several very long and detailed mails before, explaining his distaste for securelevels, why they are useless and should be removed. We did not want to start any Theo-bashing by quoting his single statement, it just clearly recapitulates what he said before. No fix was sensible for securelevels because they are broken by design.


Let's see if the next release of OpenBSD will still contain securelevels.

In my opinion things would be much better if there was any proper documentation about securelevels available, clearly stating what they can do and, most importantly, what they cannot.
Securelevels are no catch-all for root compromise.


Better documentation was also suggested by the FreeBSD Security Team, yet doing "man securelevel" still shows things like:

"The kernel runs with five different levels of security."

Cool, I run Security 5. Now I'm really secured, am I?

[...]

Best regards,

Markus Vervier

--

RedTeam Pentesting            Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27           Fax : +49-(0)241-963 1304
52068 Aachen           http://www.redteam-pentesting.de