Slashdot Article - BSD



Thread: Slashdot Article

  1. Slashdot Article


  2. Re: Slashdot Article

    Steve Pointer wrote:
    > Anybody seen this yet?
    >
    > http://it.slashdot.org/it/07/08/09/138224.shtml

    At first glance, it looks like a valid technique. Exploit hinges on
    racing on timing holes in assumed "atomic" operations.

    Looks like the sudo example uses a non-standard version of the app, not
    the shipped sudo, but I admit I don't have time beyond a quick look.

    Yes, concurrency bugs are hard: hard to find and hard to fix. (He says
    as he closes up a hole just found in a /years-old/ release.)
    --
    clvrmnky

    Direct replies will be blacklisted. Replace "spamtrap" with my name to
    contact me directly.
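The "timing hole in an assumed atomic operation" mentioned above is a double fetch: a wrapper validates a system call argument that lives in user memory, and the kernel then reads that same memory again to act on it. Anything that rewrites the argument between the two reads (a second thread, in the real attack) gets a value past the policy that the wrapper never saw. The model below is an added example, not code from the thread, from systrace or from the paper under discussion. It keeps the "user memory", "wrapper" and "kernel" as plain functions in one process and makes the race window an explicit callback (hypothetical `race_window_fn`) so the outcome is deterministic; the policy, path names and struct names are all constructed for the illustration.

```c
/*
 * Added example: a model of the "check in the wrapper, use in the kernel"
 * double fetch. The argument sits in user memory shared with an attacker.
 * The race window is a callback so the result is repeatable; in a real
 * exploit a second thread races the wrapper for the same effect.
 */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* Simulated user memory holding the syscall's pathname argument. */
struct user_mem {
    char path[PATH_MAX_LEN];
};

/* What the "kernel" actually acted on, returned for inspection. */
struct result {
    int wrapper_allowed;        /* 1 if the wrapper approved the call */
    char opened[PATH_MAX_LEN];  /* path the kernel used, "" if denied */
};

/* Hypothetical hook standing in for "another thread runs here". */
typedef void (*race_window_fn)(struct user_mem *um);

/* Constructed policy: the wrapper only permits paths under /tmp/. */
static int policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

static void copy_path(char *dst, const char *src)
{
    strncpy(dst, src, PATH_MAX_LEN - 1);
    dst[PATH_MAX_LEN - 1] = '\0';
}

/*
 * Vulnerable: the wrapper fetches and checks the argument, then the kernel
 * fetches it a second time. Two reads of user memory, one window between.
 */
static struct result open_vulnerable(struct user_mem *um, race_window_fn window)
{
    struct result r = {0, ""};
    char check_copy[PATH_MAX_LEN];

    copy_path(check_copy, um->path);        /* fetch 1: wrapper's check */
    if (!policy_allows(check_copy))
        return r;
    r.wrapper_allowed = 1;

    if (window)
        window(um);                         /* attacker rewrites um->path */

    copy_path(r.opened, um->path);          /* fetch 2: kernel acts on it */
    return r;
}

/*
 * Hardened: copy the argument in once and have both the check and the
 * kernel operate on that private copy. The window still runs but has
 * nothing left to race.
 */
static struct result open_hardened(struct user_mem *um, race_window_fn window)
{
    struct result r = {0, ""};
    char copy[PATH_MAX_LEN];

    copy_path(copy, um->path);              /* single fetch */
    if (!policy_allows(copy))
        return r;
    r.wrapper_allowed = 1;

    if (window)
        window(um);                         /* user memory changes... */

    copy_path(r.opened, copy);              /* ...but the kernel uses the copy */
    return r;
}

/* Attacker "thread": swap the argument after the wrapper has approved it. */
static void attacker_swaps_path(struct user_mem *um)
{
    copy_path(um->path, "/etc/passwd");
}

int main(void)
{
    struct user_mem um;
    struct result r;

    strcpy(um.path, "/tmp/scratch");
    r = open_vulnerable(&um, attacker_swaps_path);
    printf("vulnerable: allowed=%d opened=%s\n", r.wrapper_allowed, r.opened);

    strcpy(um.path, "/tmp/scratch");
    r = open_hardened(&um, attacker_swaps_path);
    printf("hardened:   allowed=%d opened=%s\n", r.wrapper_allowed, r.opened);
    return 0;
}
```

The vulnerable path reports `allowed=1` yet opens `/etc/passwd`; the hardened one opens the `/tmp/scratch` the wrapper checked. The same shape applies to any wrapper that inspects arguments the kernel will later re-read from user space, which is why a check-then-use design is only sound when the checked copy is the one the kernel consumes.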

  3. Re: Slashdot Article

    Clever Monkey wrote:
    > Steve Pointer wrote:
    >> Anybody seen this yet?
    >>
    >> http://it.slashdot.org/it/07/08/09/138224.shtml

    Yes, on misc@. And it appears Niels Provos, who wrote systrace, just
    posted something as well (marc had it before I saw it):
    http://marc.info/?l=openbsd-misc&m=118667372903670&w=2.

    > At first glance, it looks like a valid technique. Exploit hinges on
    > racing on timing holes in assumed "atomic" operations.

    Apparently, it is - at least Provos is convinced...

    Joachim

  4. Re: Slashdot Article

    Joachim Schipper wrote:
    > Clever Monkey wrote:
    >> Steve Pointer wrote:
    >>> Anybody seen this yet?
    >>>
    >>> http://it.slashdot.org/it/07/08/09/138224.shtml
    >
    > Yes, on misc@. And it appears Niels Provos, who wrote systrace, just
    > posted something as well (marc had it before I saw it):
    > http://marc.info/?l=openbsd-misc&m=118667372903670&w=2.
    >
    >> At first glance, it looks like a valid technique. Exploit hinges on
    >> racing on timing holes in assumed "atomic" operations.
    >
    > Apparently, it is - at least Provos is convinced...

    A good "what does this mean for me" over on undeadly:


    Bottom line: most of us need not care.
    --
    clvrmnky

