Date: Thu, 17 Nov 2016 17:50:17 +0000
From: Jason Cooper <osssecurity@...edaemon.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-4484: - Cryptsetup Initrd root Shell

Hi John,

On Thu, Nov 17, 2016 at 04:56:06PM +0000, John Haxby wrote:
> On 17/11/16 16:39, Jason Cooper wrote:
> > However, the golden rule still applies. Physical access trumps all
> > defensive measures. The absolute best you can do is detect that
> > physical access occurred. From there, you're hoping there are no
> > hardware implants or other devices outside the scope of software
> > security.
>
> I agree. However, it ought to be harder than leaning on the enter
> key to break into a system. You lock your doors even though it doesn't
> stop a determined burglar?

Yes, as I said before, non-deterministic failure modes are bad. This CVE is a bug in the initrd script and needs to be fixed. What I disagree with, and still do, is the "sky is falling!" nature of the alert.

thx,

Jason.