Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)

[Greg A. Woods]

[ On Friday, August 11, 2000 at 10:30:09 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
>
> And the risk that I'll be attacked by a bug in the auth code is much less
> than the risk that I'll be attacked by a properly authorized user.

This would be true if it were completely true, but without SSH you do
not have a properly authorised user -- you've only authorised a virtual
identity, an in an insecure manner I might add, so you still have no
accountability and thus no way of even beginning to know for sure who
you've authorised, at least not without a search warrant for the login
and caller-id records of the dial-up IP that the connection appeared to
arrive from!

It also depends on the goal of the attacker.  If they want to covertly
subvert your project then they're extremely unlikely to attack your auth
code, no matter how bug-ridden it might be.  They'll directly spoof
another user and hide their little changes amongst legitimate ones.

If the attacker simply wants to cause you grief then they might go for
the most bang for their buck and thus go directly for your auth code
where they can gain root access and do the most damage in the quickest
way possible (and also in the most likely way they can hide even the
misleading tracks they've left behind!).

Please don't make blatantly false claims about security related issues!

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>