From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: Nick Borisov, freebsd-security@freebsd.org
Date: Mon, 19 Jun 2006 08:16:36 -0700 (PDT)
Subject: Re: memory pages nulling when releasing
Message-ID: <20060619151636.10431.qmail@web30301.mail.mud.yahoo.com>
In-Reply-To: <3bcb4e3f0606190728m29b67270mda8088eab2ff0ba1@mail.gmail.com>

--- Nick Borisov wrote:
> [...] Allowing an intruder to deal with your
> system even one extra minute may lead to tremendous losses depending
> [...]
> :-)

OK..
Let's see, if I understood this right:

  1 minute  <-could be->  1 tremendous loss
 50 minutes <-could be-> 50 tremendous losses

But what if a system just contains 5 tremendous chunks of secrets? Then it would not matter if we catch the attacker after 50 minutes or after 51 minutes... Even if we had a preparation time (before the loss starts) of 10 minutes (e. g. to install an evil kernel)...

According to my experience attackers are not caught so quickly (and how should one do it? If the software is bad, then every connection could be evil; and of course even unusual connections (e. g. an IP that was never seen before, or very high traffic to a single IP) could be good).

I know personally of a case where somebody (mis(?))configured an NFS service (maybe it was a honey-pot, or so?), so that everyone had read/write access as _root_. It was possible to transfer about 20MB of data over about one hour from a single IP that was never seen there before... The carrier of the system was a research centre (that works for several departments of the federal GERM government) with its own specially trained network/security administrators and a little nuclear power plant...

-Arne