Re: Hurdish applications for persistence

[Jonathan S. Shapiro]

On Thu, 2005-10-13 at 00:41 +0200, Alfred M. Szmidt wrote:

> If you can put a random program in a chroot, you will _always_ find a
> way to break out of it.  And it is simply not worth fixing it.

You have said words to this effect a couple of times now. Your position
seems to be that security has to be "good enough", but not very good. In
the end, the problem with this is that there are guys in eastern russia
right now earning $1M/week to crack your machine. There is a reasonable
limit to the appropriate effort on security, but I need to show you our
web server logs. My lab gets 100 penetration attempts a minute on a
*slow* day.

I'm particularly puzzled by what you said above, though. Wouldn't
running a browser applet qualify as running random code inside a jail?
And isn't the whole point of a jail to run hostile code safely?

I'm obviously not connecting the points in your argument. I do not
expect that we will agree on the right answer, but I would at least like
to understand your position and rationale.


shap