Re: [Full-disclosure] AFS - The Ultimate Sulution? -- What is the point?
- To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] AFS - The Ultimate Sulution? -- What is the point?
- From: "Brandon S. Allbery KF8NH" <allbery@xxxxxxxxxxx>
- Date: Sun, 17 Sep 2006 11:23:36 -0400
On Sep 17, 2006, at 10:03 , Valdis.Kletnieks@xxxxxx wrote:
> Go back and re-read the last few batches of AFS updates, and ask
> yourself for each bugfix "Could this *potentially* have been
> leveraged by a clued hacker?".
I haven't noticed many issues beyond potential denial of service
attacks --- which are mitigated to some extent by replication (of
course, someone could go after *all* the servers...). The biggest
problems at this point are:
- if you get the afs/cell@REALM key, you've got the entire cell
- no data encryption to speak of (fcrypt? it is to laugh)
Work is being done on both fronts, although I'm not the right person
to speak to about either.
In any case, you need to lock up your DB and file servers as tight as
you can if you want the cell to be at all secure.
(Unfortunately, I don't think anyone has, other than inadvertently,
tested how AFS reacts to invalid packets. One of those things I'd
love to do if I ever got a few round tuits....)
--
brandon s. allbery [linux,solaris,freebsd,perl] allbery@xxxxxxxxx
system administrator [openafs,heimdal,too many hats] allbery@xxxxxxxxxxx
electrical and computer engineering, carnegie mellon university KF8NH
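The post's closing remark about nobody having tested how AFS reacts to invalid packets is the kind of thing a small Rx packet mutator answers. The script below is an added example, not code from the post or from OpenAFS. It assumes the 28-byte Rx packet header layout from OpenAFS's rx.h (epoch, cid, callNumber, seq, serial, type, flags, userStatus, securityIndex, spare, serviceId, all big-endian), the conventional fileserver UDP port 7000 with RXAFS service id 1, Rx packet type numbers as in rx.h, and that a server answers a VERSION (type 10) packet the way it answers rxdebug -version. Point it only at a lab server you own; nothing is sent unless you call fuzz().

```python
"""Rx (AFS RPC transport) header encoder/decoder plus a malformed-packet generator.

Added example, not from the mailing-list post or OpenAFS.  Header layout,
port, service id and packet type numbers are assumptions taken from rx.h.
"""
import random
import socket
import struct

RX_HEADER_FMT = "!IIIIIBBBBHH"               # assumed layout from OpenAFS rx.h
RX_HEADER_LEN = struct.calcsize(RX_HEADER_FMT)  # 28 bytes
FIELDS = ("epoch", "cid", "callNumber", "seq", "serial", "type", "flags",
          "userStatus", "securityIndex", "spare", "serviceId")
RX_TYPE_DATA, RX_TYPE_VERSION = 1, 10        # assumed packet type numbers
RX_CLIENT_INITIATED, RX_LAST_PACKET = 1, 4   # assumed flag bits
FILESERVER_PORT, RXAFS_SERVICE_ID = 7000, 1  # assumed conventional values


def pack_rx_header(**h):
    """Serialise a header dict; unspecified fields default to 0."""
    return struct.pack(RX_HEADER_FMT, *[h.get(f, 0) for f in FIELDS])


def unpack_rx_header(data):
    """Parse the first 28 bytes; raise ValueError on a short packet."""
    if len(data) < RX_HEADER_LEN:
        raise ValueError("short Rx packet: %d bytes" % len(data))
    return dict(zip(FIELDS, struct.unpack(RX_HEADER_FMT, data[:RX_HEADER_LEN])))


def baseline_packet(service_id=RXAFS_SERVICE_ID):
    """A plausible first DATA packet of a new, unauthenticated call
    (security index 0) carrying a constructed 4-byte opcode as body."""
    hdr = pack_rx_header(epoch=0x4b5c0d18, cid=0x1234 << 2, callNumber=1, seq=1,
                         serial=1, type=RX_TYPE_DATA,
                         flags=RX_CLIENT_INITIATED | RX_LAST_PACKET,
                         serviceId=service_id)
    return hdr + struct.pack("!I", 0)        # constructed body, not a real opcode


def mutate(packet, rng):
    """Return (label, packet): one malformed variant of a valid packet."""
    hdr = unpack_rx_header(packet)
    body = packet[RX_HEADER_LEN:]
    choice = rng.randrange(6)
    if choice == 0:                              # header shorter than 28 bytes
        n = rng.randrange(1, RX_HEADER_LEN)
        return "truncated-%d" % n, packet[:n]
    if choice == 1:                              # packet type with no handler
        hdr["type"] = rng.choice([0] + list(range(11, 256)))
        return "badtype-%d" % hdr["type"], pack_rx_header(**hdr) + body
    if choice == 2:                              # unregistered security class
        hdr["securityIndex"] = rng.randrange(3, 256)
        return "badsec-%d" % hdr["securityIndex"], pack_rx_header(**hdr) + body
    if choice == 3:                              # sequence/call numbers at the edges
        hdr["seq"], hdr["callNumber"] = rng.choice([(0, 0), (0xffffffff, 0xffffffff)])
        return "edgeseq", pack_rx_header(**hdr) + body
    if choice == 4:                              # single random bit flip anywhere
        b = bytearray(packet)
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
        return "bitflip-%d" % i, bytes(b)
    return "oversize", packet[:RX_HEADER_LEN] + bytes(60000)  # near the UDP maximum


def generate_corpus(packet, count, seed=0):
    """Deterministic list of (label, packet) variants for a given seed."""
    rng = random.Random(seed)
    return [mutate(packet, rng) for _ in range(count)]


def liveness_probe(sock, addr):
    """Send an Rx VERSION packet and report whether anything comes back
    (assumed to match what rxdebug -version relies on)."""
    sock.sendto(pack_rx_header(epoch=1, type=RX_TYPE_VERSION, serviceId=RXAFS_SERVICE_ID), addr)
    try:
        sock.recvfrom(2048)
        return True
    except socket.timeout:
        return False


def fuzz(host, port=FILESERVER_PORT, count=200, seed=0):
    """Send `count` malformed packets to a lab server you own, probing
    liveness after each; returns the labels after which the probe failed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(1.0)
    addr = (host, port)
    suspects = []
    for label, pkt in generate_corpus(baseline_packet(), count, seed):
        sock.sendto(pkt, addr)
        if not liveness_probe(sock, addr):
            suspects.append(label)
    sock.close()
    return suspects
```

The corpus is seeded so that a variant that made the server stop answering can be regenerated by label and replayed on its own; a failed liveness probe after one packet only says the server went quiet, so confirm against the server log before treating it as a crash.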
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/