[1418] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Tiger team.

daemon@ATHENA.MIT.EDU (Rogier Wolff)
Tue Feb 4 12:07:55 1997

To: linux-security@redhat.com
Date: Mon, 3 Feb 1997 17:28:04 +0100 (MET)
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


Hi,

I'm back. :-)

Alex and a few others have expressed concerns about the legal
implications of forming a tiger team. Maybe the term "tiger team"
doesn't officially represent what we meant. But I don't mind
redefining established terms if I feel like it :-)

What we here call a "tiger team" is a team of people that try to beat
the bad guys to finding security holes. To prevent the legal hassles,
you can only attempt an exploit on a system where you are explicitly
allowed to muck with security issues.

The main "plan of attack" is to 

1) Create a few documents:  
    "how to write a secure application".
    "How to verify an existing application".
2) Find all setuid applications and verify their security.
    Maybe we'll come up with "junk XXXXmail, use Xmail" (censored)
    Maybe we'll end up with a secure XXXXmail (Nah...)
3) Find all programs that "root" uses, especially those run from "cron"
   and verify wether they can be fooled into giving away their privileges.


I'll try to get a majordomo server up and running in the next few days
on an easy to remember address. I'll announce the address once it's up.

				Roger.


home help back first fref pref prev next nref lref last post