
Re: bittorrent in core? what frontend?



On Sat, December 17, 2005 4:17 pm, Jesse Keating said:
> On Sat, 2005-12-17 at 16:04 -0500, Sean wrote:
>> It's a low risk feature that adds significant ease of use for the user.
>> You haven't shown at all how it could be exploited.
>
> If I knew how it could, I would have alerted upstream and vendors to get
> a CVE assigned and a fix coordinated.  Unfortunately not all folks who
> discover flaws act in this way.
>
> With a port forward, any traffic at all can be pushed to the client.
> Who knows what kind of overflows or whatnot may be in the client
> software, that could lead to something which the client has rights to
> do, such as 'remove your temp files, which are ~/*'.  My point is that
> forwarding ports is a risk.  Sure it could just wipe your user files,
> but maybe it could do more.  I don't know, I am not a security expert.
> Forwarded ports are much different than established/related packets.
> Unassociated traffic can come in at will.  This kind of risk needs to be
> something a USER assumes, not a distribution.
>

That's a pretty weak argument.   Many users are connected directly to the
internet and thus when they start the application they assume the risk.  
It's the exact same thing if they install a router that has UPnP enabled
on it; they've assumed the risk.

But so long as you're happy to include the feature if it's disabled by
default we really have no reason to argue.

Sean

