Re: The best way to run a hidden service: one or two computers?
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: The best way to run a hidden service: one or two computers?
- From: Robert Ransom <rransom.8774@xxxxxxxxx>
- Date: Mon, 20 Sep 2010 02:00:13 -0700
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Mon, 20 Sep 2010 04:58:39 -0400
- In-reply-to: <N1-TyH4x2epUg@xxxxxxxxxxxxx>
- References: <N1-TyH4x2epUg@xxxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
On Sun, 19 Sep 2010 07:11:21 -0400
hikki@xxxxxxxxxxxxx wrote:
> Robert Ransom:
>
> > The VM is optional *if* and *only if* an attacker cannot possibly get
> > root on your hidden service.
>
> How do external attackers get root access on a Linux system, and how do they
> then communicate with the system as root, like listing directories and
> changing configuration files as you would have done in a shell, when they're
> basically limited to a hidden website with the browser's address bar and
> maybe a few input forms? It gets more sensible when we're talking about
> default and open websites with the server's true IP addresses and ports out
> in the public, and exploitation of SSH servers. I'm just curious about that.
If your web server and all of the interpreters and programs it runs are
competently written, there is no way for an attacker to get root
access, or even run a shell command. Web applications and the
special-purpose interpreters they run on are often incompetently
written.
> BTW how do you reply to specific posts? All I'm doing here is replying to
> my own original post. Thanks.
I select the message I want to reply to, and then I click the “Reply”
button in my mail client's toolbar.
Robert Ransom