On Wed, May 27, 2015 at 5:18 AM, Simon <openbsd.li...@whitewinterwolf.com> wrote:

> So do you confirm that random PID is actually not a security measure?
>
> It is often presented as such, but it would not be the first time that some
> wrong rumors get widespread enough to become accepted as a truth by most
> people.
Language isn't an exact thing. Words can mean different things to different people, or different things to the same people in different contexts.

I would consider PID randomization to be a security "measure", although I would not consider it a "solution" or "fix" to the problem it addresses. Rather, it is a "mitigation" that reduces the severity of a problem without actually fixing it. Whether you think of it as a security "measure" depends on whether you define a "measure" as a "fix", or a "mitigation", or as either/both.

Where we get into trouble is when people mistake it for a "fix" and believe that they no longer need to worry about this problem. That is false.

-ken