[mhandley]

I'm not sure I'd place much faith in ASLR these days. Bittau's Blind Return Oriented Programming (BROP) http://www.scs.stanford.edu/brop/ makes that only a speedbump, not a real obstacle, for any server that suffers from a stack overflow vulnerability and respawns after a crash. Basically, you can read the return address off the stack a byte at a time by detecting the difference between a crash (you got the overflowed byte wrong) and no-crash (you got the overflowed byte correct). Doesn't take long to recover the return address, and hence find the text location. Their paper is a really fun read!

[unluckier]

We all know that exploit mitigations aren't perfect. But to not even bother using them... that's just ridiculous. There are plenty of scenarios where ASLR helps prevent exploitation. And the fact that FreeBSD doesn't even have it is pretty damning.

[mhandley]

I didn't say not to bother; I just said the protection provided by ASLR is weaker, even on 64-bit systems, than most of us believed a couple of years ago.

[unluckier]

It's the FreeBSD folks that didn't bother. Not you.