From owner-freebsd-security@FreeBSD.ORG Mon Apr 14 12:07:23 2014
Message-Id: <201404141207.s3EC7IvT085450@chronos.org.uk>
Date: Mon, 14 Apr 2014 13:07:11 +0100
From: Matt Dawson
To: freebsd-security@freebsd.org
Subject: Re: De Raadt + FBSD + OpenSSH + hole?
In-Reply-To: <534B11F0.9040400@paladin.bulgarpress.com>
References: <534B11F0.9040400@paladin.bulgarpress.com>
List-Id: "Security issues [members-only posting]"

On Mon, 14 Apr 2014 01:38:40 +0300 Todor Todorov wrote:

> Oh now I sense some angst. Please ask Kirk McKusick, he knows the
> story about why this is not being disclosed to FreeBSD. Sometimes I
> feel a bit sorry for them (and for him), but then the next minute I
> don't feel sorry because there's damn good reasons they won't be
> told about what I found.

My first thought when I saw this was "ego over ethics," which says more about Theo than FreeBSD. *If* there's an issue it'll come out eventually regardless of any little games the pseudo-deities wish to play.

In the meantime, follow best practice: lock down your SSH, use keys rather than passwords, password protect the private key, ensure that only trusted people who need it get shell access and disable anything that isn't absolutely necessary.

-- 
Safer alternative to smoking under threat from over-regulation due to pseudo-science and puritanism.
Please help keep personal vapourisers available for ex and potential ex-smokers at http://www.efvi.eu/ by showing your support for this citizens' initiative.
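As an added example (not from Matt's post or the FreeBSD project), a POSIX sh audit of an sshd_config against the points the reply lists: key-only authentication, no root login, shell access limited to named users or groups, and unneeded forwarding features switched off. The keyword names are OpenSSH's; the defaults assumed where a keyword is absent are those of OpenSSH of that period, and the script assumes whitespace-separated "Keyword value" lines with no Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening points in the reply.
# Assumes OpenSSH keyword names, "Keyword value" lines, and no Match blocks.

# Effective value of a keyword: sshd takes the first occurrence, so print the
# first non-comment match (keyword compared case-insensitively), else a default.
ssh_opt() {  # ssh_opt <config file> <keyword> <default>
  v=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
  [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Prints one FAIL line per recommendation not met; returns 1 if any failed.
audit_sshd_config() {  # audit_sshd_config <config file>
  f=$1; rc=0
  fail() { printf 'FAIL: %s\n' "$1"; rc=1; }
  # keys rather than passwords (keyboard-interactive also carries passwords)
  [ "$(ssh_opt "$f" PasswordAuthentication yes)" = "no" ] \
    || fail "PasswordAuthentication should be no"
  [ "$(ssh_opt "$f" ChallengeResponseAuthentication yes)" = "no" ] \
    || fail "ChallengeResponseAuthentication should be no"
  [ "$(ssh_opt "$f" PubkeyAuthentication yes)" = "yes" ] \
    || fail "PubkeyAuthentication should be yes"
  # assumed default "yes" for OpenSSH of the period (newer releases differ)
  [ "$(ssh_opt "$f" PermitRootLogin yes)" = "no" ] \
    || fail "PermitRootLogin should be no"
  # only trusted people who need it get shell access
  { [ -n "$(ssh_opt "$f" AllowUsers "")" ] || [ -n "$(ssh_opt "$f" AllowGroups "")" ]; } \
    || fail "no AllowUsers/AllowGroups: every local account may log in"
  # disable anything that isn't absolutely necessary
  [ "$(ssh_opt "$f" X11Forwarding no)" = "no" ] \
    || fail "X11Forwarding should be no"
  [ "$(ssh_opt "$f" AllowTcpForwarding yes)" = "no" ] \
    || fail "AllowTcpForwarding should be no"
  return $rc
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; an empty report with exit status 0 means every listed point is met.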