From: Theo de Raadt
To: Wincent Colaiuta
Cc: freebsd-security@freebsd.org
Subject: Re: Wow (or, How Theo should have handled it)
Date: Thu, 27 Jun 2002 01:43:54 -0600
Message-Id: <200206270743.g5R7hswj029148@cvs.openbsd.org>
In-reply-to: Your message of "Thu, 27 Jun 2002 13:36:59 +0930." <53E21546-8983-11D6-BE6B-003065C60B4C@mac.com>

> Seriously, Theo, the best thing you could've done would have been to
> fully disclose the original bug in the challenge/response code and the
> one-line fix (turn off challenge/response auth), and told people two
> things: firstly, that patches were being worked on; and secondly, that
> 3.4 was on the way soon and that it would be desirable to upgrade to
> that and activate priv separation so as to better cope with future
> potential holes.

The first half of what you say is completely insane; the second half is
exactly what we did.

Fact is, you ranting assholes are complete idiots.  Let me explain.

I alerted many people by saying "Take a security stance now".  MANY MANY
people were saved by this.  The important people; the alert ones.  You have
no idea how many very important institutions have mailed me with a thanks.
Fortune 100 companies did the right thing, and filtered their port 22
access corporation wide a matter of minutes after I said so.
But you, some little home-boy I suspect, are clearly different than them
(mostly, by being long winded loudmouths who don't understand).

I could not say it was ChallengeResponse, because then it is a lot less
code to check.  I could not say what version it happened in, because
2.9 -> 2.9.9 was largely a ChallengeResponse rewrite.  I could not say it
was protocol 2 vs protocol 1.  And we had very little information from ISS
about exactly which systems were vulnerable.  Note how ISS has posted it
is *BSD only?  I am not alone; many vendors and CERT being that they are
going to be proven very very wrong.

Even saying it is *BSD only, or Linux only, to some of the exploit authors
means things like "Hmm, malloc trampoline... GOT table modification"...
and they know better what kind of thing to look for.

I'm not stupid: I know that any of the above details would have resulted
in an exploit.

I still do not believe ISS that this thing was wild.  If it was, we would
already have seen it on BUGTRAQ, because wild does not mean that someone
has an exploit.  Wild means it is being distributed in an out of control
fashion, and people are starting to use it.  As of the posting time -- it
was not wild.  I estimate that in more than half of the cases, as soon as
a bug goes wild, it gets posted because whoever wrote it wants their
credit.

Therefore, we had a timeframe of opportunity, to alert, and have people
take a ready stance, whether that be by changing software, by changing
their filters, by disabling, whatever.

I'm not stupid.  I understand the situation very well.

BUT YOU GUYS ARE STUPID.  YOU DO NOT UNDERSTAND THE SITUATION.

I made an educated guess and largely the evidence is still that I was
right.  You guys turned into a bunch of ranting raving assholes, wasting
my time, and attempting via your noise to slow the spread of the good word
that something was coming.  AND YOU GUYS TRIED TO SLOW PEOPLE'S ACCEPTANCE
OF NEW CODE, without knowing a SINGLE THING about what it was.
You're the worst kind of uneducated idiots, trying to prevent people from
taking a ready stance against an upcoming problem.  "Naw, Theo is just
crying wolf", they said.

Instead of saying a simple workaround and resulting in immediate exploit
development commencing, I alerted that something unknown was coming.  We
wrote a patch in the first 3 minutes of becoming aware of it.  And we went
into overdrive to attack two other possible classes of bugs that we became
aware of during the same week, resulting in 5600 lines of changes.

I did this right.  But some meddling idiots attempted to foil the
efficiency of the warning.

That said, I'll remind people that I have been one of the STRONGEST
proponents for full disclosure, just go read what I've written on BUGTRAQ
over the last 7 years.  And this WAS fully disclosed, in a rapid fashion.
It just had a little warning ahead because I was convinced that it was at
least partially controlled.

Just telling the entire world that the 2nd most common TCP port number
they let through their firewall has this specific easily exploitable
hole, all at once... you're just so out of touch.
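Added example, not part of this thread or of OpenSSH itself: a small POSIX shell audit of an sshd_config for the two settings the messages above argue about, ChallengeResponseAuthentication turned off and UsePrivilegeSeparation turned on. The sample config files are constructed here, and treating an absent ChallengeResponseAuthentication as the default "yes" (and an absent UsePrivilegeSeparation as not hardened) is my conservative assumption.

```shell
#!/bin/sh
# Audit an sshd_config for the "ready stance" discussed in the thread:
# ChallengeResponseAuthentication no and UsePrivilegeSeparation yes.
# Assumption: an absent ChallengeResponseAuthentication means the default
# "yes"; an absent UsePrivilegeSeparation is treated as not hardened.

# effective_setting FILE KEYWORD: print the value of the last uncommented
# occurrence of KEYWORD (sshd keywords are case-insensitive), or nothing.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { val = tolower($2) }
        END { if (val != "") print val }
    ' "$1"
}

# sshd_ready_stance FILE: return 0 if both mitigations are in place,
# otherwise print each weak setting and return 1.
sshd_ready_stance() {
    ok=1
    cr=$(effective_setting "$1" ChallengeResponseAuthentication)
    ps=$(effective_setting "$1" UsePrivilegeSeparation)
    if [ "${cr:-yes}" != "no" ]; then
        echo "$1: ChallengeResponseAuthentication is ${cr:-unset (defaults to yes)}"
        ok=0
    fi
    if [ "$ps" != "yes" ]; then
        echo "$1: UsePrivilegeSeparation is ${ps:-unset}"
        ok=0
    fi
    [ "$ok" -eq 1 ]
}

# Constructed sample configs: a stock one that leaves the defaults in
# place, and a hardened one with a keyword in mixed case and a commented
# out earlier value, both of which sshd accepts.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
printf '# stock config\nPort 22\nProtocol 2,1\n' > "$WEAK_CFG"
printf 'Port 22\nchallengeresponseauthentication NO\n' > "$HARD_CFG"
printf '# UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n' >> "$HARD_CFG"

sshd_ready_stance "$WEAK_CFG" || echo "weak config needs attention"
sshd_ready_stance "$HARD_CFG" && echo "hardened config is in the ready stance"
```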