Date: Thu, 27 Jun 2002 01:37:24 -0700 From: Dragos Ruiu <dr@kyx.net> To: freebsd-security@freebsd.org Subject: re: Meta Wow SSHD has a hole and CERT put out a lot of good info in a very timely fashion. Message-ID: <0206270232160C.09037@smp.kyx.net>
Ok, baiting Theo into being defensive doesn't seem like a good use of this list. In reality, given the past history, you can't really fault him if he says nothing at all to this list. Admittedly he gets somewhat heated and pointed in his remarks when he seems to be getting attacked and yelled at from all corners for trying TO HELP YOU! It's pretty easy to shut up and say nothing and let you discover the bug the hard way on your own :-)

He worked with CERT and many individuals (including myself) to distribute information about this vulnerability. I found him very helpful even when it was obvious that he had been working a long time without rest to assist all of our sorry asses to secure our machines. With assistance from the unpaid OpenSSH team, CERT rapidly put out a thoroughly comprehensive advisory to correct some omissions in other posts on lists such as Bugtraq and some incorrect info from various Linux vendors, as well as rampant gossip mills spinning up on Slashdot and elsewhere. CERT covered the issue, beat it soundly to death and put a few bullets into it to make sure it was dead, so there is a lot of info there for the people who are looking for it. Look at the CERT advisory - they collated excellent information.

Bottom line for me is that the Challenge/Response malloc issue (which is not the only issue fixed in 3.4) was introduced in 2.31 and may or may not be exploitable on various code builds and options, and is definitely mitigated by Niels' very cool Privilege Separation mod - and I don't really care which vendors may or may not claim any moral high ground by not being vulnerable. You should upgrade to the latest and best codebase if at all possible. Anything else seems like mitigable risk. Nitpicking the disclosure timing or process seems to be missing the point, which is just upgrade your code base already...
Any Linux vendors or other high-profile individuals who claim not to trust OpenSSH/Niels/Markus/Theo/whomever obviously haven't seen the intense passion and energy these individuals devote (without reward!) in principle to gallantly develop more secure solutions for them. Stop bitching at them and thank them, for they owe YOU nothing... you are in their debt. (Or else you are just proving the stance of a certain large organization which claims that Linux/open source are just giant trojans in themselves :-). I for one have nothing but the highest respect for the coders on OpenSSH and think they are some of the finest programming minds around (they sure kick my ass in coding) as well as immensely trustworthy persons, and feel glad that there are such smart, dedicated individuals with a high enough moral fiber and dedication to look out for all of us. Honestly, these folks are doing their best to do the right thing, and I have not seen anything in this incident that rates any of this alarm or any form of allegation of wrongdoing or improper procedure.

If there are any charges to be leveled of crying wolf, they should be leveled at the ISS management, who claimed the exploit was in circulation, though one of their engineers wrote it... go figure. They jumped the gun on the slated Monday release for whatever reason and caught a lot of people off guard (and I'm sure some NIPC folks who had planned to be on leave this week before a long weekend are cursing now :-). IMHO the usual IRC/gossip/whatever that I monitor as a course of daily security work had no prewarning about this. The usual candidates like w00w00 etc... were not rampantly distributing exploits before the surprise disclosure this morning. 7350 seems to have known about the exploit but was properly sitting on it, so I have some doubts about the "circulation".
The claimed GOBBLES Linux exploit, which I haven't seen yet, was coded after disclosure afaik, but I'm sure GOBBLES will let us know in their inimitable style. (I dunno, I find that stuff funny and look forward to the latest GOBBLES jokes and slags :-). If you can't laugh....

So folks, please let's stop with the finger pointing and let's focus that energy on getting all those machines upgraded to 3.4 and turn on privilege separation, because it's a major security improvement (thanks again Niels). It will be difficult enough to get all those "marginally administered" machines upgraded so they won't be nice launch points for the next DDoS attack when some kiddie needs his nick back or wants to take over some channel with their bots - without all this needless complaining.

Oh, and thank you to OpenSSH for providing and strongly maintaining an excellent and innovative code base that I can use to affordably make sure I don't have to use telnet. Additionally, a big thank you to all the other derivative code maintainers who watch their work and update their respective platforms. At the end of the day none of these people are getting money to do this work for us or notify _anyone_, so we should all stop criticizing and try to see how we can help them... Now we should all cut them some slack, because all the critical posts are in the wrong, and I'm appalled at the level of criticism being leveled at laudable volunteers, I daresay even computer/network security heroes...

Cheers,
--dr

--
--dr http://dragos.com/dr-dursec.asc
0 = 1; for small values of one and large values of zero
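The post's practical advice is to find the "marginally administered" hosts still running something older than OpenSSH 3.4 and to make sure privilege separation is switched on. The following is an added example (not part of the original message, and not from the OpenSSH project) of how an operator might triage that from the server's version banner and from an sshd_config: it classifies a banner as UPGRADE (OpenSSH older than 3.4), OK (3.4 or newer) or UNKNOWN (not an OpenSSH banner), and reports the UsePrivilegeSeparation setting. The banners and the config snippet are constructed sample strings, not captured from any real host, and the 3.4 threshold is simply the version the post tells everyone to move to.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenSSH project.
# Triage helpers for the "upgrade to 3.4 and turn on privsep" advice.

# Extract the OpenSSH version from a banner such as
# "SSH-1.99-OpenSSH_3.2.3p1" -> "3.2.3". Prints nothing for non-OpenSSH banners.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if a dotted version is older than 3.4, 1 otherwise.
# Compares the major and minor components numerically.
older_than_3_4() {
    maj=${1%%.*}
    rest=${1#*.}
    [ "$rest" = "$1" ] && rest=0   # bare major like "3" has no minor part
    min=${rest%%.*}
    if [ "$maj" -lt 3 ]; then return 0; fi
    if [ "$maj" -eq 3 ] && [ "$min" -lt 4 ]; then return 0; fi
    return 1
}

# Classify a banner: UPGRADE, OK or UNKNOWN.
banner_status() {
    ver=$(openssh_version "$1")
    if [ -z "$ver" ]; then
        echo UNKNOWN
    elif older_than_3_4 "$ver"; then
        echo UPGRADE
    else
        echo OK
    fi
}

# Read an sshd_config on stdin and print the UsePrivilegeSeparation value
# ("yes", "no", ...) or "unset" if the directive is absent. Keywords are
# case-insensitive in sshd_config; commented-out lines start with "#" and so
# never match the keyword. The last occurrence wins, as it would for sshd.
privsep_setting() {
    awk '{ if (tolower($1) == "useprivilegeseparation") v = tolower($2) }
         END { print (v == "" ? "unset" : v) }'
}

# Demo on constructed banners (not real hosts).
for b in 'SSH-1.99-OpenSSH_3.2.3p1' 'SSH-2.0-OpenSSH_3.4p1' 'SSH-2.0-Sun_SSH_1.0'; do
    printf '%-28s %s\n' "$b" "$(banner_status "$b")"
done

# Demo on a constructed sshd_config fragment.
printf 'Port 22\n#UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n' | privsep_setting
```

In practice the banner comes from `nc host 22 </dev/null | head -1` or from a scan tool's output, and the config check is run on each host; anything reported as UPGRADE, or with privsep "no" or "unset", goes on the list the post is talking about.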