From owner-freebsd-security Tue Jun 25 00:00:31 2002
From: Tony Landells
To: Darren Reed
Cc: ahl@austclear.com.au (Tony Landells), freebsd-security@FreeBSD.ORG
Subject: Re: Hogwash
In-Reply-To: Message from Darren Reed of "Tue, 25 Jun 2002 16:25:18 +1000." <200206250625.QAA01010@caligula.anu.edu.au>
Date: Tue, 25 Jun 2002 16:59:04 +1000
Message-Id: <200206250659.QAA09566@tungsten.austclear.com.au>

avalon@coombs.anu.edu.au said:
> This *is* what they claim to do.

Just because it's what they claim, it doesn't mean you have to believe them.

> Personally, I think their claims are unrealistic and all the hype
> about "software audit" is just that - hype.  If the OpenSSH team are
> working with ISS on a fix then it seems to me that ISS found this
> problem, not the OpenSSH team.  Why did the audit by the OpenSSH team
> miss this problem?  Isn't this what their code audits are meant to
> find - security bugs?  What benefit are we *really* getting from
> their "code audits"?

One would have thought that was a reasonable goal in performing an audit on a security product.
However, if the exploit is based on semantic rather than syntactic errors, then it may have snuck through the audit.

As a legal friend of mine says when someone asks for free advice, "this will be worth exactly what you pay for it..."  I apply the same grain of salt to free software.

I had the option of performing my own code audit on OpenSSH.  I chose not to.

I understand that a lot of people are unhappy at the state of play.  Here's a perfect opportunity to choose a different path.  Show your displeasure by not using the software.

Tony
--
Tony Landells
Senior Network Engineer                 Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd    Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia