From owner-freebsd-security Tue Jun 25 1:41:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 5055237B403 for ; Tue, 25 Jun 2002 01:41:52 -0700 (PDT) Received: from sheldonh by axl.seasidesoftware.co.za with local (Exim 3.36 #1) id 17MluO-000JAx-00; Tue, 25 Jun 2002 10:42:44 +0200 Date: Tue, 25 Jun 2002 10:42:44 +0200 From: Sheldon Hearn To: Mike Silbersack Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625084244.GC73283@starjuice.net> Mail-Followup-To: Mike Silbersack , freebsd-security@FreeBSD.ORG References: <20020625041946.GA6840@edgemaster.zombie.org> <20020624233910.V55382-100000@patrocles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020624233910.V55382-100000@patrocles.silby.com> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On (2002/06/24 23:45), Mike Silbersack wrote: > I think this thread needs to die very soon. Theo's solution to this bug > is unorthodox, but it should serve to protect those who are willing to > upgrade. He does not deserve all the bashing you're giving him. Thank you, Mike. :-) It seems to me that a number of people have chosen to use this situation as an opportunity for some Theo-bashing. Very poor show, I think. The facts are: 1) Theo has warned that the details of a vulnerability will be published this coming Monday. This disclosure will constitute full disclosure. 2) This disclosure will open a race between the blackhats and administrators. 3) Theo's warning offers two ways for administrators to avoid the race: change your software or disable the software until disclosure. The disclosure of these avoidance methods does not assist the blackhats. Personally, I don't think adminsitrators could ask for more. I'm _very_ glad that the OpenSSH team hasn't told anyone else about a hole I can't patch against yet. I'm equally glad that, until the hole and patch are disclosed, there's a way for me to cover the hole up. Those of you who thought "Theo is well-hated, nobody will look down on me for pissing on him", you were wrong. You just ended up looking stupid. Shame on you! Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message