From: Benjamin Krueger
To: Brett Glass
Cc: Mike Tancsa, Darren Reed, freebsd-security@FreeBSD.ORG
Date: Wed, 26 Jun 2002 09:35:38 -0700
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)

* Brett Glass (brett@lariat.org) [020626 09:26]:
> Mike:
>
> It is clear that Theo was attempting to have people apply the workaround
> which had the least chance of revealing the nature of the bug in advance,
> lest it be discovered by others and exploited.
>
> It's truly sad that ISS, which knew about Theo's advisory, released this
> information today, instead of next week as Theo asked them to. If Theo's
> roadmap for disclosure had been followed, more administrators could have
> been informed about the bug, and they would have had time to take
> preventive measures through the weekend before the skript kiddies began
> their race to exploit the bug. Now, the race has begun. In fact, the
> problem has been exacerbated because administrators who *could* have
> secured their systems thought they'd have time to do so over the weekend.
>
> Theo made a worthy attempt to minimize harm (which should be the goal of
> any security policy). It's a shame that ISS sought the spotlight instead
> of doing the same.
>
> --Brett Glass

Minimized harm? The great majority of systems are (were) not vulnerable.

As for the start of the race? It started the minute Theo's notice hit
bugtraq. Had he said "Use PrivSep or disable ChallengeResponseAuthentication"
anyone who *was* vulnerable could have been secured in about 24 seconds.
Somehow, I don't think that the script kiddies could find the
vulnerability from such minimal information, write an exploit, distribute
it amongst each other, scan the entire internet for the few vulnerable
machines around, and exploit them in a period of 24 seconds, or even 24
hours. Call me skeptical.

I won't even start on how much industry time (and thus, money) was wasted
while administrators upgraded (many needlessly) their servers. In many
companies, on the order of hundreds or thousands of servers in a farm.

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18