From owner-freebsd-security Wed Jun 26 9:46:29 2002
From: Christoph Wegener
To: Brett Glass, Benjamin Krueger
Cc: Mike Tancsa, Darren Reed, freebsd-security@FreeBSD.ORG
Date: Wed, 26 Jun 2002 18:44:35 +0200
Organization: Lehrstuhl fuer Biophysik - Ruhr-Universitaet Bochum
In-Reply-To: <20020626093538.B8071@mail.seattleFenix.net>
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
X-Mailer: Opera 6.03 build 1107

26.6.2002 18:35:38, Benjamin Krueger wrote:

Sorry to say: but I _TOTALLY_ agree with the words of Benjamin!!!!!!!!!!!!

> Minimized harm? The great majority of systems are (were) not vulnerable.
> As for the start of the race? It started the minute Theo's notice hit bugtraq.
>
> Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone
> who *was* vulnerable could have been secured in about 24 seconds. Somehow, I
> don't think that the script kiddies could find the vulnerability from
> such minimal information, write an exploit, distribute it amongst each other,
> scan the entire internet for the few vulnerable machines around, and exploit
> them in a period of 24 seconds, or even 24 hours. Call me skeptical.
>
> I won't even start on how much industry time (and thus, money) was wasted
> while administrators upgraded (many needlessly) their servers. In many
> companies, on the order of hundreds or thousands of servers in a farm.
>
> --
> Benjamin Krueger

--
   .-.       Ruhr-Universitaet Bochum
   /v\       L I N U X          Lehrstuhl fuer Biophysik
  // \\    >Penguin Computing<  c/o Christoph Wegener
 /(   )\     Gebaeude ND 04/Nord
  ^^-^^      D-44780 Bochum, GERMANY
Tel: +49 (234) 32-25754   Fax: +49 (234) 32-14626
mailto:cwe@bph.ruhr-uni-bochum.de   http://www.bph.ruhr-uni-bochum.de

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message