Date: Wed, 26 Jun 2002 18:51:11 +0200 (CEST)
From: Attila Nagy
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)

Hello,

> >As for the start of the race? It started the minute Theo's notice hit
> >bugtraq.
> No, it didn't. The skript kiddies didn't know where the bug was.

Correct me if I'm wrong, but people called "script kiddies" can't really code. They just use tools (scripts) from other people. Of course there are crackers (black hats if you wish), for whom this information could be usable.

> He DID say to use PrivSep. He did not say to disable
> ChallengeResponseAuthentication for a reason: it would have clued the
> kiddies into the location of the bug.

People, before you go crazy, think a little. Theo did you a favor when he released his letter. Why? Because now all of you are using privsep, which will hopefully help you if another 100 exploits are released/found in OpenSSH...

This is what they call "proactive security" :)

--------[ Free Software ISOs - ftp://ftp.fsn.hu/pub/CDROM-Images/ ]-------
Attila Nagy                              e-mail: Attila.Nagy@fsn.hu
Free Software Network (FSN.HU)           phone @work: +361 210 1415 (194)
                                         cell.: +3630 306 6758