Date: Wed, 26 Jun 2002 13:24:16 -0400
From: Bosko Milekic <bmilekic@unixdaemons.com>
To: Brett Glass <brett@lariat.org>
Cc: Mike Tancsa <mike@sentex.net>, Darren Reed <avalon@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
Message-ID: <20020626132416.A42340@unixdaemons.com>
In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 10:23:14AM -0600
References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost>
On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote:

> Mike:
>
> It is clear that Theo was attempting to have people apply the workaround
> which had the least chance of revealing the nature of the bug in advance,
> lest it be discovered by others and exploited.
>
> It's truly sad that ISS, which knew about Theo's advisory, released this
> information today, instead of next week as Theo asked them to. If Theo's
> roadmap for disclosure had been followed, more administrators could have
> been informed about the bug, and they would have had time to take
> preventive measures through the weekend before the skript kiddies began
> their race to exploit the bug. Now, the race has begun. In fact, the
> problem has been exacerbated because administrators who *could* have
> secured their systems thought they'd have time to do so over the weekend.
>
> Theo made a worthy attempt to minimize harm (which should be the goal of
> any security policy). It's a shame that ISS sought the spotlight instead
> of doing the same.
>
> --Brett Glass

I think that what you're saying is reasonable, however, I know (now almost
for a fact) that there was an exploit going around already. So, it's better
that the information has been released sooner than later.

And, since it appears that the OpenSSH that ships with our -STABLE is not
affected, all the easier this is for those of us who were in the middle of
implementing "drastic measures" (for fear of the worst), as it allows us to
step back, relax, and enjoy the fireworks.

-Bosko