Date:      Wed, 26 Jun 2002 14:31:22 -0600
From:      Colin Faber <cfaber@fpsn.net>
To:        Brett Glass <brett@lariat.org>
Cc:        Benjamin Krueger <benjamin@seattleFenix.net>, Mike Tancsa <mike@sentex.net>, Darren Reed <avalon@coombs.anu.edu.au>, freebsd-security@FreeBSD.ORG
Subject:   Re: The "race" that Theo sought to avoid has begun (Was:OpenSSH  Advisory)
Message-ID:  <3D1A249A.28B3C57D@fpsn.net>
References:  <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost>

I was under the impression that "Security through Obscurity" was no
way to secure a system.

Has this changed at some point in the last month or so?


Brett Glass wrote:
> 
> At 10:35 AM 6/26/2002, Benjamin Krueger wrote:
> 
> >  Minimized harm? The great majority of systems are (were) not vulnerable.
> 
> Not true at all. OpenBSD, NetBSD, and most recent Linux distributions were
> and are vulnerable.
> 
> >As for the start of the race? It started the minute Theo's notice hit bugtraq.
> 
> No, it didn't. The skript kiddies didn't know where the bug was.
> 
> >  Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone
> >who *was* vulnerable could have been secured in about 24 seconds.
> 
> He DID say to use PrivSep. He did not say to disable
> ChallengeResponseAuthentication for a reason: it would have clued the kiddies
> into the location of the bug.
> 
> >Somehow, I
> >don't think that the script kiddies could find the vulnerability from
> >such minimal information,
> 
> Mentioning ChallengeResponseAuthentication would have been a big hint.
> 
> >  I won't even start on how much industry time (and thus, money) was wasted
> >while administrators upgraded (many needlessly) their servers.
> 
> Most needed to upgrade. FreeBSD's releases appear to have dodged the bullet
> by sheer luck.
> 
> --Brett
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Colin Faber
(303) 736-5160
fpsn.net, Inc.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D1A249A.28B3C57D>