From owner-freebsd-security Wed Jun 26 13:44:06 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id C48E737CDD9 for ; Wed, 26 Jun 2002 13:31:31 -0700 (PDT)
Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g5QKVGV71603; Wed, 26 Jun 2002 14:31:16 -0600 (MDT)
Message-ID: <3D1A249A.28B3C57D@fpsn.net>
Date: Wed, 26 Jun 2002 14:31:22 -0600
From: Colin Faber
Organization: fpsn.net, Inc. (http://www.fpsn.net)
X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: Benjamin Krueger, Mike Tancsa, Darren Reed, freebsd-security@FreeBSD.ORG
Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)
References: <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
X-Loop: FreeBSD.org

I was under the impression that "Security through Obscurity" was no way to
secure a system. Has this changed at some point in the last month or so?

Brett Glass wrote:
>
> At 10:35 AM 6/26/2002, Benjamin Krueger wrote:
>
> > Minimized harm? The great majority of systems are (were) not vulnerable.
>
> Not true at all. OpenBSD, NetBSD, and most recent Linux distributions were
> and are vulnerable.
>
> > As for the start of the race? It started the minute Theo's notice hit bugtraq.
>
> No, it didn't. The skript kiddies didn't know where the bug was.
>
> > Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone
> > who *was* vulnerable could have been secured in about 24 seconds.
>
> He DID say to use PrivSep. He did not say to disable
> ChallengeResponseAuthentication for a reason: it would have clued the kiddies
> into the location of the bug.
>
> > Somehow, I
> > don't think that the script kiddies could find the vulnerability from
> > such minimal information,
>
> Mentioning ChallengeResponseAuthentication would have been a big hint.
>
> > I won't even start on how much industry time (and thus, money) was wasted
> > while administrators upgraded (many needlessly) their servers.
>
> Most needed to upgrade. FreeBSD's releases appear to have dodged the bullet
> by sheer luck.
>
> --Brett
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Colin Faber
(303) 736-5160
fpsn.net, Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
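The two mitigations argued over in the quoted reply, "use PrivSep or disable ChallengeResponseAuthentication", are both sshd_config settings, and an administrator deciding whether to upgrade would first want to know which of them a host already has. The script below is an added example, not part of the thread or of OpenSSH; the function names and the sample config files are constructed here, and the script assumes sshd_config's "keyword value" syntax with '#' comments and first-occurrence-wins semantics.

```shell
#!/bin/sh
# Added check, not from the thread: report whether an sshd_config carries
# either mitigation named in the discussion. sshd keywords and yes/no
# values are case-insensitive, '#' starts a comment, and the FIRST
# occurrence of a keyword is the one sshd uses, so a later line does not
# override an earlier one.

# Print the effective (first-match) value of keyword $2 in file $1, lowercased.
sshd_opt() {
  sed -e 's/#.*//' "$1" | awk -v k="$2" '
    tolower($1) == tolower(k) { print tolower($2); exit }'
}

# Exit 0 when ChallengeResponseAuthentication is off or privilege separation
# is on, otherwise 1. An absent ChallengeResponseAuthentication counts as
# "yes", OpenSSH's default for that keyword; an absent UsePrivilegeSeparation
# is treated as not configured rather than guessing a version-specific default.
sshd_race_mitigated() {
  cra=$(sshd_opt "$1" ChallengeResponseAuthentication)
  ups=$(sshd_opt "$1" UsePrivilegeSeparation)
  [ "${cra:-yes}" = "no" ] && return 0
  [ "$ups" = "yes" ] && return 0
  return 1
}

# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
# challenge-response left at its default, privsep never configured
ChallengeResponseAuthentication yes
EOF
cat > "$tmp/fixed" <<'EOF'
UsePrivilegeSeparation yes
ChallengeResponseAuthentication no
EOF
cat > "$tmp/first_wins" <<'EOF'
ChallengeResponseAuthentication yes   # sshd keeps this line
ChallengeResponseAuthentication no    # ignored: not the first occurrence
EOF

for f in weak fixed first_wins; do
  if sshd_race_mitigated "$tmp/$f"; then
    echo "$f: mitigated"
  else
    echo "$f: exposed"
  fi
done
```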