
Re: ISS: OpenSSH Remote Challenge Vulnerability



Alex de Joode wrote:

> So one config option seems could have saved the day ..
> 
> Than why so much fuss, tech-push ?

Depends on your definition of "saved the day".

The point was to give people warning so they could UPDATE before the
bad guys found out why.

Say "Here's the problem and here is a quick fix", and you basically tell the
bad guys where to look, and they feed the script kiddies.

Keep in mind, the OpenBSD philosophy is PROACTIVE security.  Rather
than waiting for problems to come to us, they look for them.  It
seems, they found this one before the bad guys did.  To go to instant
full-disclosure would have been very bad, as OpenBSD still had the
jump on the bad guys.

If you use the traditional Windows/Linux philosophy of bug reporting
here, things look "wrong", perhaps.  Denying/hiding a known exploit is
dangerous.  Here, however, things were different -- they weren't
hiding a known _exploit_, they were hiding a known _bug without an
exploit_ until people had a chance to implement a fix for it.  There
is a huge difference there.

Nick.
-- 
http://www.holland-consulting.net