Re: OpenSSH: What went wrong?
In some mail from kjell@pintday.org, sie said:
>
> > So what are you doing to prevent this sort of thing from recurring?
>
> Nothing, Darren. We're gonna sit here on our hands. I mean,
> the remote vulnerability record is gone. Why should we bother anymore?
That's not what I was looking for and that's not what lots of other
people are looking to hear either. I'm not particularly interested
in sarcasm either - the humour of it is not appreciated at this point
in time.
This question was about openssh - ok, so it's on an openbsd list.
There has been lots of shouting and so forth in the past about how
OpenSSH/BSD is audited and how the team of coders is so security
conscious, etc, but then something like this happens.
What I was really looking for was some sort of statement saying that
all new code would be checked more closely, not some cop-out about
how this was a new kind of problem or anything else.
What I expect is to hear about how the process of getting (new) code
into OpenSSH becomes tougher and must be reviewed by at least 1 other
person before being committed and then maybe another after commit.
Ok, the software might be for free and it might be a case of you get
what you pay for, BUT, you are "selling" it with a lot of hype and
building a lot of expectation in the user community. Does anyone
actually plan to deliver on that or is it just lies, like those you get
from a politician in the lead-up to an election?
Lots of people's security depends on this (openssh) so it's important
for me and a lot of others that someone gets it right.
> > I don't particularly like the idea that this is a "new type of overflow".
>
> Yeah. And I was sort of annoyed when format string vulnerabilities
> came on the scene. What is your point?
A proper code audit would have picked it up.
> > What that says to me is that you aren't really auditing software
> > properly if these kinds of things have slipped through previous audits.
>
> And you aren't auditing software at all.
What makes you say that?
Darren