SSH - are you nuts!?!
by Jesus Monroy, Jr.
I'm too tired to get this out, but I promised it would
be available, so here it is.
The Official Part
On Jan. 4, 2001, a talk entitled "ssh - are you nuts!?!"
will be given at
On 29 Dec, Wes Peters wrote:
Bill Fumerola wrote:
On Wed, Dec 27, 2000 at 04:04:36PM -0800, [EMAIL PROTECTED] wrote:
Bill Fumerola, who states that security policy
information is un-available. However, I might
refer his comment to the Security Officer instead,
On 28 Dec, Mark Murray wrote:
Okay, can you be specific about what you mean by
"There was a time that we were very lax".
If there was a change of server identity, then we did not necessarily
announce what the new identity was in a way that people could trust.
These days, a member of
Bill Fumerola wrote:
On Wed, Dec 27, 2000 at 04:04:36PM -0800, [EMAIL PROTECTED] wrote:
Bill Fumerola, who states that security policy
information is un-available. However, I might
refer his comment to the Security Officer instead,
if Bill feels this
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 28, 2000 1:05 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Thread DIES [Re: ssh - are you nuts?!? ]
On 26 Dec, Mike Smith wrote
On Wed, Dec 27, 2000 at 04:04:36PM -0800, [EMAIL PROTECTED] wrote:
Bill Fumerola, who states that security policy
information is un-available. However, I might
refer his comment to the Security Officer instead,
if Bill feels this appropriate.
for the public record:
On 28 Dec, Bill Fumerola wrote:
On Wed, Dec 27, 2000 at 04:04:36PM -0800, [EMAIL PROTECTED] wrote:
Bill Fumerola, who states that security policy
information is un-available. However, I might
refer his comment to the Security Officer instead,
if Bill feels this
On Tue, Dec 26, 2000 at 07:45:36AM -0800, [EMAIL PROTECTED] wrote:
If I read what you are saying, and please correct me if I'm wrong,
you are saying "the original keys were never .".
Which original keys are you talking about?
Are you saying that the original SSH Public Keys for the
On 26 Dec, Wes Peters wrote:
[EMAIL PROTECTED] wrote:
On 25 Dec, David O'Brien wrote:
On Fri, Dec 22, 2000 at 11:28:07PM -0800, Kris Kennaway wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
On 26 Dec, Mark Murray wrote:
Which original keys are you talking about?
SSH public server keys. (Sometimes called "server identities").
Are you saying that the original SSH Public Keys for the servers
were always sent in the clear, without PGP signature or anything?
David was saying
On 25 Dec, David O'Brien wrote:
On Mon, Dec 25, 2000 at 06:34:09PM -0800, Mike Smith wrote:
No, in several particulars. "The FreeBSD Project" doesn't change the SSH
keys on the FreeBSD.org machines.
Not changed for change sake, but failure to do anything to preserve them.
David
On 26 Dec, Mike Smith wrote:
If it is FUD as you claim, then the call should be made
by the SO. This would seem to be prudent policy.
Jesse, Kris *is* the Security Officer.
Now, please let this thread die.
Mike,
You and I don't often agree, but this time is worth noting.
I agree.
Okay Wes, This is your original message.
You state:
"This is exactly the sort of problem we need to solve..."
In the context of this message I must assume that since
the subject is SSH, then you are referring to SSH.
If not, there is nothing in the message that would
lead me to believe
Okay, can you be specific about what you mean by
"There was a time that we were very lax".
If there was a change of server identity, then we did not necessarily
announce what the new identity was in a way that people could trust.
These days, a member of the Security Officer team sends out an
On Mon, Dec 25, 2000 at 09:27:49PM -0800, David O'Brien wrote:
On Mon, Dec 25, 2000 at 08:29:01PM -0800, Kris Kennaway wrote:
Umm, are you actually talking about real incidents here, or just
spreading FUD?
REAL incidents. Please remember I've been a committer longer than you have.
This
On Tue, Dec 26, 2000 at 04:22:59AM -0800, David O'Brien wrote:
On Tue, Dec 26, 2000 at 04:02:52AM -0800, Kris Kennaway wrote:
REAL incidents. Please remember I've been a committer longer than you have.
This has nothing to do with it, since both of the times you are
referring to are well
On 25 Dec, Warner Losh wrote:
In message [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
: JKH, DG, CORE respond.
Core does not respond to mail not directed to it.
Posting rules do not allow me to send to more than two
groups. Can you recommend a course of action?
To Unsubscribe: send
On 25 Dec, Warner Losh wrote:
In message [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
: JKH, DG, CORE respond.
Core does not respond to mail not directed to it.
Posting rules do not allow me to send to more than two
groups. Can you recommend a course of action?
Short of intensive
On 25 Dec, Mike Smith wrote:
And we, the FreeBSD Project, don't do a thing to help this situation.
We change the SSH keys on the freebsd.org machines left and right w/o
*ANY* notice to committers that they have been changed. So we've trained
our own committers to have sloppy habits
On 25 Dec, Peter Wemm wrote:
"David O'Brien" wrote:
And the best we've
ever done is in the "HEADS UP: New host key for freefall!" thread started
by Peter Wemm on Tue, 16 May 2000 23:26:33.
... which the thread and FUD was a total load of shit, because the original
keys were never
On 26 Dec, Kris Kennaway wrote:
On Mon, Dec 25, 2000 at 09:27:49PM -0800, David O'Brien wrote:
On Mon, Dec 25, 2000 at 08:29:01PM -0800, Kris Kennaway wrote:
Umm, are you actually talking about real incidents here, or just
spreading FUD?
REAL incidents. Please remember I've been a
If it is FUD as you claim, then the call should be made
by the SO. This would seem to be prudent policy.
Jesse, Kris *is* the Security Officer.
Now, please let this thread die.
--
... every activity meets with opposition, everyone who acts has his
rivals and unfortunately opponents also.
On 26 Dec, Kris Kennaway wrote:
On Tue, Dec 26, 2000 at 04:22:59AM -0800, David O'Brien wrote:
If you feel I've given the wrong impression, fine. Just say that, and
I'll clear up that I'm not saying it is intentionally done if that is
what people think. But admit to the lack of care of
Which original keys are you talking about?
SSH public server keys. (Sometimes called "server identities").
Are you saying that the original SSH Public Keys for the servers
were always sent in the clear, without PGP signature or anything?
David was saying that, but he's wrong. There was a
On Tue, Dec 26, 2000 at 08:04:20AM -0800, [EMAIL PROTECTED] wrote:
You are complaining to the wrong audience. Talk to [EMAIL PROTECTED],
not the FreeBSD user community.
I disagree with your statement.
From what I'm reading, it seems that "the enforcement of policy"
has been lacking
[EMAIL PROTECTED] wrote:
This is one of the stupidest trolls I've ever found, and is completely
inappropriate for freebsd-security. Try over on -chat.
I'm not sure of this. SSH is about Secure SHell. It's this
where I might get technical answers about security?
This mailing list is
On Tue, Dec 26, 2000 at 04:43:37AM -0800, Kris Kennaway wrote:
P.S. Please stop dropping the mailing list from the CC list of your
responses..
Thank you for taking away my right to take a discussion private, and
posting my *private* response to a public mailing list.
On Tue, Dec 26, 2000 at 06:09:26PM +0200, Mark Murray wrote:
Are you saying that the original SSH Public Keys for the servers
were always sent in the clear, without PGP signature or anything?
David was saying that, but he's wrong.
How I enjoy when someone tries to put words in my mouth.
[EMAIL PROTECTED] wrote:
On 25 Dec, David O'Brien wrote:
On Fri, Dec 22, 2000 at 11:28:07PM -0800, Kris Kennaway wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
explicitly to do insecure things like
On Tue, Dec 26, 2000 at 11:20:34AM -0800, David O'Brien wrote:
On Tue, Dec 26, 2000 at 04:43:37AM -0800, Kris Kennaway wrote:
P.S. Please stop dropping the mailing list from the CC list of your
responses..
Thank you for taking away my right to take a discussion private, and
posting my
On Sat, Dec 23, 2000 at 02:16:51AM -0800, [EMAIL PROTECTED] wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
explicitly to do insecure things like connect to a server which is
suddenly not the one you're
On Fri, Dec 22, 2000 at 11:28:07PM -0800, Kris Kennaway wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
explicitly to do insecure things like connect to a server which is
suddenly not the one you're used to
David O'Brien wrote:
On Fri, Dec 22, 2000 at 11:28:07PM -0800, Kris Kennaway wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
explicitly to do insecure things like connect to a server which is
suddenly
On Mon, Dec 25, 2000 at 03:37:38PM -0700, Wes Peters wrote:
David O'Brien wrote:
our own committers to have sloppy habits that could lead a malicious code
added to the FreeBSD CVS source repository.
This is exactly the sort of problem we need to solve in a usable and secure
manner, so
On 24 Dec, Dan Langille wrote:
On 23 Dec 2000, at 2:00, [EMAIL PROTECTED] wrote:
On 23 Dec, Dan Langille wrote:
On 23 Dec 2000, at 13:25, David Preece wrote:
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better
than say telnet. Or what
Your comments noted.
thanks
Jessem.
On 23 Dec, Christian Weisgerber wrote:
[EMAIL PROTECTED] wrote:
I've already circulated this message to the OpenBSD
'tech' mailing list and the NetBSD 'security' mailing
list.
Indeed. Please ignore him, he's a troll.
To
Your comments noted.
Jessem.
On 23 Dec, Bill Fumerola wrote:
On Sat, Dec 23, 2000 at 02:00:54AM -0800, [EMAIL PROTECTED] wrote:
It is possible. It is not trivial.
What leads you to believe that it's not trivial?
A functioning brain.
On 23 Dec, Bengt Richter wrote:
You are clueless as to the effect of your word choices.
Thank you for reading that.
I would beg to differ.
Please note that I am not writing this to flame, but in
an attempt to be helpful ;-)
I appreciate all persons with the intent to help.
At 15:37
On 23 Dec, Wes Peters wrote:
[EMAIL PROTECTED] wrote:
Thank you for your attention.
Next month I'm giving a talk about the evils of SSH.
The talk schedule is posted on:
http://www.svbug.com/events/
I've already circulated this message to the OpenBSD
'tech' mailing list and the NetBSD
On Mon, 25 Dec 2000 [EMAIL PROTECTED] wrote:
I've re-read this sentence many times. I've made no
"implicit" assertions. If you believe I have please
feel free to email me personally. Perhaps I could
have balanced the statement with:
"about the goods and evils of SSH."
But again, that
On 25 Dec, Kris Kennaway wrote:
On Sat, Dec 23, 2000 at 02:16:51AM -0800, [EMAIL PROTECTED] wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
explicitly to do insecure things like connect to a server
On 25 Dec, David O'Brien wrote:
On Fri, Dec 22, 2000 at 11:28:07PM -0800, Kris Kennaway wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
explicitly to do insecure things like connect to a server which is
In message [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
: JKH, DG, CORE respond.
Core does not respond to mail not directed to it.
Warner
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
In message [EMAIL PROTECTED], Warner Losh writes:
In message [EMAIL PROTECTED] [EMAIL PROTECTED] writes
:
: JKH, DG, CORE respond.
Core does not respond to mail not directed to it.
Not to mention the basic problem of J Random Luser *demanding* a response.
-s
And we, the FreeBSD Project, don't do a thing to help this situation.
We change the SSH keys on the freebsd.org machines left and right w/o
*ANY* notice to committers that they have been changed. So we've trained
our own committers to have sloppy habits that could lead a malicious code
In message [EMAIL PROTECTED] Peter Seebach writes:
: In message [EMAIL PROTECTED], Warner Losh writes:
: In message [EMAIL PROTECTED] [EMAIL PROTECTED] writes
: :
: : JKH, DG, CORE respond.
:
: Core does not respond to mail not directed to it.
:
: Not to mention the basic problem of J Random
On Mon, Dec 25, 2000 at 11:46:16AM -0800, David O'Brien wrote:
On Fri, Dec 22, 2000 at 11:28:07PM -0800, Kris Kennaway wrote:
Incorrect..the problems with SSH come down to flaws in the human
operator who ignore the warnings SSH gives them, and tell it
explicitly to do insecure things like
On Mon, Dec 25, 2000 at 06:34:09PM -0800, Mike Smith wrote:
No, in several particulars. "The FreeBSD Project" doesn't change the SSH
keys on the FreeBSD.org machines.
Not changed for change sake, but failure to do anything to preserve them.
David has probably been drinking too much; it's
On Mon, Dec 25, 2000 at 08:29:01PM -0800, Kris Kennaway wrote:
Umm, are you actually talking about real incidents here, or just
spreading FUD?
REAL incidents. Please remember I've been a committer longer than you have.
The last two times a freebsd.org host key has been changed, that I am
-BEGIN PGP SIGNED MESSAGE-
In message [EMAIL PROTECTED] "David O'Brien" writes:
: Uh no. Both of those times that a message was sent out, it wasn't even
: signed (Internet on 10 May 2000 and Freefall on 16 May 2000). Hop on
: over to the archives on hub.freebsd.org and get your facts
"David O'Brien" wrote:
And the best we've
ever done is in the "HEADS UP: New host key for freefall!" thread started
by Peter Wemm on Tue, 16 May 2000 23:26:33.
.. which the thread and FUD was a total load of shit, because the original
keys were never announced or signed or anything. The new
LOL :)
On Sun, Dec 24, 2000 at 06:55:40PM +, void wrote:
On Sat, Dec 23, 2000 at 02:00:54AM -0800, [EMAIL PROTECTED] wrote:
On 23 Dec, Dan Langille wrote:
It is possible. It is not trivial.
What leads you to believe that it's not trivial?
Eliza, is that you?
--
void wrote:
On Sat, Dec 23, 2000 at 02:00:54AM -0800, [EMAIL PROTECTED] wrote:
On 23 Dec, Dan Langille wrote:
It is possible. It is not trivial.
What leads you to believe that it's not trivial?
Eliza, is that you?
god that takes me back!
--
__--_|\ Julian
On Fri, Dec 22, 2000 at 07:42:20PM -0500, Chris BeHanna wrote:
(At least one large company I know of has stated flatly, for example, that
sending a root password over the wire in the clear is grounds for immediate
termination.)
This is a very security conscious company, but I think they are
* Giorgos Keramidas [EMAIL PROTECTED] [001224 13:39] wrote:
On Fri, Dec 22, 2000 at 07:42:20PM -0500, Chris BeHanna wrote:
(At least one large company I know of has stated flatly, for example, that
sending a root password over the wire in the clear is grounds for immediate
termination.)
On Sun, Dec 24, 2000 at 02:35:30PM -0800, Alfred Perlstein wrote:
* Giorgos Keramidas [EMAIL PROTECTED] [001224 13:39] wrote:
On Fri, Dec 22, 2000 at 07:42:20PM -0500, Chris BeHanna wrote:
(At least one large company I know of has stated flatly, for example, that
sending a root password over the
* Giorgos Keramidas [EMAIL PROTECTED] [001224 19:28] wrote:
On Sun, Dec 24, 2000 at 02:35:30PM -0800, Alfred Perlstein wrote:
* Giorgos Keramidas [EMAIL PROTECTED] [001224 13:39] wrote:
On Fri, Dec 22, 2000 at 07:42:20PM -0500, Chris BeHanna wrote:
(At least one large company I know of has
On 23 Dec, Dan Langille wrote:
On 23 Dec 2000, at 13:25, David Preece wrote:
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better
than say telnet. Or what advantages SSH has in general.
Sorry, don't have time to reply to this properly.
The main
On 22 Dec, Chris BeHanna wrote:
On Sat, 23 Dec 2000, David Preece wrote:
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better than say
telnet. Or what advantages SSH has in general.
Sorry, don't have time to reply to this properly.
The main evil
On 22 Dec, Garance A Drosihn wrote:
At 3:37 PM -0800 12/22/00, [EMAIL PROTECTED] wrote:
Thank you for your attention.
Next month I'm giving a talk about the evils of SSH.
The talk schedule is posted on:
http://www.svbug.com/events/
I've already circulated this message to the OpenBSD
'tech'
Mr Clark,
Could I trouble you to use your comments in my talk?
Jessem.
On 22 Dec, Crist J. Clark wrote:
||_
| PLEASE DO | | |
| NOT FEED | | THANK |
| THE TROLLS | | YOU
On 22 Dec, Kris Kennaway wrote:
On Sat, Dec 23, 2000 at 01:25:11PM +1300, David Preece wrote:
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better
than say telnet. Or what advantages SSH has in general.
Sorry, don't have time to reply to this
On 23 Dec 2000, at 2:00, [EMAIL PROTECTED] wrote:
On 23 Dec, Dan Langille wrote:
On 23 Dec 2000, at 13:25, David Preece wrote:
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better
than say telnet. Or what advantages SSH has in general.
On Sat, Dec 23, 2000 at 02:00:54AM -0800, [EMAIL PROTECTED] wrote:
It is possible. It is not trivial.
What leads you to believe that it's not trivial?
A functioning brain.
--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
PS.
You are clueless as to the effect of your word choices.
Thank you for reading that.
Please note that I am not writing this to flame, but in
an attempt to be helpful ;-)
At 15:37 2000-12-22 -0800 [EMAIL PROTECTED] wrote:
Thank you for your attention.
Your subject line got my attention,
of all conversations.
The tone of your initial post will more likely set the tone of this
conversation. Try to be more objective when you find technical
problems with security software that people trust. Saying "ssh - are
you nuts?!?" is kind of like yelling "fire" in a th
At 2:11 AM -0800 12/23/00, [EMAIL PROTECTED] wrote:
On 22 Dec, Garance A Drosihn wrote:
People in the "FreeBSD community" are invited to read the
rambling and pointless discussions that this sparked in
the OpenBSD and NetBSD communities before repeating all
those arguments in all the
[EMAIL PROTECTED] wrote:
Thank you for your attention.
Next month I'm giving a talk about the evils of SSH.
The talk schedule is posted on:
http://www.svbug.com/events/
I've already circulated this message to the OpenBSD
'tech' mailing list and the NetBSD 'security' mailing
list. Now,
Thank you for your attention.
Next month I'm giving a talk about the evils of SSH.
The talk schedule is posted on:
http://www.svbug.com/events/
I've already circulated this message to the OpenBSD
'tech' mailing list and the NetBSD 'security' mailing
list. Now, I'd like to hear from the FreeBSD
On Friday, December 22, 2000, [EMAIL PROTECTED] wrote:
Thank you for your attention.
Next month I'm giving a talk about the evils of SSH.
If you don't know anything about it, why do you claim it's
evil?
--
+---+--+
| Chris Costello| I
In message [EMAIL PROTECTED], Chris Costello writes:
On Friday, December 22, 2000, [EMAIL PROTECTED] wrote:
Next month I'm giving a talk about the evils of SSH.
If you don't know anything about it, why do you claim it's
evil?
I think it's safe to assume that anything you don't understand is
On Friday, December 22, 2000, [EMAIL PROTECTED] wrote:
Next month I'm giving a talk about the evils of SSH.
...
p.s.: That said, I'm not going to the talk, because I'm not sure I know
who this guy is who wants to give it, so I distrust him.
http://www.svbug.com/events/ reports the name
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better
than say telnet. Or what advantages SSH has in general.
Sorry, don't have time to reply to this properly.
The main evil of ssh is that server authentication is not enforced, making
mounting a
* Dan Langille [EMAIL PROTECTED] [001222 16:33] wrote:
On 23 Dec 2000, at 13:25, David Preece wrote:
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better
than say telnet. Or what advantages SSH has in general.
Sorry, don't have time to reply to
At 3:37 PM -0800 12/22/00, [EMAIL PROTECTED] wrote:
Thank you for your attention.
Next month I'm giving a talk about the evils of SSH.
The talk schedule is posted on:
http://www.svbug.com/events/
I've already circulated this message to the OpenBSD
'tech' mailing list and the NetBSD 'security'
||_
| PLEASE DO | | |
| NOT FEED | | THANK |
| THE TROLLS | | YOU |
|| |_|
|| | || |
|| | || |
|| | || |
|| | ||
On Sat, Dec 23, 2000 at 01:25:11PM +1300, David Preece wrote:
At 15:37 22/12/00 -0800, you wrote:
The question asked is: why you believe ssh is better
than say telnet. Or what advantages SSH has in general.
Sorry, don't have time to reply to this properly.
The main evil of ssh is that