Re: [LUAU] so much for OpenBSD

Mon, 06 Aug 2007 14:09:14 -0700

So, let me get this straight. What are we talking about here? ONE security 'hole' or exploit every FIVE YEARS? As opposed to ONE "hole" punched in Windows OS every FIVE MINUTES? (Or less?)
No brainer if you ask me. I think they're making way too much of such a little thing comparatively speaking. (actually there is no comparison) :) 

Whatdayathink Jim? :)

Bully



Jim Thompson wrote:


On Aug 6, 2007, at 1:09 PM, 808blogger wrote:


well.... Keep in mind no other OS has even a close record  to what the
openbsd team has done.


Please.


And dont forget that the ssh you use everyday is

written by the openbsd team, thats right. Theo and co. have done a 
HUGE job

improving security the unix world at large.



So what?  There were RSA-keyed, encrypted telnets in-existence before 
ssh got written.
(Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later of 
'C2' fame.)



and on the topic of this particular exploit, you would actaully have 
to be
on the same physical LAN segment to use this exploit. this is a not 
an "over

the internet" hack that can occur

to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html


"However, in order to exploit a vulnerable system an attacker needs 
to be
able to inject fragmented IPv6 packets on the target system's local 
network.
This requires direct physical/logical access to the target's local 
network

-in which case the attacking system does not need to have a working IPv6

stack- or the ability to route or tunnel IPv6 packets to the target 
from a

remote network."



"logical"... if your router manages to create a tunnel for you, you're 
hosed.


Its **SPIN**, get it?


99% of users will not even have a a problem with this and
you dont even have to patch the system if you dont want to  simply put
'block in quick inet6' in your pf.conf



Right, but the claim is "default installation", and they didn't want 
to lose that.


(and let us not forget that the other bug was in (drumroll) ssh)


dont dump on the openbsd guys..... their product rocks.


their process for security bugs appears to be quite badly borked.

and FreeBSD rocks much, much harder.

Jim
_______________________________________________
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau


















































































































































































_______________________________________________
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau






















					Reply via email to