On Fri, Sep 12, 2008 at 05:42:08PM -0700, johan beisser wrote: > It's just a improbable attack. One that's easily defended against by > maintaining the interactive shell/echoback and simply push additional
Was it you who said earlier that you weren't a cryptanalyst? Well, neither am I, but I have come away with one lesson from them: be on the attack. You are on the defense, and always putting forward reasons why this isn't a quick total penetration. Instead, try thinking of what information you can get by snooping, and what you might do with it. It's a whole different mindset. You can see this in Damien Miller's messages. Rather than pooh-pooh this like you, he's considering the problems and trying to think of ways to break openssh. This attitude of Damien (and other obsd devs) is why openssh is so strong. If they thought only of defense then openssh would have a track record similar to so many other programs. Back when I did financial software we played a game of thinking of ways to steal money. We found several ways and plugged those holes, and related holes. Most of the holes were never tried but some of them were (and people went to prison). If we had not played our game we *never* would have found some of the holes. You should try this game. Not only can it be rewarding for your own security, it can be fun as well. -- Darrin Chandler | Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation [demime 1.01d removed an attachment of type application/pgp-signature]
