Re: OpenSSH hole, April 9
There is no really good reason why security-related problems should be a secret - acceptable reasons for this behaviour never existed. The most harmful behaviour I have ever seen since I have been browsing the web.
Re: OpenSSH hole, April 9
On 2014-04-11 Fri 08:58 AM, Bob Beck wrote:
> sponsors having privileged access to the information (in other words they aren't donors, they are paying for early access.)

Benefits with strings attached are not donations, ... more like bribes. Respect for freedom fighting and staying open!
Re: OpenSSH hole, April 9
> There is no really good reason why security-related problems should be a secret - acceptable reasons for this behaviour never existed.

Then you should work very very hard to go find the bugs and publish them.

> The most harmful behaviour I have ever seen since I have been browsing the web.

The nastiest behaviour is a sense of entitlement. No one is entitled to know anything about something I find with my time spent reading software, unless I choose to give that away. Most things, I give away. This one, I won't. In the same way, I am not entitled to all the money in your bank account. You are the type of people who create these situations.
Re: OpenSSH hole, April 9
Exactly as I said - no real good reasons. Security through Obscurity is a reason for me for never trying out the related Operating System - so I have a reason to never install a *BSD ;)
Re: OpenSSH hole, April 9
Wonderful - so why are you on this mailing list. Go troll somewhere else.

On Fri, Apr 11, 2014 at 12:21 PM, Sascha Mester sascha.mes...@gmx.de wrote:
> Exactly as I said - no real good reasons. Security through Obscurity is a reason for me for never trying out the related Operating System - so I have a reason to never install a *BSD ;)
Re: OpenSSH hole, April 9
On 9 Apr 2014 15:46, Bob Beck b...@obtuse.com wrote:
> On Wed, Apr 09, 2014 at 02:49:21PM -0600, Devin Reade wrote:
>> Quoting Theo de Raadt dera...@cvs.openbsd.org:
>>> If tomorrow Damien or I had to announce a major OpenSSH hole, how screwed would the Internet be?
>> Would you mind clarifying this a bit? Was the post strictly a (justified) comment about the lack of funding, or should we be anticipating another announcement in addition to the existing OpenSSL mess?
> The former. While nothing's ever for sure, OpenSSH does not normally attempt to include exploit mitigation technique circumvention mechanisms.
> -Bob

And just so we're clear on this. Since people on Hacker News seem to be mildly challenged at understanding English, I'm saying Heartbleed has nothing to do with OpenSSH. It doesn't even link the library. I also know that Devin is smart enough to be running OpenBSD where it matters since I know him personally. I am making no claims about any other operating systems that value speed and complexity over safety. Heck, there probably are holes in what they bring to the table.
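A way to confirm Bob's point on your own hosts, as an added example that is not from the thread: the first function checks ldd-style output for a libssl dependency (sshd uses libcrypto for its ciphers but does not link libssl, the library Heartbleed lived in), and the remaining functions classify an `openssl version` banner against the affected releases (1.0.1 through 1.0.1f; 1.0.1g carried the fix). The binary path and banner formats are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Defender-side checks for the
# Heartbleed scope question raised above.

# links_libssl: read ldd-style output on stdin; return 0 if any line
# names libssl, 1 otherwise. Matches both the Linux "libssl.so.X =>"
# form and the OpenBSD table form that prints "/usr/lib/libssl.so.X".
links_libssl() {
    grep -Eq '(^|[[:space:]/])libssl\.so'
}

# report_binary PATH: run ldd on PATH and print whether it is in scope
# for a libssl (TLS-layer) bug. Assumes a host with ldd available.
report_binary() {
    bin="$1"
    if ! out=$(ldd "$bin" 2>/dev/null); then
        echo "$bin: not a dynamic executable or ldd unavailable"
        return 2
    fi
    if printf '%s\n' "$out" | links_libssl; then
        echo "$bin: links libssl (in scope for TLS library bugs)"
        return 0
    fi
    echo "$bin: does not link libssl (out of scope for Heartbleed)"
    return 1
}

# openssl_version BANNER: extract the release from `openssl version`
# output such as "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
openssl_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# vulnerable_version VER: return 0 if VER is an OpenSSL release in the
# Heartbleed range 1.0.1 .. 1.0.1f (1.0.2-beta1 was also affected but
# is left out here), 1 otherwise.
vulnerable_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Example usage on a live host (path assumed):
# report_binary /usr/sbin/sshd
# vulnerable_version "$(openssl_version "$(openssl version)")" && echo "patch openssl"
```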
Re: OpenSSH hole, April 9
Quoting Theo de Raadt dera...@cvs.openbsd.org:
> If tomorrow Damien or I had to announce a major OpenSSH hole, how screwed would the Internet be?

Would you mind clarifying this a bit? Was the post strictly a (justified) comment about the lack of funding, or should we be anticipating another announcement in addition to the existing OpenSSL mess?

Devin
Re: OpenSSH hole, April 9
On Wed, Apr 09, 2014 at 02:49:21PM -0600, Devin Reade wrote:
> Quoting Theo de Raadt dera...@cvs.openbsd.org:
>> If tomorrow Damien or I had to announce a major OpenSSH hole, how screwed would the Internet be?
> Would you mind clarifying this a bit? Was the post strictly a (justified) comment about the lack of funding, or should we be anticipating another announcement in addition to the existing OpenSSL mess?

The former. While nothing's ever for sure, OpenSSH does not normally attempt to include exploit mitigation technique circumvention mechanisms.

-Bob
Re: OpenSSH hole, April 9
Thanks for the clarification. I would also like to thank whomever for the extra descriptive text on the openssl patch issued the other day. Having the clarification on the (non)impact on OpenSSH right in the patch was good ... Devin
Re: OpenSSH hole, April 9
On 04/09/14 16:49, Devin Reade wrote:
> Quoting Theo de Raadt dera...@cvs.openbsd.org:
>> If tomorrow Damien or I had to announce a major OpenSSH hole, how screwed would the Internet be?
> Would you mind clarifying this a bit? Was the post strictly a (justified) comment about the lack of funding, or should we be anticipating another announcement in addition to the existing OpenSSL mess?
> Devin

That was a rhetorical question.
Re: OpenSSH hole, April 9
> Thanks for the clarification. I would also like to thank whomever for the extra descriptive text on the openssl patch issued the other day. Having the clarification on the (non)impact on OpenSSH right in the patch was good ...

You are welcome. Stuart Henderson wrote the draft, but he forgot that part, and Damien Miller and I realized it was needed. We sensed there might be some ambiguity... we'll take care the next time an OpenOffice problem also.

> ... as long as you aren't using FreeBSD or a derivative (hint: Juniper), you are fine. That's the only place I know of an OpenSSH hole.

Oh now I sense some angst. Please ask Kirk McKusick, he knows the story about why this is not being disclosed to FreeBSD. Sometimes I feel a bit sorry for them (and for him), but then the next minute I don't feel sorry because there's damn good reasons they won't be told about what I found. Does that answer help? Hope so.
OpenSSH hole, April 9
If tomorrow Damien or I had to announce a major OpenSSH hole, how screwed would the Internet be? What do you think.. are people using telnet or RDP to get to the machines they need to repair? No, people are relying on OpenSSH, which no one pays for.

Please read the bottom paragraph: http://openssh.org

And please think about this: http://www.openbsdfoundation.org/campaign2014.html

Please pass this on so that the greater community sees the picture. If the OpenBSD Foundation was flush, maybe we could ask them to fund an audit or replacement effort ...