Friday, September 19, 2003
Why the net rocks, and at the same time is damn scary....
So its been a bad week to be in the opensource world. I don't think I can remeber doing so many patches in a single week. But its always good to end a week on an up beat. The following post to bugtraq made my week seem worth it.:
How fricking cool is that? You can't get away with anything in the opensource world. Your coding talent is on full public display and the masses are just waiting to tear your boastful statements to shreads. If only our political system worked the same way. Imagine Mr. Bush declaring that Iran was an immediate threat and by the following day there were 15 reponses that discredited the statement... :)
While on the topic of the openssh hole... It truely amazed me how many dangerously clueless people post "in the know" statements on message boards. While reading the comments on slashdot story I was agast at the amount of completely wrong information that was being spread. In case you are wondering:
1) Having PermitRootLogin No does not mean you aren't vulnerable. The alignment problem is before authentication happens.
2) Privilege seperation also doesn't protect you in this case because the problem is before the seperation occurs.
3) Tcp wrappers also aren't going to help you because they get checked after the protocal init...
Sigh. I hope that people are actually bothering to upgrade even tho they incorrectly think they are safe. You would think after all this time someone would have come up with an automated wait to test for this class of bug...
"After reading about a theoretical remote hole in OpenSSH and many detractors
smugly saying that they weren't vulnerable because they run LSH (a free
alternative), I'd like to present a working remote root exploit against LSH
version 1.4.x...."
How fricking cool is that? You can't get away with anything in the opensource world. Your coding talent is on full public display and the masses are just waiting to tear your boastful statements to shreads. If only our political system worked the same way. Imagine Mr. Bush declaring that Iran was an immediate threat and by the following day there were 15 reponses that discredited the statement... :)
While on the topic of the openssh hole... It truely amazed me how many dangerously clueless people post "in the know" statements on message boards. While reading the comments on slashdot story I was agast at the amount of completely wrong information that was being spread. In case you are wondering:
1) Having PermitRootLogin No does not mean you aren't vulnerable. The alignment problem is before authentication happens.
2) Privilege seperation also doesn't protect you in this case because the problem is before the seperation occurs.
3) Tcp wrappers also aren't going to help you because they get checked after the protocal init...
Sigh. I hope that people are actually bothering to upgrade even tho they incorrectly think they are safe. You would think after all this time someone would have come up with an automated wait to test for this class of bug...
