Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory)

From: Bosko Milekic (bmilekic@unixdaemons.com)
Date: 06/26/02


Date: Wed, 26 Jun 2002 13:24:16 -0400
From: Bosko Milekic <bmilekic@unixdaemons.com>
To: Brett Glass <brett@lariat.org>


On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote:
> Mike:
>
> It is clear that Theo was attempting to have people apply the workaround
> which had the least chance of revealing the nature of the bug in advance,
> lest it be discovered by others and exploited.
>
> It's truly sad that ISS, which knew about Theo's advisory, released this
> information today, instead of next week as Theo asked them to. If Theo's
> roadmap for disclosure had been followed, more administrators could have
> been informed about the bug, and they would have had time to take
> preventive measures through the weekend before the skript kiddies began
> their race to exploit the bug. Now, the race has begun. In fact, the
> problem has been exacerbated because administrators who *could* have
> secured their systems thought they'd have time to do so over the weekend.
>
> Theo made a worthy attempt to minimize harm (which should be the goal of
> any security policy). It's a shame that ISS sought the spotlight instead
> of doing the same.
>
> --Brett Glass

  I think that what you're saying is reasonable, however, I know (now
 almost for a fact) that there was an exploit going around already. So,
 it's better than the information has been released sooner, than later.
 And, since it appears that the OpenSSH that ships with our -STABLE is
 not affected, all the easier this is for those of us who were in the
 middle of implementing "drastic measures" (for fear of the worst), as
 it allows us to step back, relax, and enjoy the fireworks.

 -Bosko

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Relevant Pages