Upcoming OpenSSH vulnerability [LWN.net]

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 10:00 UTC (Tue) by BogusUser ((unknown), #2238)
In reply to: Upcoming OpenSSH vulnerability by garloff
Parent article: Upcoming OpenSSH vulnerability

If the details to this vulnerability would have been released (even with patches) just about every Linux box on the planet would have been cracked before the owners would've had time to install the patch. Publishing a fix to this problem will only tell the cracker exactly where the problem is.

So they first work around the bug, without actually fixing the bug and telling what is it and where it is, so crackers can't make an exploit before people are immune (and I repeat, a direct fix would exactly tell the cracker what the bug is.)

A bug like this is what every cracker is dreaming of, a way into just about every unix machine on the planet!

(Log in to post comments)

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 10:38 UTC (Tue) by BogusUser ((unknown), #2239) [Link]

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=255989+0+current/freebsd-security

I don't know with what agenda the advisory was released,
but one can't call it an innocent one.

I can't refute the statement that a workaround which defuses the
so called hole into nothing more then an unprivilidge accoutn getting
compromised. Is a good in between step.

But a real fix ready monday next week ? that's not an option. today
or tomorrow is.

Furthermore I find the statements made by theo in his release very
dubious.

"Customers can judge their vendors by how they respond to this issue."

Is one of them.

And again there seems to me to be too much old grief and sorrow in
the initial announcements and all reactions.

Sure people can differ in opinion, but when it comes to these kinds
of threats we "the world of free source",both users and developers, need
to stick together.

And "the world of free source" has thrived by sharing ideas and problems.

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 12:37 UTC (Tue) by BogusUser ((unknown), #2242) [Link]

That's the biggest crock I've ever heard.

"the world of free source" thrives on opinionated stupidity. Nobody
ever really fixes anything well, because the opinionated dickhead who
ends up dong the fix always decides it's "somebody elses problem", and
wastes shitloads more time arguing about why they should not have to
be the person to solve something or other than it would have taken to
just do as they're asked in the first place.

Add to that - when you look at their (usually comment-free) code, it's
always amazing that any fix works at all.

Upcoming OpenSSH vulnerability

Posted Jun 27, 2002 10:58 UTC (Thu) by BogusUser ((unknown), #2239) [Link]

Heh,

Ok can't refute your statement.

I think I should have made my point by stating that
the motive I describe is one to go by.
Or I could throw in responsibility...

But it seems my motives are too naive for a burdend free source
user/developer.

And indeed opinionated stupidity is the basis on which theo released
the "preliminary" advisory and the following I might add.

Upcoming OpenSSH vulnerability

Posted Jun 25, 2002 12:44 UTC (Tue) by BogusUser ((unknown), #2242) [Link]

As for the statement:-

"Customers can judge their vendors by how they respond to this issue."

This is *absolutely* 100% spot-on. Suggesting otherwise has the
identical effect as tattooing "I am the lazy and opinionated stupid
idiot who prefers to argue why it's not my job to fix a problem rather
than just fix a problem" on your forehead.

Grow up kiddies. Shut up and fix it instead of wasting everyones time
and proving you care more for the survival of your own (dumb) opinions
than for the safety of everyone else.