I still don't understand this SSH release fiasco
[Posted July 10, 2002 by corbet]
| From: |
| <felix@crowfix.com> |
| To: |
| letters@lwn.net |
| Subject: |
| I still don't understand this SSH release fiasco |
| Date: |
| Thu, 4 Jul 2002 08:56:53 -0700 |
The rationale for not releasing details (like disable a specific
configuration item) is that this would have alerted the black hats to
500 lines of code in question. Thus it was better to update to the
new version which had separation of powers and at least minimized the
exploit dangers.
Then later, a patched version of the new version was released, and all
distros had very little time in which to cut new packages, sysadmins
had very little time to upgrade systems, and so on, before the black
hats analyzed the patch to see what the bug was in order to design
their exploits in order to release them to script kiddies and so on.
But the release of a specific patch narrows the bug search down much
closer than 500 lines; in fact, it narrows it down to the exact buggy
lines, directly, immediately. no analysis required.
Please also explain how upgrading SSH, new version, new functionality,
maybe new configuration, is a better solution than "Edit this line to
fix the problem".
It still smells fishy. Someone got their knickers in a knot and is
too proud to admit it.
--
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o
(
Log in to post comments)
