
Re: new OpenSSL flaws

From:  Theo de Raadt <>
To:  Kurt Seifried <>
Subject:  Re: new OpenSSL flaws
Date:  Thu, 05 Jun 2014 22:33:58 -0600
Message-ID:  <>
Cc:  "Martin, Matthew" <>, "" <>, "" <>, "" <>, Solar Designer <>
Archive-link:  Article

> I suggest you talk to Mark Cox who actually handled this stuff. I'm not
> sure why you are asking two people (myself and Solar) who are NOT part of
> the OpenSSL team about whom the OpenSSL team notified.

Kurt, if Mark Cox is the person who handled this stuff, fine.  Who
cares?  I am hearing claims all over the place regarding a list RUN BY

FACT: Kurt Seifried and Solar Designer are the two primary operators of
the openwall security list, the declared access point for security issues
affecting Linux operating systems.

There are claims being lodged that disclosure of these OpenSSL
problems happened on that list.  There are claims that we did not get
this disclosure because OpenBSD is not on that list.  Particularly
me, Bob, and Todd Miller.

Kurd, is that true?  Is that how you see it?

Were disclosures handled there, or via another platform or method? 

ANSWER THE QUESTION.   If you won't answer this question, no one should
ever trust you again for anything.

> I'm done playing games with you Theo. You were invited to join distros
> publicly and flamed me. I privately emailed Bob Beck inviting him to join,
> and he flamed me (but then apologized), You both said no. I can't do
> anything more. I wish you the best of luck in your future endeavors.

I am not playing any games.  Let's look at the facts.

Kurd Seifried is an official Red Hat security officer (of sorts, but
probably not tomorrow)

Kurt, is Mark Cox your supervisor?

A claim is being made that disclosure to OpenBSD needs to be on a
Russian email list run by you (Kurt Seifried) and Solar Designer (not
going to include his real name) for access to early disclosure of important
security information.


Or else, if you are a wimp, have your Mark Cox answer the fucking

Red Hat and OpenSSL -- answer the fucking question.  Why was the OpenBSD
user community excluded from this information?

Why are there public accusations -- from Red Hat officers -- that
OpenBSD developers only get advance access to information if they join
a Russian located email list?

ps. Who is Mark Cox? I've never heard of him.


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds