TLUG Mailing List

Mailing List Archive

tlug.jp Mailing List tlug archive tlug Mailing List Archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [tlug] remote

Date: Thu, 27 Jun 2002 09:04:27 -0400

From: Josh Glover <jmglov@example.com>

Subject: Re: [tlug] remote

References: <000901c21e99$21c93820$1500a8c0@example.com> <20020627083116.GT10058@example.com> <3D1AD7FE.8BD2E52E@example.com> <20020627092431.GX10058@example.com> <3D1ADF5E.84A20DD2@example.com> <20020627102040.GY10058@example.com>

Organization: INCOGEN, Inc.

User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020606
Matt Doughty wrote:
> On Thu, Jun 27, 2002 at 06:48:14PM +0900, B0Ti wrote:
> 
>>Well, the latest openssh (3.4) is said to be safe, but you never now what's next.
>>Yesterday we had a Theo Bug, tomorrow we might have a Tatu Bug. Open had only one
>>remote hole in six years, afaik Tatu's had more.
> 
> 
> Open what? OpenSSH hasn't been around 6 years more like 2-3.

Yeah, I think he meant OpenBSOD.

> As for that ridiculous claim about the default install. Dude they basically turn
> off all services in the default install [...]

I will not argue that Open has its shortcomings, but I *like* the way a 
default install is carried out. When *I* do a Redhat install, for 
instance, the first thing I do (before even plugging eth0 in, thank you) 
is hunting down and disabling or uninstalling all the crap that runs by 
default. I would rather, a la OpenBSD or Gentoo (there are others, these 
are just the two I am most familiar with), add just what I need and not 
have to worry that I missed something.

> and then say "no remote exploit in blablabla".  Their record isn't
> any better than just about anybody elses.

This is debatable. The OpenBSD team in general and Theo in particular 
*have* done a lot for the Open Source community. Their code audits have 
turned up quite a few things that people have been able to fix proactively.

The catch is, of course, that Theo has brought quite a bit of 'tude 
along with him. And we are not talking about the reasonable, 
constructive type of attitude.[1] We are talking about plain nastiness 
and general antisocial behaviour. Read the archive of the mails that 
flew back and forth between Theo and NetBSD core right after Theo got 
the boot from core and got his CVS access revoked.[2] I did, and even 
presented from Theo's point of view, he comes away looking bad.

> No you have to go through the trouble of downloading a tarball, and compiling it.
> Life is difficult.  As is I have had to upgrade my boxes once in the last year, and
> the bug wasn't even exploitable on my boxen I just did it because it only took 
> like 15 minutes.

Which SSH do you use? I am trying to get away from OpenSSH on my stuff. 
Just too scary recently!


[1] http://turnbull.sk.tsukuba.ac.jp/Tools/Attitude/ (but check this 
out, as well, courtesy of Google: http://www.fineart.com/turnbulls.htm)
[2] http://theos.com/deraadt/coremail


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.
Follow-Ups:

Re: [tlug] remote
From: Matt Doughty

References:

[tlug] remote
From: hatsuhiro

Re: [tlug] remote
From: Matt Doughty

Re: [tlug] remote
From: B0Ti

Re: [tlug] remote
From: Matt Doughty

Re: [tlug] remote
From: B0Ti

Re: [tlug] remote
From: Matt Doughty

Prev by Date: Re: [tlug] remote

Next by Date: Re: [tlug] HELP cannot connect to the sound daemon

Previous by thread: Plan 9 security model [Was: Re: [tlug] remote]

Next by thread: Re: [tlug] remote

Index(es):

Date

Thread

Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links