Just one last whack at the dead horse :-)

I think a contributing factor in any swell of anti-Theo/anti-OpenBSD
sentiment that arose was the fact that this wasn't just any vulnerability -
it was a vulnerability in a tool that so many of us depend on for secure
remote access to our systems.  That scares people, and it should.  That
also produces stress, which tends to produce impassioned rhetoric.

But if we step back for a wider view of the situation, we can see that
while neither SSH nor OpenSSH have perfect security histories (what does?)
they both have very good ones.  Moreover, the vulnerability was handled
very well.  A lid was kept on it while work progressed on both a
workaround (3.3) and a full fix (3.4).
I have no knowledge of any machine that was rooted via this exploit; does
anybody else know of any confirmed compromises via that hole?

All in all, while a remote root vulnerability is a serious thing and causes
us all to put in some long hours, it wasn't a huge crisis.  Just compare it
to how we (and NT admins) usually find out about the latest IIS 'sploit or VB
worm: when it starts spreading like wildfire.  Even now, Code Red and Ida
scans are commonplace, and I see so many emails that want to get my advice.
And don't even ask how many Klez bounces clog the postmaster mailbox.
Nobody can count that high :-p

Now that the nature of the vulnerability is known, some people will
probably get rooted via that route as the price of not upgrading, but the
worst that can happen is that box then becomes a zombie.  It can't directly
take down anybody else's system after getting owned itself.  Compared to
the way vulnerabilities often go down in the Windows world, this has been a
quiet day at the office :-)

At the end of the day, I'm left counting my blessings that our platform has
as few security vulnerabilities as it does.  Microsoft products seem to
have more trouble in a month or two than we have in a year.  Don't worry,
be happy :-)