Jonathan Byrne wrote:
> Just one last whack at the dead horse :-)
> I think a contributing factor in any swell of anti-Theo/anti-OpenBSD
> sentiment that arose was the fact that this wasn't just any vulnerability -
> it was a vulnerability in a tool that so many of us depend on for secure
> remote access to our systems.  That scares people, and it should.  That
> also produces stress, which tends to produce impassioned rhetoric.

My situation exactly. Once I calmed down a bit, I realised exactly what 
you are about to say:

> But if we step back for a wider view of the situation, we can see that
> while neither SSH nor OpenSSH have perfect security histories (what does?)
> they both have very good ones.  Moreover, the vulnerability was handled
> very well.  A lid was kept on it while work progressed on both a work
> around (3.3) and a full fix (3.4).
> I have no knowledge of any machine that was rooted via this exploit; does
> anybody else know of any confirmed compromises via that hole?

You are very correct, and this is what kept me from simply dropping 
OpenSSH on the spot. Once I thought about it, I realised:

- The vuln is gone now
- No harm was done to my systems
- The fix was handled extremely well
- I had acted in a very alarmist fashion, in public :(

> All in all, while a remote root vulnerability is a serious thing and causes
> us all to put in some long hours, it wasn't a huge crisis.  Just compare it
> to how we (and NT admins) usually find out about the latest IIS 'sploit or VB
> worm: when it starts spreading like wildfire.  Even now, Code Red and Ida
> scans are commonplace, and I see so many emails that want to get my advice.
> And don't even ask how many Klez bounces clog the postmaster mailbox.
> Nobody can count that high :-p

We *do* get to gloat about this, right? Please? ;)

> At the end of the day, I'm left counting my blessings that our platform has
> as few security vulnerabilities as it does.  Microsoft products seem to
> have more trouble in a month or two than we have in a year.  Don't worry,
> be happy :-)

You're damned right.

Josh Glover <>

Associate Systems Administrator