
List:       qmail
Subject:    Re: [OT] Re: DJB - write a new ssh!
From:       Adam McKenna <adam-dated-1025626692.a31ad2 () flounder ! net>
Date:       2002-06-27 16:18:12

On Thu, Jun 27, 2002 at 07:26:03AM -0500, Bruno Wolff III wrote:
> > no. I previously explained why.
> 
> I disagree with your reasoning. Your estimate of the time involved to deploy
> an exploit based on the release of the fix was low. Since the option was off
> by default, it is likely that only a small fraction of the sites deploying
> openssh were vulnerable. Those that weren't wouldn't have needed
> to do anything immediately. Those that were, could have secured their systems
> very quickly. The upgrade to 3.3p1 solution was time consuming, didn't work
> on many systems and was mostly unneeded.

Yes, I agree 100% with this.  Even if the exploit could have been written in
5 minutes, the sshd_config change could have been done in 10 seconds.  The
people who weren't paying attention would still have had vulnerable SSH
versions installed (and they probably still do now), but the people who 
*were* paying attention could have secured their systems almost 
effortlessly.

Anyway, what's said is said and what's done is done.  I'm more interested in
making sure this sort of thing doesn't happen again.  It seems like a lot of 
people who should have remained calm and followed procedures lost their 
heads on this one.

--Adam