Re: OpenSSH hole, April 9

2014-04-11 Thread Bob Beck
Wonderful - so why are you on this mailing list? Go troll somewhere else.

On Fri, Apr 11, 2014 at 12:21 PM, Sascha Mester wrote:
> Exactly as I said - no real good reasons. Security through Obscurity is a
> reason for me for never trying out the related Operating System - so I have
> a reason to never install a *BSD ;)
>


Re: OpenSSH hole, April 9

2014-04-11 Thread Sascha Mester
Exactly as I said - no real good reasons. Security through Obscurity is a
reason for me for never trying out the related Operating System - so I have
a reason to never install a *BSD ;) 



Re: OpenSSH hole, April 9

2014-04-11 Thread Giancarlo Razzolini
On 11-04-2014 08:54, Sascha Mester wrote:
> There is no really good reason why security-related problems should be a
> secret - acceptable reasons for this behaviour never existed. The most
> harmful behaviour I have ever seen since I browse the web.
>
Sascha,

Imagine if this bug was found by someone who wanted nothing else
than to cause havoc. They would go and take all the private keys of all the
big sites that were vulnerable and just post them online. And, the
worst part, people wouldn't have a clue where they got the keys. Bugs
like these have a serious impact on people's lives, even if they
don't use a computer. Lots of banks were affected by this bug, I can
assure you.

If there were no responsible disclosure, giving vendors time to patch
things beforehand, then there would be no internet. Things would be too
chaotic for the average user, who then would simply not use it. Of
course I'm against people sitting on bugs and not solving them because
it's overly "complicated", or it would require "major changes". These
kinds of people inevitably end up having their faces blown up. I really
hope that this specific OpenSSL bug, which affected so many, prompts its
developers to do a thorough code audit and hopefully catch
and solve a lot more bugs in the process. From what I saw on their
development mailing list, things aren't moving in that direction, but this
could change in the near future.

At least, they should completely eliminate their own "memory
management", and let the operating system do what it was made to do.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
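The memory-management point Giancarlo makes above (and that Bob makes elsewhere in this thread when he says OpenSSH does not normally ship "exploit mitigation technique circumvention mechanisms") is easier to see in code than in prose. The following is an added example, not code from this thread, from OpenSSL or from OpenSSH: a toy, single-size-class freelist of the kind an application keeps for itself, beside a path that junks the buffer and hands it straight back to the system allocator. Both are driven through the same simulated handler, which copies out however many bytes the peer claimed rather than how many were written. The secret string, the 64-byte record size and every function name are constructed for the demo.

```c
/*
 * Added example (not code from this thread, OpenSSL or OpenSSH): an
 * application-level freelist beside a junk-and-free() path, both run
 * through the same over-reading handler. Names, sizes and the "secret"
 * are constructed for the demo.  Build: cc -O2 -Wall demo.c && ./a.out
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Constructed record. The needle sits past the first bytes so that the
 * freelist's link pointer and the next request's payload do not clobber it. */
static const char secret_record[] = "-----BEGIN PRIVATE KEY----- (constructed)";
static const char needle[] = "PRIVATE KEY";

typedef unsigned char *(*alloc_fn)(void);
typedef void (*free_fn)(unsigned char *);

/* ---- (1) application-level freelist: recycled, never cleared ---- */
struct fl_node { struct fl_node *next; };
static struct fl_node *freelist;

static unsigned char *fl_alloc(void)
{
    if (freelist != NULL) {
        struct fl_node *n = freelist;
        freelist = n->next;
        return (unsigned char *)n;      /* previous contents still in place */
    }
    return malloc(BUF_SIZE);
}

static void fl_free(unsigned char *p)
{
    struct fl_node *n = (struct fl_node *)p;
    n->next = freelist;                 /* only the link pointer at the start is written */
    freelist = n;
}

/* ---- (2) junk the buffer, then give it back to the system allocator ---- */
/* Volatile stores so the compiler cannot drop the fill as a dead store
 * ahead of free(); a plain memset() right before free() may be optimised away. */
static void junk_fill(unsigned char *p, size_t n)
{
    volatile unsigned char *vp = p;
    for (size_t i = 0; i < n; i++)
        vp[i] = 0xdf;
}

static unsigned char *sys_alloc(void) { return malloc(BUF_SIZE); }

static void sys_free(unsigned char *p)
{
    junk_fill(p, BUF_SIZE);
    free(p);
}

/* Does `nd` (nn bytes) occur anywhere in the hn bytes at `hay`? */
static int contains(const unsigned char *hay, size_t hn, const char *nd, size_t nn)
{
    for (size_t i = 0; nn <= hn && i + nn <= hn; i++)
        if (memcmp(hay + i, nd, nn) == 0)
            return 1;
    return 0;
}

/*
 * The bug class: a handler copies `BUF_SIZE` bytes out of a buffer into
 * which only 4 bytes were actually written, because nobody checked the
 * peer's claimed length. Returns 1 if the earlier record's secret shows
 * up in what the peer receives.
 */
static int over_read_leaks(alloc_fn alloc, free_fn dealloc)
{
    unsigned char *a = alloc();
    memset(a, 0, BUF_SIZE);
    memcpy(a, secret_record, sizeof secret_record);   /* key material lives here */
    dealloc(a);                                       /* ... and is "done with" */

    unsigned char *b = alloc();         /* next request; gets the same chunk back */
    memcpy(b, "ping", 4);               /* only 4 bytes really written */

    unsigned char reply[BUF_SIZE];
    memcpy(reply, b, BUF_SIZE);         /* peer claimed 64 bytes; nobody checked */
    int leaked = contains(reply, BUF_SIZE, needle, sizeof needle - 1);
    dealloc(b);
    return leaked;
}

int freelist_leaks(void) { return over_read_leaks(fl_alloc, fl_free); }
int hardened_leaks(void) { return over_read_leaks(sys_alloc, sys_free); }

int main(void)
{
    printf("app freelist  : secret leaked = %d\n", freelist_leaks());   /* 1 */
    printf("junk + free() : secret leaked = %d\n", hardened_leaks());   /* 0 */
    return 0;
}
```

The freelist path leaks because the buffer never leaves the application: nothing between the first record and the second request ever touches the bytes in the middle. In the second path the junking is done by the application here only so the example runs anywhere; the argument in the thread is that an allocator which junks on free and places guard pages, as OpenBSD's malloc can be configured to do, does this work for every caller, and an application that bypasses it with its own freelist opts out of that protection for exactly the buffers that matter.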



Re: OpenSSH hole, April 9

2014-04-11 Thread Theo de Raadt
> There is no really good reason why security-related problems should be a
> secret - acceptable reasons for this behaviour never existed.

Then you should work very very hard to go find the bugs and publish them.

> The most harmful behaviour I have ever seen since I browse the web. 

The nastiest behaviour is "sense of entitlement".

No one is entitled to know anything about something I find with my time
spent reading software, unless I choose to give that away.  Most
things, I give away.  This one, I won't.

In the same way, I am not entitled to all the money in your bank account.

You are the type of people who create these situations.



Re: OpenSSH hole, April 9

2014-04-11 Thread Craig R. Skinner
On 2014-04-11 Fri 08:58 AM, Bob Beck wrote:
> sponsors having privileged access to the information (in other words
> they aren't donors, they are paying for early access.)
> 

Benefits with strings attached are not donations, ... more like bribes.

Respect for freedom fighting and staying open!



Re: OpenSSH hole, April 9

2014-04-11 Thread Bob Beck
Yes, but the fact is that the last 10 years have changed the community.
Whereas bugs used to be shared ahead of time among a group of peers
(including Free operating system authors) who were trusted, and who
generally allowed a certain amount of time for mitigations to happen
before announcement, the fact is that now big dollars are spent by all of
the players on bug bounties and other such crap, with sponsors having
privileged access to the information (in other words they aren't donors,
they are paying for early access).

So just as a hypothetical example, 10 years ago, if certain organizations
knew about an endemic problem, that would have been shared ahead of time
with the security community (we all know who we are) and everyone would
work to get their mitigations in place in a controlled manner before
disclosure so patches were available immediately - and that used to
happen pretty darn fast. That doesn't happen any more now that most of
this is monetized - they're too busy being told to sit on it by their
"sponsors", so full disclosure actually seems to happen a lot later.

So, the short answer is, if you know about a problem and want to
monetize it - this is great news for you - there are many places with
organizations behind them with deep pockets that will buy your bug.
The organizations with the money behind them get early access. Finding
bugs in that environment is not about making software better anymore.
You probably don't *want* better software - you want more bugs. More bugs
equals more money. You probably *want* to keep things like the exploit
mitigation countermeasures in OpenSSL in the software - you certainly
don't want the code base to be easily auditable, and you certainly don't
want the tools that find the bugs automatically and just get them fixed
to find them.

Who loses? well, the rest of us.

So, if you know of a bug in such an organization (that itself sits on
bugs), what would you do? Tell the world for free? Monetize it? or Sit
on it?

I don't have an answer for you. All I can do is tell you the state of
the world :)  In the immortal words of a recently deceased friend of
mine, Life is Hard, Wear a Helmet.

-Bob





On Fri, Apr 11, 2014 at 5:54 AM, Sascha Mester wrote:
> There is no really good reason why security-related problems should be a
> secret - acceptable reasons for this behaviour never existed. The most
> harmful behaviour I have ever seen since I browse the web.
>



Re: OpenSSH hole, April 9

2014-04-11 Thread Sascha Mester
There is no really good reason why security-related problems should be a
secret - acceptable reasons for this behaviour never existed. The most
harmful behaviour I have ever seen since I browse the web.



Re: OpenSSH hole, April 9

2014-04-10 Thread Bob Beck
On 9 Apr 2014 15:46, "Bob Beck" wrote:
>
> On Wed, Apr 09, 2014 at 02:49:21PM -0600, Devin Reade wrote:
> > Quoting Theo de Raadt:
> >
> > >If tomorrow Damien or I had to announce a major OpenSSH hole, how
> > >screwed would the Internet be?
> >
> > Would you mind clarifying this a bit?  Was the post strictly a
> > (justified) comment about the lack of funding, or should we be
> > anticipating another announcement in addition to the existing OpenSSL
> > mess?
>
> The former. While nothing's ever for sure, OpenSSH does not normally
> attempt to include exploit mitigation technique circumvention mechanisms.
>
> -Bob

And just so we're clear on this. Since people on Hacker News seem to be
mildly challenged at understanding English, I'm saying Heartbleed has
nothing to do with OpenSSH. It doesn't even link the library.  I also know
that Devin is smart enough to be running OpenBSD where it matters since I
know him personally.  I am making no claims about any other
operating systems that value speed and complexity over safety.  Heck, there
probably are holes in what they bring to the table.


Re: OpenSSH hole, April 9

2014-04-09 Thread Theo de Raadt
>Thanks for the clarification.
>
>I would also like to thank whomever for the extra descriptive text on
>the openssl patch issued the other day.  Having the clarification on
>the (non)impact on OpenSSH right in the patch was good ...

You are welcome.  Stuart Henderson wrote the draft, but he forgot that
part, and Damien Miller and I realized it was needed.  We sensed there
might be some ambiguity...  we'll take care of it the next time there is
an OpenOffice problem also.

... as long as you aren't using FreeBSD or a derivative (hint: Juniper),
you are fine.  That's the only place I know of an OpenSSH hole.

Oh now I sense some angst.  Please ask Kirk McKusick, he knows the
story about why this is not being disclosed to FreeBSD.  Sometimes I
feel a bit sorry for them (and for him), but then the next minute I
don't feel sorry because there's damn good reasons they won't be
told about what I found.

Does that answer help?  Hope so.



Re: OpenSSH hole, April 9

2014-04-09 Thread STeve Andre'

On 04/09/14 16:49, Devin Reade wrote:
> Quoting Theo de Raadt:
>
> > If tomorrow Damien or I had to announce a major OpenSSH hole, how
> > screwed would the Internet be?
>
> Would you mind clarifying this a bit?  Was the post strictly a
> (justified) comment about the lack of funding, or should we be
> anticipating another announcement in addition to the existing OpenSSL
> mess?
>
> Devin

That was a rhetorical question.



Re: OpenSSH hole, April 9

2014-04-09 Thread Devin Reade

Thanks for the clarification.

I would also like to thank whomever for the extra descriptive text on
the openssl patch issued the other day.  Having the clarification on
the (non)impact on OpenSSH right in the patch was good ...

Devin




Re: OpenSSH hole, April 9

2014-04-09 Thread Bob Beck
On Wed, Apr 09, 2014 at 02:49:21PM -0600, Devin Reade wrote:
> Quoting Theo de Raadt:
> 
> >If tomorrow Damien or I had to announce a major OpenSSH hole, how
> >screwed would the Internet be?
> 
> Would you mind clarifying this a bit?  Was the post strictly a
> (justified) comment about the lack of funding, or should we be
> anticipating another announcement in addition to the existing OpenSSL
> mess?

The former. While nothing's ever for sure, OpenSSH does not normally
attempt to include exploit mitigation technique circumvention mechanisms.

-Bob



Re: OpenSSH hole, April 9

2014-04-09 Thread Devin Reade

Quoting Theo de Raadt:

> If tomorrow Damien or I had to announce a major OpenSSH hole, how
> screwed would the Internet be?

Would you mind clarifying this a bit?  Was the post strictly a
(justified) comment about the lack of funding, or should we be
anticipating another announcement in addition to the existing OpenSSL
mess?

Devin



OpenSSH hole, April 9

2014-04-08 Thread Theo de Raadt
If tomorrow Damien or I had to announce a major OpenSSH hole, how
screwed would the Internet be?

What do you think.. are people using telnet or RDP to get to the
machines they need to repair?

No, people are relying on OpenSSH, which no one pays for.

Please read the bottom paragraph:

http://openssh.org

And please think about this:

http://www.openbsdfoundation.org/campaign2014.html

Please pass this on so that the greater community sees the picture.

If the OpenBSD Foundation was flush, maybe we could ask them to fund
an audit or replacement effort ...