> >It's completely absurd that the OpenSSH people recommended blind upgrades
> >to a PrivSep version of OpenSSH, rather than just suggesting to people that
> >they disable ChallengeResponseAuthentication.  I guess they're not so "Open"
> >after all.
> 
> 	my guess - ChalRespAuth workaround was not mentioned in the first
> 	"no fix yet" advisory, as disclosing it will disclose how to attack
> 	the daemon.

It would have focused the eyes of the entire exploit community on
approximately 400 lines out of 27000 lines.

As of the time of the announcement, we knew this thing was contained.

As of the time of the bug release, I still believe this thing was
contained within a certain group of people, who I talked to.

This thing is not easy to find.

Now it is out.  Now public exploits are assuredly written.

I know how the information in the community moves, but in this case we
were sure it had not started to move in a wild-fire way yet.  The
people who matter most are who I care about anyways.