Subject: re: rfc2228 in ftpd
To: None <firstname.lastname@example.org>
From: matthew green <email@example.com>
Date: 07/01/2002 10:28:31
> >it around like magic dust. Also, given that they sounded a major panic
> >unnecessarily, I don't trust them. They made it seem like I had to
> >update all 20+ systems on the spot, when there was no need to update
> >any of them, except to make a config change on a handful. They just
> >happen to be the best choice available at the moment. However, I would
> >really really like an alternative.
> there were reasons why they couldn't announce the config file workaround
> when the 3.3 release was made.
> - saying "disabling challenge authentication will make you safe"
>   will make the location of the bug apparent, letting script kiddies
>   create attack code in less than a day
>   (and in fact, did you see the posting on bugtraq? attack
>   code appeared in less than a day)
> - ditto for "disabling protocol version 2"
> i suggested to markus that he include the reasoning behind the way the
> 3.3 -> 3.4 upgrade path was announced. i think it will help a lot of
> people to understand why it had to be handled this way.
i will never understand why it had to be handled that way. it was
*SO EASY* for me to go to all my machines and turn off skey. it
had started to prove to be a REAL PAIN IN THE ASS to update them
to a newer version (that STILL included the problem) that i'm not
sure i'd done more than 1 machine before the ISS advisory came out
and the sane workaround became known.
protect the users? this sounds so much like "protect the children"
to me it makes me sick.