Subject: Re: OpenSSH Priv Sep and Remote Exploit?
To: Theo de Raadt <deraadt@cvs.openbsd.org>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: tech-pkg
Date: 06/27/2002 09:49:52
On Thu, Jun 27, 2002 at 01:47:46AM -0600, Theo de Raadt wrote:

> It would have focused the eyes of the entire exploit community on
> approximately 400 lines out of 27000 lines.

Nonetheless, informing the security contact of each vendor through
the appropriate means that "this bug exists, keep it under wraps"
would have let those vendors plan accordingly.  Instead, panic ensued
as people scrambled to find ways to update their systems.  That was
totally unnecessary, as all they needed to do was change a line in
their config files.

Instead, people who, for one reason or another, were not able to update
their systems were sitting ducks for anyone who might have had an exploit
for the problem (in the event of an information leak).  Again, totally
unnecessary, as all they needed to do was change a line in their config
file.

Consider people who ship embedded products that contain OpenSSH (*BSD
based, Linux based, QNX based, whatever) ... these people certainly
can't easily upgrade their systems.  However, they do generally have
contacts w/ CERT, and thus could have been informed in an appropriate
way about this problem and taken appropriate action.

Instead, there was an ad-hoc (and somewhat selective, from the looks
of it) means of disclosing information about the problem to vendors,
resulting in rumor and panic, and a groundswell of distrust for the
OpenSSH software and the people involved in developing it.  People
who use security-sensitive software need to be able to trust the people
who develop security-sensitive software.  The way this particular event
transpired was no way to build that trust.  Is that what you want?

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>