Subject: re: rfc2228 in ftpd
To: None <>
From: matthew green <>
List: tech-security
Date: 07/01/2002 10:28:31
   >it around like magic dust.  Also, given that they sounded a major panic
   >unnecessarily, I don't trust them.  They made it seem like I had to
   >update all 20+ systems on the spot, when there was no need to update
   >any of them, except to make a config change on a handful.  They just
   >happen to be the best choice available at the moment.  However, I would
   >really really like an alternative.
   	there were reasons why they couldn't announce the config file workaround
   	when the 3.3 release was made.
   	- saying "disabling challenge authentication will make you safe"
   	  will make the location of the bug apparent, letting script kiddies
   	  create attack code in less than a day
   	  (and in fact, did you see the posting on bugtraq?  attack
   	  code did appear in less than a day)
   	- ditto for "disabling protocol version 2"
   	i suggested to markus that he include the reasoning behind the way the 3.3 -> 3.4
   	upgrade path was announced.  i think it will help a lot of people to
   	understand why it had to be handled this way.

i will never understand why it had to be handled that way.  it was
*SO EASY* for me to go to all my machines and turn off skey.  it
had started to prove to be a REAL PAIN IN THE ASS to update them
to a newer version (that STILL included the problem) that i'm not
sure i'd done more than 1 machine before the ISS advisory came out
and the sane workaround became known.

protect the users?  this sounds so much like "protect the children"
to me it makes me sick.