Subject: re: rfc2228 in ftpd
To: None <itojun@iijlab.net>
From: matthew green <mrg@eterna.com.au>
List: tech-security
Date: 07/01/2002 10:28:31
   >it around like magic dust.  Also, given that they sounded a major panic
   >unnecessarily, I don't trust them.  They made it seem like I had to
   >update all 20+ systems on the spot, when there was no need to update
   >any of them, except to make a config change on a handful.  They just
   >happen to be the best choice available at the moment.  However, I would
   >really really like an alternative.
   
   	there were reasons why they couldn't announce the config file workaround
   	when 3.3 release was made.
   	- saying "disabling challenge authentication will make you safe"
   	  will make the location of the bug apparent, letting script kiddies
   	  create attack code in less than a day
   	  (and in fact, did you see posting on bugtraq?  in fact attack
   	  code appeared in less than a day)
   	- ditto for "disabling protocol version 2"
   
   	i suggested markus to include the reasoning behind the way 3.3 -> 3.4
   	upgrade path was announced.  i think it will help a lot of people to
   	understand why it had to be handled this way.


i will never understand why it had to be handled that way.  it was
*SO EASY* for me to go to all my machines and turn off skey.  it
had started to prove to be a REAL PAIN IN THE ASS to update them
to a newer version (that STILL included the problem) that i'm not
sure i'd done more than 1 machine before the ISS advisory came out
and the sane workaround became known.

protect the users?  this sounds so much like "protect the children"
to me it makes me sick.



.mrg.