Subject: Re: rfc2228 in ftpd
To: None <>
From: Jaromir Dolecek <>
List: tech-security
Date: 07/01/2002 08:25:58 wrote:
> 	- saying "disabling challenge authenticaiton will make you safe"
> 	  will make the location of the bug apparent, letting script kiddies
> 	  create attack code in less than a day
> 	  (and in fact, did you see posting on bugtraq?  in fact attack
> 	  code appeared in less than a day)
> 	- ditto for "disabling protocol version 2"

I do not believe in this kind of reasoning. How many people out
there are using S/Key ? 1% of people or less? So while there people
would know they are vulnerable, rest could have had better sleep.
And hackers would have tough time to _find_ vulnerable server,
even if they'd find the problem.

It's hingly unprofessional and nonresponsible to leave people
in fear for extended periods of time unnecessarily, like this.
The fact that Mr. de Raadt abused this situation to push privsep
is highly disgusting.

It's highly worrying that people working on OpenSSH behave like

Jaromir Dolecek <>
-=- We should be mindful of the potential goal, but as the tantric    -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow.   Do not let this distract you.''     -=-