Critical hole found in encryption program

CNET News.com ^ | June 27, 2002, 10:30 AM PT | Vivienne Fisher

[Bush2000]

Repeat after me: "More eyes means better security".

[JRandomFreeper]

Slender said ISS notified OpenSSH's senior developer, who had created a patch.

Gotta love the response time when there is a named senior developer with a public reputation to uphold.

/john

[TomServo]

Whoops!!! ;-)

[E=MC²]

We will be hearing more such incidents as the MSFT bashers "flock" to open source. I personally think MSFT has done fairly decently on security considering that 95% of the world's personal computers use its software, making it the ultimate target for hackers. The only reason security flaws aren't trumpeted about Apple and open-source to the same extent is because the vermin writing viruses and hacking aren't attracted to such minority systems yet.

[Bush2000]

Notice how silent the ABMers are when their own crap is shown to be full of holes?

[PatrioticAmerican]

yep. EVERYTHING is open to attack, everything. Notice how they pick on MS for security, but when Bill makes a determined effort they pick on that, too? When MS finds holes and makes an update, almost weekly, they denounce that. When MS follows proper security and doesn't announce known holes until they have a fix, they denounce that. Bigots.

[Bush2000]

Your silence on this vulnerability is deafening...

[dheretic]

The only reason security flaws aren't trumpeted about Apple and open-source to the same extent is because the vermin writing viruses and hacking aren't attracted to such minority systems yet

You are making a terribly flawed assumption. Your statement assumes that every platform is of equal quality and that it is virtually impossible for any platform to be genuinely more secure than another. It also assumes that every platform functions virtually identically and that whatever problems apply to one inherently apply to all of them. If we were talking about cars you'd be arguing essentially that American and European cars only have more problems in the US than major Japanese cars because more people in America drive them and thus they are exposed to a great number of potentially bad drivers and dangerous driving conditions.

Microsoft isn't well-known for preventing problems from occuring by taking long periods of time to test the product thoroughly. It makes up for that with, generally speaking, timely patches. That's good enough for the average person and even most businesses. That is not however good enough for the DoD or other major departments of the federal government responsible for protecting the public 24/7/365.25.

And Bush2000, give it a rest. I have already stated that I don't view Microsoft as the problem and that I am against the government policies such as software patents that protect them from competition. You are starting to become like Scott McCollum in your attempts to paint me as a Microsoft-hating, Communist. You have already proven yourself to be totally lost to Bill Gates' cult of personality.

[sigSEGV]

I wasn't aware that Microsoft provided an ssh server. A buggy telnet server yes.

[sigSEGV]

Oh, and FYI, new sad but true update on openbsd.org:

One remote hole in the default install, in nearly 6 years!

[Bush2000]

Oh, and FYI, new sad but true update on openbsd.org: One remote hole in the default install, in nearly 6 years!

If you're naive enough to believe your own BS, who am I to disturb your little hallucination ...

[ShadowAce]

Your silence on this vulnerability is deafening...

Hmmm... Let me see. The article was posted at 10:30 AM Friday. You posted a flag to me at 3:29 PM Friday. What was I doing during all that time? Let me think....

Oh yeah--I was WORKING FOR A LIVING!!!!!

Get off my back. I use MSFT as much or more than Linux--but it's not a religion.

[usconservative]

Notice how silent the ABMers are when their own crap is shown to be full of holes?

Duly noted. I got back home late Weds. night from spending three days @ Microsoft in Redmond, WA at their Executive Briefing Center.

Microsoft's entire focus right now is on making Windows as secure as Linux. Can you believe that? I wonder if they've seen this article. (smirk)

In all seriousness, they're apparently finally getting around to shipping their OS with everything locked down the way Linux/Unix variants are shipped and forcing users to open up the services they need. Quite a change, well over-due IMO. I remain skeptical that they can actually pull it off. I've heard the same crap from them for 2 years now. (I go twice yearly.)

As far as their DRM (Digital Rights Management) schema is concerned, there ain't no way in HELL I'm ever going to implement MS' version of DRM and give them the keys to my media. They can't even get Passport and .NET services down right. And when I brought those instances up, they suggested that MS would give the "keys" to the Government or to the U.N. (of all things!) to "enforce" Digital Rights in Cyberspace! The uproar in the room when they said that was something. LOL!!!

When MS suggested that the US Gov't would hold the keys to DRM, it was a pretty mellow "No way" from the group. The second they suggested the U.N. everyone in the room pretty much said HELL NO!!! Made me feel good, since I now know I'm not alone (outside of FR) in my anti-UN stance.

[sigSEGV]

If you're naive enough to believe your own BS, who am I to disturb your little hallucination ...

I don't suppose you'd like to provide evidence to the contrary.

[Bush2000]

I don't suppose you'd like to provide evidence to the contrary.

All networked OS software ... and I don't care whether you're talking about BSD, Linux, Windows, MacOS, whatever ... has vulnerabilities. Many of these vulnerabilities have been found. But many haven't yet been discovered. They're in the source code now, waiting for you to find them. But as this exploit points out, the availability of the source code doesn't eliminate security holes. So get off your high horse. If hackers spent as much time banging on BSD as they did on Windows, more of these exploits would be found.

[sigSEGV]

I don't understand how your reply has anything to do with what I asked.

The availability of source code reduces security holes and reduces the user's exposure to them. No one has claimed that open source eliminates security holes. Last Tuesday when one of the main OpenSSH coders announced this vuln, there were patches within a matter of hours. I had all my machines (Linux and Windows) patched by Thursday.

Oh, and "hackers" do spend more time banging on BSD than Windows. Why do you think there is an Apache worm floating around out there for FreeBSD when the Win32 Apache vulnerability is the most easily exploited?

[OHelix]

Your silence on this vulnerability is deafening...

Why me?

[AaronAnderson]

I'll have to admit, M$'s practice of charge obscene prices per seat for remote user access is certainly a deterrent for running terminal services and thus avoiding this type of exploit. Of course, the one and only time I have ever ran terminal services on a machine for remote access the system was compromised in three days, so I cannot vouch that it any more secure than SSH.

[bobwoodard]

Repeat after me: "More eyes means better security".

Seems like it worked. What was the turn around time to fix? It certainly seems pretty good.

[Bush2000]

Seems like it worked. What was the turn around time to fix? It certainly seems pretty good.

Too bad the eyes couldn't prevent it in the first place. ;-p