lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1227568762284@names.co.uk>
Date: Mon, 24 Nov 2008 23:19:22 +0000
From: "dennis jackson" <dennis.jackson@...rect.co.uk>
To: <guillaume.muller@...esurf.fr>, <bugtraq@...urityfocus.com>
Subject: Re: Re: OpenSSH security advisory: cbc.adv 

What documents have you been reading?

Take a look at the actual vulnerability advisory.
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
Or the original posting by OpenSSH
http://www.securityfocus.com/archive/1/498558/30/0/threaded

Where is there any condition related to National Security?

If you read the vulnerability advisory you would see that the problem is "a
design flaw in the SSH specification". OpenSSH was merely used as an example of
an implementation of SSH written to implement the specification.

It only takes a few seconds to realise that SSH is used in critical systems. We
have seen in recent weeks and months that we are all vulnerable to the security
of the banking systems. Anyone who uses online banking makes use of systems that
include SSH. Do the oil companies have a private network for ordering stocks?
What about weather stations or tidal guages, are they on private networks? Are
there any ISPs who don't use remote mangement?


on 24/11/08 8:04 PM, guillaume.muller@...esurf.fr wrote:

> Hey!
>
> They put a condition because of "National Security". Should that mean
> that they use OpenSSH in "National Security"-sensitive applications
> (interesting ;););))?
>
> If so, should that mean that they implicitely recognize the very good
> work done by the community?
>
> If so, why not act politely with the community and share knowledge?
>
> This would make the software better, so that they could still use it in
> their applications.
>
> How can't they understand that?
>
> Why not just share the knowledge and just ask for some time (fixed
> amount? or just "when a solution will be found") before public release
> of the details of the attacks?
>
> Why not release the details and switch to another system if OpenSSH is
> not what they need anymore?
>
> So one more entity that just want to benefit from FOSS, but not
> contribute...
>
> If I were the developpers, then I would just retaliate (humoristically)
> by sending them a similar (fake)-contract/NDA, asking them not to use
> OpenSSH, but share National Sensitive information. In other words, just
> ask them to share THEIR knowledge without US providing our tools.
>
> There are some times where I hate the BSD licence, because it does not
> force people to cooperate! (even if I don't think any other licence
> would help here...)
>
> My 2 cents and sorry for the off-topic subject...
>
> Cheers
>
> GM
>
> --
> Guillaume MULLER
> Post-Doc - Sala C2-50
> Laboratório de Técnicas Inteligentes (LTI)
> Depto. Eng. Computação e Sistemas Digitai(PCS)
> Escola Politécnica da Universidade de São Paulo
> Av. Prof. Luciano Gualberto, 158 travessa 3
> 05508-900 - São Paulo - SP - Brasil
> Tel: +55 11 3091 5397
> http://www.lti.pcs.usp.br/~guillaume

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ