Message-ID: <1063973435.885.85.camel@dobber.bastun.net>
From: dobber at bastun.net (Ivan Dimitrov)
Subject: The lowdown on SSH vulnerability

I'm going to write my "Thank You Theo" to the man. I hope his mailbox
fills with another 10,000,000 email like mine to which he does not need
to respond.

On Tue, 2003-09-16 at 16:16, Andy Wood wrote:
> 	Well maybe he's had to answer 10,000,000 email on it, which if he
> doesn't respond he'll get the same press as you're giving up.  Maybe he's
> swamped with other contributions to the computing industry. Seeing that yer
> so tireless why don't you learn to write patches instead of just squawking
> about it.
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Carl Livitt
> Sent: Tuesday, September 16, 2003 8:26 AM
> To: full-disclosure@...ts.netsys.com
> 
> 
> Straight from the horse's mouth, this is a snippet of an email conversation I
> just had with Theo Deraadt:
> 
> --------------
> Theo,
> 
> Is there a patch available to patch the off-by-one that has been reported in
> OpenSSH ?  As it is being actively exploited in the wild, I would like to
> patch my servers ASAP (as you can probably imagine).
> 
> Thank you for taking the time to read - and hopefully respond to - this
> email.
> 
> Kind regards,
> 
> Carl
> ---------------
> 
> A flamefest ensued, but his answer was:
> 
> Bugger off, wait like the rest of the planet.
> 
> -------------
> 
> After more flaming abuse, I received this from him:
> 
> I have been spending the last 10 days making openbsd releases for about
> 14-15 hours a day for people to use We've been spending hours and hours
> making openssh release We are dealing with an, as far as we know,
> unexploitable hole (affects some systems, but not openbsd it is pretty
> clear) issue for all of you who run other system we've been dealing with
> this frantically to make something that the internet relies on as good as
> good as it possibly can be no sleep for 30 hours and you expect me to treat
> you special?
> 
> AND YOU EXPECT ME TO TREAT YOU SPECIAL?
> 
> AND YOU THINK THAT PASTING THAT TO SOME IRC CHANNEL MAKES YOU LOOK RIGHT?
> 
> and you think that you pasting it to some icb channel makes me feel worth
> less, when every single hp and cisco switch containing this code is likely
> vulnerable, and i don't like that, and want to make the world a better place
> even if it kills me due to stress and lack of sleep because i think that a
> better world is a better place to live my life?
> 
> 
> The main point is that "every single hp and cisco switch containing this
> code is likely vulnerable". Oh dear, this could get nasty.. batten down the
> hatches... 
> 
> Poor Theo, he needs his rest.
> 
> Carl.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 

Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!