lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: SNMP Broadcasts

J.A. Terranson wrote:

>
>Agreed.  It is the SSH protocol, but it is not the SSH *service*.  It
>violates the standard (as you note).
>
>If I write a trojan that uses HTTP to process requests, then park it on
>31337, I do not have an HTTP serv(er|ice).  I have a trojan which happens
>to use the HTTP protocol.
>
>  
>
Agreed to the example above as it's a trojan, not an HTTP server, but if 
you take Apache and assign it to port 8081, you do have an HTTP server 
running on that port.  The distinction is one of intent and design, not 
technicality.

>No, not at all.  There's a big difference between a *standardized service*
>and it's underlying protocols.  In order to be SSH, it must comply with
>all of the standards for SSH.  Otherwise, you get a M$ Windows product.
>
>  
>
Yes, and not all standard subsections are of equal value.  Making the 
distinction based on bound port is, frankly, stupid.


>
>I understood that risk during the first post, and deliberately made note
>of that.
>
>  
>
So you knew you were wrong but said it anyway?

>As a non member of the appropriate standards bodies, what I would like is
>irrelevant.  If you assess a site, and report that they have ssh running
>on port 31337, you are not providing factual data - you are providing an
>uninformed opinon, which is *wrong*.
>
>
>  
>
Actually, please point me to the SSH standard document and section that 
lists that sshd *must* run on TCP port 22 to be a valid SSH server. 

My point about standards compliance in the last mail made the assumption 
that bound port was defined at all in the standard.  Doing a quick 
review of the IETF Secure Shell standard draft, I can't see any mention 
of it at all.

Barring your ability to provide this information, I'll accept your 
forfeit of the argument.

>>Saying what you said above is counterproductive and will only serve to
>>confuse people.  Perhaps you should wratchet up your pedantic nature and
>>instead of saying that it's "not SSH because it's on the wrong port" say
>>"it's non-compliant SSH because it's on the wrong port".
>>    
>>
>
>Except for you, I think everyone else *got* the point.
>  
>
That's funny - other people are arguing against you on this issue.

Making yourself feel like the world is on your side may make you feel 
good... but you're not fooling me with a stupid remark like that.

>
>Then I'm being difficult.  But in the end, this is my attempt to realign
>your thinking on it.  That you are immobile is not something I can help.
>
>  
>
I'm not the immobile one here. 

          -Barry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ