lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5d6848b00907090833x8c53432g857dc7bfbf87c401@mail.gmail.com>
Date: Thu, 9 Jul 2009 11:33:01 -0400
From: Kevin Wilcox <kevin.wilcox@...il.com>
To: Charles Majola <charles.lists@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Rumor] SSH 0-day

2009/7/9 Charles Majola <charles.lists@...il.com>:

> >From the LWN article (OpenSSH maintainer Damien Miller), its probably
> not real, well just have to wait and see

Agreed.

Even if you *do* believe the secer site, look at the particulars. It's
a brute force. Properly configure your ssh servers (including
rate-limiting, key based authentication and user@...t allow
statements) and file this under a non-issue.

Of course this is all theoretical so far so I suppose everyone is free
to wring their hands and gnash their teeth as much as they wish over
this.

kmw

-- 
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, ‘the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ