Slashback: OpenSSH, Bio, Timeliness
Things that make you want to bring back thumbscrews. A few days ago, we mentioned the release of OpenSSH 3.3; compared to previous versions, the biggest change in 3.3 is increased emphasis on privilege separation. Today, Theo de Raadt sent word of an OpenSSH vulnerability being worked on by ISS and the OpenBSD team, details of which are expected to be published early next week.
In an announcement sent to bugtraq, he wrote: "However, I can say that when OpenSSH's sshd(8) is running with priv separation, the bug cannot be exploited.
OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches.
However, everyone should update to OpenSSH 3.3 immediately, and enable priv separation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file:
UsePrivilegeSeparation yes
Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand?
3.3 does not contain a fix for this upcoming bug.
If priv separation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us."
Theo emphasizes the role of vendor cooperation in making privilege separation work on the full range of systems on which OpenSSH runs. "If the vendors don't start pulling their part," he says in an email, "by the time the bug is posted their customers will be left unprotected. These vendors who do not do the right job and instead just 'sell sell sell' are starting to become annoying. On a lot of systems today, privsep does NOT work well at all. The vendors have not been helping!"
A patched version of OpenSSH could be released as soon as Friday, incorporating vendor patches received by this Thursday.
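Theo's instructions above amount to a one-line configuration change plus the question of whether it actually took effect. The following shell script is an added example, not from the article or from the OpenSSH project: it checks an sshd_config file the way sshd itself reads it (the first non-comment occurrence of a keyword wins, later duplicates are ignored), and adds a process-table check for a live host. It assumes the unprivileged privsep account is named "sshd", which is what OpenSSH 3.3 documents, and it treats a missing directive as not enabled, in line with the advice to set it explicitly.

```shell
#!/bin/sh
# Added example (not from the article or OpenSSH): audit sshd_config for
# privilege separation, then optionally confirm it on the running host.

# Print the effective value of one sshd_config keyword. sshd takes the FIRST
# non-comment occurrence of a keyword, so "UsePrivilegeSeparation no" followed
# later by "UsePrivilegeSeparation yes" leaves privsep OFF. Keyword matching
# is case-insensitive; only the "Keyword value" form is handled here.
sshd_effective() {
    awk -v key="$1" '
        { sub(/#.*/, "") }          # strip comments; awk re-splits $0 into fields
        NF < 2 { next }             # blank line or keyword without a value
        !found && tolower($1) == tolower(key) { print tolower($2); found = 1 }
    ' "$2"
}

# Report the privsep state of a config file: prints "yes", "no", "unset" or the
# odd value found, and returns 0 only when privsep is enabled. Assumption: an
# absent directive is treated as not enabled (set it explicitly, as advised).
privsep_status() {
    v=$(sshd_effective UsePrivilegeSeparation "$1")
    case "$v" in
        yes) printf 'yes\n'; return 0 ;;
        "")  printf 'unset\n'; return 1 ;;
        *)   printf '%s\n' "$v"; return 1 ;;
    esac
}

# On a live host with a client connected, a privsep'd sshd shows a child
# running as the unprivileged "sshd" user (OpenSSH 3.3's documented privsep
# account) beside the root listener. Returns 0 if such a child is present.
privsep_running() {
    ps -eo user,comm | awk '$1 == "sshd" && $2 == "sshd" { n++ } END { exit n ? 0 : 1 }'
}

# Constructed sample configs (not captured from any real host).
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp); SAMPLE_UNSET=$(mktemp)
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_UNSET"' EXIT
cat > "$SAMPLE_GOOD" <<'EOF'
Port 22
# UsePrivilegeSeparation no        <- commented out, ignored
usePrivilegeSeparation YES         # keyword and value are case-insensitive
EOF
cat > "$SAMPLE_BAD" <<'EOF'
UsePrivilegeSeparation no
UsePrivilegeSeparation yes         # too late: the first occurrence wins
EOF
cat > "$SAMPLE_UNSET" <<'EOF'
Port 22
Protocol 2
EOF

for f in "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_UNSET"; do
    printf '%s: privsep %s\n' "$f" "$(privsep_status "$f")"
done
# To audit the real thing: privsep_status /etc/ssh/sshd_config && privsep_running
```

The second sample is the case an auditor most often misses: a "yes" appended to the bottom of a file that already says "no" higher up changes nothing, because sshd keeps the first value it sees. The process check is deliberately separate from the file check, since a correct file means nothing until the daemon has been restarted.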
Read More on Stallman. Vamphyri writes: "Sam Williams, author of 'Free as in Freedom', a biography of GNU/Linux founder Richard M. Stallman, has gone live with the online free version 1.0 of FAIFzilla.org. The paper-pulp version's publishers, O'Reilly & Associates, agreed under the terms of the GNU Free Documentation License and have their own version up at their site. Williams' site allows for content and corrections to be submitted by readers. He hopes for contributions to be included in later editions of the O'Reilly bio. Also: CGI coders wanted for site enhancement, paragraph and line numbering, searches etc. Maybe a CVS tree is in order? :)"
"Urpmi Norton" doesn't work for some reason. MrResistor writes "Upon logging in to my computer at work this morning, I was greeted by a virus update notice from McAfee SecurityCenter. The update for today includes W97M/Melissa@MM, and of course McAfee's newly manuf^H^H^H^H^Hdiscovered threat, the W32/Perrun JPEG virus (which was also highlighted in yesterday's update). All of the updates in the last week or so have been rated Low or No Threat (except for Perrun, which is "Low On Watch"). It seems that in addition to manufacturing new threats, they're also rehashing old threats to keep subscription renewals up. Perhaps it's time for Slashdot to add an Ethics topic?"
I hate Slashdot.org.
I laugh at Slashdot.org's cruddy journalism. I unclog my nose at Slashdot.org. I fart in Slashdot.org's general direction.
Dirtbag. Don't fool people with a redirect to goatse.cx
How many others don't find the time for all these updates?
So much to do, so little bandwidth.
--
Try Mozilla
Again, OpenSSH has another remote exploit! It is climbing my list of insecure software on my machine, which is pretty scary. Can't someone write secure software??
Fuck the police! Fuck, fuck. Fuck the police!
I would rather be a cocky BSD using bastard than a homosexual linux using moron any day.
But the good thing is that nobody uses BSD anymore.
goatse link in above post
I used to be a loyal Norton AV user for years, until they started with this "subscription" bullshit. I've been using McAfee ever since. $29 retail at Wal*Mart isn't that bad, and plus I get free updates every Wednesday sans subscription. It even runs an auto-update service so I don't even have to worry about updating... it takes care of itself! It even ships with other cool features like a monitor for Outlook (it checks for trends in messages... e.g., if I try to send a message with more than a couple of recipients in the To: field, HAWK halts the process and asks if I really want to send that e-mail). Annoying, yes, but at least I feel protected. That on top of Outlook's I-won't-let-anything-access-the-address-book feature (you can enable address book access for a minute or 5 at a time, if you wish, for things like Palm sync to access the addr book). What a deal. Peter Norton is a sellout. If I had a copy of Norton AV today, I'd wipe my ass with the CD, no matter how painful that may be!
;)
On another note... First the Apache hole, now this OpenSSH exploit? Looks like some folks are joining the ranks of Windows server users
Aw, fuck it. Let's go bowling. - The Big Lebowski
RedHat has posted an RPM of the new OpenSSH 3.3p already. Come and get it!
Open Snot So Secure Shell
Opened up and just got root thanks to your Shell
this is appropriately named open but isn't ss
OUSH: Open Unsecure Shell (pronounced Ouch)
And as proposed by my girlfriend
POSSH (and if you can't figure out what this stands for start drinking your daily ginseng and taking your ginkgo)
I fully agree Theo de myegoisbiggerthanprincesego Raadt should be renamed TDR (not to be confused with TCH)
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
Rob Malda is definitely QUEER.
Yeah, those security exploits sure are craaaazy! I should be shipped to the loony bin!
--
Theo DeRaadt
Founder, OpenBSD project.
Will you be my music teacher for repeating kindergarten?
I am the nightmare of nightmares.
To fix your freebsd boxen:
If you are a good little boy, you will find that this special port links against openssl 0.9.6d. Gosh and gollies, that's why you needed to cvsup your ports, silly! Ain't that a fucking riot? More emoticons to take the bitter edge off:
UsePrivilegeSeparation yes
Wheeeee! Now I don't run 20K of code as root, and run only ~2K as root in a chroot.
How's that? You feel any better about things? Maybe this is the proper motivation you need to patch your damn box.
Do your nipples get sore after clamping and stretching?
Writers imply. Readers infer.
Now that BSDi is dead ARE there any companies left that are dedicated to developing BSD as a kernel and OS as part of their core business activities anymore?? No. Except Wasabi, which is pretty small, still only able to meet payroll by borrowing more money. Pretty heavy in debt.
The reason it's delayed a year is because BSD development has had a serious accident and needs to be hospitalized to get itself back together. With BSDi defunct relying on Apple, Wasabi and a band of merry volunteer hackers to get SMP done means it AIN'T gonna happen.
Hello Yahoo??!! Can Yahoo afford to hire a few SMPng hackers for a year??? Oh yeah I forgot Yahoo is broke too.
At this point SMP is owned by Linux and Solaris and in a distant third Microsoft.
On 4 way and 8 way machines BSD is simply not in the running at this stage and even on 2 way systems out of the box RedHat 7.1 is a better choice for SMP. What's more, threading work done by IBM is gonna improve Linux even more on this front - even Caldera (which bought SCO Unix, a quite good SMP system up to 8 ways) admits that Linux will likely overtake the SCO kernel.
BSD dying? Quite likely.
Go away Darren Reed
It's not dead. It's dying! And you people are s'posed to be IT professionals! Sheesh.
:)
It is 10pm. Do you know where your karma is? Right, let us get started. In order to get maximum karma from Slashdot posting you can follow a few simple guidelines.

The University you go to: Regardless of where you actually study, saying that you're at MIT automagically gains you +2. Slashdot, like the glorified student notice board that it is, has a special place in its heart for anything from MIT, whether it be a teddy bear stuffed with a switch or some wankers wrapping a yellow banner with elvish text around the main dome. Even if you didn't go to university, qualify every comment with a "My professor told me..." to bask in the warm fuzzy glow of +2 Insightful.

Linux: The basis of the Slashdot Experience. Claiming you run Linux also gets you +1 Interesting. It doesn't really matter if you've never actually installed it or your Red Hat box still doesn't have PPP running after 2 years of reading FAQs. The important bit is: you're part of the community. You can bathe in the reflected glory of years of shoddy, buggy code. You are exempt from the Microsoft penalty (see below) as of course your Win 98 install is only used for playing games. And reading Slashdot. And using MS Word. And Photoshop. And...

Microsoft: Slashbots and the editors hate Microsoft. Period. Use of a $ symbol in every iteration of their trademarks gets you a +4 Funny. Even though it is far from original, it still manages to raise a grin in those people reading Slashdot between episodes of Cowboy Bebop. You will get a -1 Flamebait or Troll for any post even hinting that Microsoft products are any good, useful, intuitive, user friendly. You will also quickly be shot down with replies about how good GNOME and KDE are, which will then in turn erupt into a flame war.

Freedom / Privacy / YRO: The bread and butter of Slashdot. It fits in sublimely with the whole Linux thing. You'll get a +3 Informative for any post containing the Ben Franklin quote about sacrificing essential liberty. It makes no difference that the quote is totally irrelevant in the modern world. Hey, you've got karma! Miscrediting the quote will not end up in a karma penalty, as has been demonstrated countless times. You will gain extra karma if you make reference to your experiences of being wiretapped by the NSA and throwing in a vague link to Echelon, black helicopters or Tin Foil Hat Linux. Include a link to the First Amendment for a +1 Interesting mod. Give yourself a pat on the back if you manage to include some extra raging paranoia with no evidence to back it up. Nice.

BSD: If you use it, don't mention it on Slashdot. Most of the Linux-using friendless wonders that inhabit Slashdot wouldn't know quality and stability if it strolled up and kicked them in the throat with a size 13 Hi-Tec Magnum boot. Any mention of how a firewall running OpenBSD with pf is far superior to Linux's pathetic offering will soon see you as -1 Troll. Much like the post you're reading now.

Yearning for yesteryear: Although most comments are written by first year wannabe-CS-guru students or are links to goatse.cx, there are still the fallout dregs of the dot com boom lurking around Slashdot. You can get +5 Insightful for telling how you were so badly treated after the bubble burst. Whining about the lack of jobs where you get paid to fire foam darts at colleagues is a good start. Don't forget to mention how you've now been out of work for months. It starts an "I'm about to graduate and there's nothing going" fuckfest which can spill over into hundreds of comments. Although all the staff who were any good simply got hired into another company, it makes Good Karma Sense to hide the fact that your passing familiarity with Perl and C simply can't get you a job. This is also a prime opportunity to show your egregious personality, as Slashdot rewards arrogance and elitism.

DON'T FORGET TO MOD ME DOWN
Yeah, it would be ridiculous for a UNIX box to allow people to log into it.
OpenBSD can eat a fat dick.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"