What if eEye didn't discover the thing but took it from some obscure 0day place (irc chan?). They wouldn't be able to tell, as that would make all their discoveries suspect of the same thing.
(just conjecturing)
Why don't you free people make a petition asking that this kind of law be banned by federal law or similar (IANAL)? And put the NAMES of politicians backing the current/upcoming state ones.
(petitiononline.com maybe?)
Completely disagree. Linus often says things that are wrong or uninformed, just like this time. Read my other post.
RMS a communist? OK, the same level of communism as Jesus, Gandhi and many other figures. Either you are a troll, or an illiterate ranter. (Go to Wikipedia at least, dig into communism + marxism + stalinism + fascism and dig a bit further from there; come on, prove me wrong!)
What if someone discovers a security bug, and they are really responsible professional researchers, and they want to give all affected vendors some time to come up with an official solution?
(researchers, not ppl into 0day exploits or cracking or whatever)
The way to do this is to have a multiple-vendor coordinated release, where all agree on a date to release the alert and the fix all together. This usually takes a few days, as most of them need to go through QA and other processes, as they are responsible to their customers. SecurityFocus offers such a service for FREE to any researcher/vendor.
Blowing the whistle too early:
Even with that, there is always some a**hole or some idiot vendor breaking this blanket period. See how RH fsckd this up, many times, and got themselves to the point of being told late.
Some other Linux groups also did this, by "mentioning" the bug to uncontrolled developers who went off fixing on their own, thus blowing the whistle.
IF LINUS & CO LEAVE THIS COORDINATED SCHEMA, THEY'LL LOCK THEMSELVES OUT OF NOTIFICATIONS FROM RESPECTED RESEARCHERS.
NOTE1: I have nothing against the 0day or the cracking communities, I'm only stating the case IF a researcher wants to give a blanket to vendors. (a very common case)
NOTE2: I'm not affiliated with SF, and even HATE the split bugtraq times for special vendors (I think this really killed it, a VV BAD move)
NOTE3: you might not agree with this schema, but consider most top name security firms follow it and it is to protect the users.
NOTE4: there is a defined period, so vendors are urged to come up with patch/alert
NOTE5: think also of the poor devs working for those vendors; making them work overnight hurried is not polite, they are devs like all of us
(I'm sure I'm missing some note and I'll get flamed anyway... flame on grrrrr)
still missing: session keys and host keys. :)
Plus how good is your OS at getting entropy? What symmetric encryption algorithm? What key exchange algorithm?
And about ssh over vpn... a friend (known player @ crypto) told me once that you should never assume that re-encrypting would improve security, unless you are using a well known and tested method of mixing both encryption systems.
The intention of this post is not bitching, but to try to make ppl aware it's not just "I use XXX, so I'm safe", but a very complex subject.
SSH1 is weak in many ways. Are you SSH2 only?
Also, how good is your w32 software at picking session keys? Host keys?
Not saying you're insecure, just that you didn't mention basic 101 stuff about it. And ssh implementations on w32 are rumored to be all weak. :-/
hell, some time ago ppl used to "free" source code like this just for fun. Only greedy kids nowadays, it seems ;)
and not smart... or very smart and this is a scam... If I were selling it, the first thing would be to contact key agencies/companies anonymously, not this freak high-profile thing. Sounds bad. And there are no md5s or something of a few files to prove it is the real thing.
Seen IOS and other srcs years ago... This is what they get for playing the closed source game: FEAR. :)
Even ignoring that... I would go get some nasal filters or a similar solution if I need to, or get some air filtering system for home. Change the world around you vs. change yourself.
I wouldn't recommend OpenBSD as a replacement for everyone. Actually, IMHExperience, most network admins don't know the real protocols below their Cisco routers. They are more about the manuals and Cisco howtos. Sure there are many great guys knowing a lot, but these are rare lately (in proportion; ppl don't disappear or forget all they know).
So I recommend ppl go study the noncommercial docs (books, specs, RFCs, papers, whatever) FIRST, then do the manuals. Else you don't know for real how things work. You're almost a certified acronym freak.
Very dangerous how nowadays the default for getting a "network admin" is looking just for CCNA or CCIE or whatever thing they make up. Not even M$ has a hold on a market like this. Compare, in contrast, programming (pick a language), unix admin... Though I wouldn't be surprised if the Java world does the same trick; they have that attitude.
Also, don't you think it's a very bad situation where most internet termination ends up at one single company? When they start to own standards committees and thus decide what gets in or out? I have very bad experience dealing with this kind. They don't have the researcher's view, or that of the ppl who do it just because they like the subject.
IMHO this is companies taking over. With all that implies. And no government or organization is putting a limit. And the user base doesn't respond as in other CS areas. It feels quite sad for some of us.
If this impresses you, check out this one...
on Point, Click, Root.
One of the original posts in one of the threads stated that there had been multiple successful attacks at an ISP which seemed to be SSH related. In this case they did run with privilege separation enabled.
Did you read the "from" addresses? You are talking about 2 different sources, claiming stuff without *any* precision. (all following is assuming these are truly from more than one guy having fun)
Does anyone know of or have source related to a new, and unpublished exploit? An ISP I work with has filtered all SSH connections due to several root level incidents involving ssh. Any information is appreciated.
So it isn't a first-hand report, and the guy doesn't say the incidents are related to this ISP. And he is *asking* if someone knows if there is an exploit. This initiating mail has as subject "new ssh exploit?"; see the punctuation at the end of it? But there is more in the follow-up from the same guy:
More on this;
The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.
The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.
I have received numerous messages from folks requesting anonymity or direct-off-list-reply confirming this exploit;
The suggestions I have heard are:
Turn off SSH and
1. upgrade to lsh.
or
2. add explicit rules to your edge devices allowing ssh from only-known hosts.
or
3. put ssh behind a VPN on RFC-1918 space.
thanks.
Are you blind? Doesn't that "upgrade to lsh" bullsh** ring a bell in your brain? Or the nonsense of blocking the ssh protocol altogether? Or the VPN craze?
*Other* ranter follows up:
Reported, Privsep was setup on the machines. I wouldn't know if they
have tcpdumps, but I would assume they have logs.
Just what I've heard by proxy.
-Justin
Unless they know each other or something, or this guy works at the ISP in question, which they didn't imply, they are just spreading baseless gossip. On *what* machines was privsep up? Do you think that enumeration of vulnerable OSs is based on attacks?
You claim that the point of your post is to state that "it looks like" privsep didn't help. Do you base it on *these* baseless, quite suspicious rants?
I am *not* saying there is no exploit, nor that privsep does or doesn't help. The point of *my* post was to show other ppl that your overrated post is, for me, just plain old FUD. And instead of just claiming it as you do, I give the links so the readers decide for themselves.
I am a slashdot freak, since most of /. posts are like yours, just propagation of FUD. I just put my point of view as challengeable, and *base* my opinion on something.
Can't see anything at the full-disclosure mailing list pointing at anything serious. Only a priv mail from Theo stating the bug doesn't look exploitable for now.
Do you trust anybody posting something they've heard? The guy that started the "new ssh exploit?" thread stated first that he knew of an ISP *blocking* sshd traffic (this is far from an exploit). And afterwards he says "The systems in question are FreeBSD, RedHat, Gentoo, and Debian all running the latest versions of OpenSSH.". Note he is losing it, the exploit FUD without base... and all ppl there start to talk about the bug as a fix against an exploit, though *nobody*, not even Theo's nemesis Darren Reed, mentions there is an exploit on the loose.
So FU** YOU. You scare ppl, you hide that and to do so spread more FUD by making wrong paraphrasing of the mailing list, hiding behind the slashdotted main archive.
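The only concrete detail the quoted thread gives about the alleged attack is that it "makes an enormous amount of ssh connections" from one source before a root login. Whatever the truth of the exploit claim, that pattern is something an admin can check for in sshd logs instead of relying on hearsay. The following is an added example, not code from the thread or from OpenSSH; it assumes the usual syslog line format and keys on the `from <ip>` fragment that most sshd messages share, so it works whatever messages the configured LogLevel produces. The sample log lines and the threshold of 20 events per 60 seconds are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# syslog-style sshd line: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Nearly every sshd message naming the peer contains "from <ip>", regardless of
# LogLevel, so this fragment is a robust way to attribute events to a source.
SRC_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from ")


def parse(line):
    """Return (timestamp, source_ip, accepted_user_or_None), or None if not a usable sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = SRC_RE.search(m.group("msg"))
    if not src:
        return None
    # syslog carries no year; datetime defaults to 1900, which is fine for
    # window arithmetic as long as the log does not cross a year boundary.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    acc = ACCEPT_RE.match(m.group("msg"))
    return ts, src.group("ip"), (acc.group("user") if acc else None)


def detect_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag any source with >= threshold sshd events inside a sliding time window.

    Each alert also records whether that source obtained a root login after the
    burst started, the combination the thread's hearsay describes.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = {}                   # ip -> alert dict (one alert per source)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"ip": ip, "count": len(q), "first": q[0], "last": ts, "root_login": False}
        if user == "root" and ip in alerts:
            alerts[ip]["root_login"] = True
    return list(alerts.values())


# Constructed sample log (not from any ISP mentioned in the thread): one source
# opens 30 connections in a few seconds and then gets root; another is normal.
SAMPLE_LOG = (
    ["Sep 16 04:11:58 gw sshd[1990]: Accepted publickey for alice from 198.51.100.9 port 50122 ssh2"]
    + ["Sep 16 04:12:%02d gw sshd[%d]: Did not receive identification string from 192.0.2.77"
       % (i // 5, 2000 + i) for i in range(30)]
    + ["Sep 16 04:12:09 gw sshd[2031]: Accepted password for root from 192.0.2.77 port 41230 ssh2",
       "Sep 16 04:20:00 gw sshd[2100]: Failed password for bob from 198.51.100.9 port 50130 ssh2"]
)

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print("%(ip)s: %(count)d events in window, root login afterwards: %(root_login)s" % a)
```

Run it against `/var/log/auth.log` (or wherever syslog puts `authpriv`) with `detect_bursts(open(path))`. A burst alone proves nothing; scanners and broken clients produce them too. The alert that matters is a burst followed by an `Accepted ... for root` from the same source, which is why the detector carries both facts in one record.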
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.
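Two questions raised on this page can be answered from a server's identification string alone: the earlier "are you SSH2 only?" post, and the advisory quoted just above, which applies to sshd prior to 3.7. The following is an added example, not code from the advisory, the thread or the OpenSSH project. It parses the `SSH-protoversion-softwareversion` line the server sends on connect: protoversion `2.0` means SSH-2 only, `1.99` means the server also accepts SSH-1 clients, and `1.x` means SSH-1 only. The version cut-off of 3.7 comes from the advisory; the banners used in the demo are constructed, and `fetch_banner` (which does a real network read) is provided for use but not called by the demo.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Identification string as the SSH transport protocol defines it:
# "SSH-protoversion-softwareversion [SP comments]"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<ver>\d+(?:\.\d+)*)")

FIXED_IN = (3, 7)   # from the advisory quoted above


@dataclass
class Banner:
    proto: str
    software: str
    comment: Optional[str]

    def ssh1_offered(self) -> bool:
        # "2.0" is SSH-2 only; "1.99" means SSH-1 is also accepted;
        # "1.5"/"1.3" is SSH-1 only.
        return self.proto != "2.0"


def parse_banner(line: str) -> Banner:
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return Banner(m.group("proto"), m.group("soft"), m.group("comment"))


def openssh_version(software: str) -> Optional[Tuple[int, ...]]:
    """(3, 6, 1) for 'OpenSSH_3.6.1p2'; None for non-OpenSSH software strings."""
    m = OPENSSH_RE.match(software)
    return tuple(int(x) for x in m.group("ver").split(".")) if m else None


def assess(line: str) -> List[str]:
    """Return a list of findings for one banner; empty means nothing to flag."""
    b = parse_banner(line)
    findings = []
    if b.ssh1_offered():
        findings.append("SSH-1 offered (protoversion %s); set 'Protocol 2' in sshd_config" % b.proto)
    v = openssh_version(b.software)
    if v is not None and v < FIXED_IN:      # tuple comparison: (3, 6, 1) < (3, 7)
        findings.append("%s predates OpenSSH 3.7 (buffer management fix)" % b.software)
    return findings


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line over the network (not used by the demo)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for line in f:                      # servers may send other lines first
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("no identification string from %s:%d" % (host, port))


if __name__ == "__main__":
    # Constructed banners, not captured from any host discussed on this page.
    for banner in ("SSH-1.99-OpenSSH_3.6.1p2", "SSH-2.0-OpenSSH_3.7.1p2", "SSH-1.5-OpenSSH_2.9p2"):
        print(banner, "->", assess(banner) or ["ok"])
```

Two caveats apply. The banner is self-reported, and distributions routinely backport fixes without bumping the version string, so a "predates 3.7" finding on a packaged sshd has to be checked against the package changelog before it is called a vulnerability. And the check says nothing about exploitability, which the advisory itself leaves open; it only tells you whether the code in question is running.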
And remember, your taxes/tribute cover unemployment checks.
I bet you don't read newspapers or watch the news.
can't believe there's nobody w/ sense of humor at this time...
You're wrong. You can have multiple MX records.
For info on exploits: badcoded. Note: This is not a 0day site, it is real info for exploit writing.
are you deeply religious? ;)
else how can you say something like that!
yeah, was a bit shocked too to see that.
affect vs effect usage
Core Impact. Just that its commercial doesn't mean it's not the same issue.
Good pals.
Flash movie with sample attack
mod-parent-up-or-die-in-karma-hell ;)
Java JVMs written in language X... so every device running Java should say "powered by Java" / "powered by X"?
Kazaa suing the MPAA/RIAA for reverse engineering... ha!
scroll down a bit, it's right there.
SO BAD THERE ARE OTHER ARCHIVES AROUND.