[LUAU] so much for OpenBSD

bully bully at hawaii.rr.com
Mon Aug 6 13:45:35 PDT 2007


So, let me get this straight. What are we talking about here? ONE 
security 'hole' or exploit every FIVE YEARS?
As opposed to ONE "hole" punched in Windows OS every FIVE MINUTES? (Or 
less?)

No-brainer if you ask me. I think they're making way too much of such a 
little thing, comparatively speaking. (actually there is no comparison) :)

Whatdayathink Jim? :)

Bully



Jim Thompson wrote:
>
> On Aug 6, 2007, at 1:09 PM, 808blogger wrote:
>
>> well.... Keep in mind no other OS has even a close record to what the
>> openbsd team has done.
>
> Please.
>
>> And don't forget that the ssh you use every day is
>> written by the openbsd team, that's right. Theo and co. have done a 
>> HUGE job
>> improving security in the unix world at large.
>
> So what?  There were RSA-keyed, encrypted telnets in existence before 
> ssh got written.
> (Under my watch, by Doug Barnes, at Tadpole, circa 1994. Doug later of 
> 'C2' fame.)
>
>> and on the topic of this particular exploit, you would actually have 
>> to be
>> on the same physical LAN segment to use this exploit. This is not 
>> an "over
>> the internet" hack that can occur
>>
>> to quote from http://www.securiteam.com/unixfocus/5HP0C1FKUO.html
>>
>> "However, in order to exploit a vulnerable system an attacker needs 
>> to be
>> able to inject fragmented IPv6 packets on the target system's local 
>> network.
>> This requires direct physical/logical access to the target's local 
>> network
>> -in which case the attacking system does not need to have a working IPv6
>> stack- or the ability to route or tunnel IPv6 packets to the target 
>> from a
>> remote network."
>
> "logical"... if your router manages to create a tunnel for you, you're 
> hosed.
>
> It's **SPIN**, get it?
>
>> 99% of users will not even have a problem with this and
>> you don't even have to patch the system if you don't want to; simply put
>> 'block in quick inet6' in your pf.conf
>
> Right, but the claim is "default installation", and they didn't want 
> to lose that.
>
> (and let us not forget that the other bug was in (drumroll) ssh)
>
>> don't dump on the openbsd guys..... their product rocks.
>
> their process for security bugs appears to be quite badly borked.
>
> and FreeBSD rocks much, much harder.
>
> Jim
> _______________________________________________
> LUAU at lists.hosef.org mailing list
> http://lists.hosef.org/cgi-bin/mailman/listinfo/luau