This thread has the typical "useless thread on NANOG" problem. It attepts to be tangentially relevent but really it just is not. Certainly, the initial thought -- to communicate that www.rootshell.com was compromised -- was not relevent to north american network operators. Next, a discussion of what it means to be secure, and of course this wasn't relevent for NANOG either, but some well-meaning competant individuals got roped in, presumably in the hope that the discussion would terminate. After all, a little bit of off-topic discussion is fine and useful -- if we tried to find the right mailing list for absolutely *everything*, no one would ever get anything done. But we went long past that point. Discussion of compromises in application programs (ssh), even ones widely used in the network community, is not very appropriate for NANOG either. We could discuss compromises every time Sun released a security patch, or every time rootshell.com posted an exploit -- we'd have more traffic than bugtraq (not hard, it's a moderated list...)! The latest stuff about ftping through SSH tunnels just kicks the bucket even further, beneath the lower standard of conduct to which some of us hold NANOG (because the community seems to be comprised of a more-childish and less-responsible set of individuals than most other communities, so it's foolhardy to try and hold it to high standards). Please try not to dignify any of the traffic in this thread with a reply. If you really feel that your commentary is useful and relevent, please direct it to the authors in private email. Similarly, if you feel a burning need to know the resolution of an issue raised by some individual, please send them private email and I'm sure they'll be happy to forward you the relevent discourse they've received, or direct you to a venue more suited for the discussion. I, for one, am disgusted, but you already knew that. --jhawk