At 06:50 PM 11/1/98 -0500, you wrote:
Hey morons argueing over the ssh bug, rootshell just posted an email advisory, they have written code on an ssh-1.2.26 exploit. They were hacked via ssh, and they have stated so on their web page as well.
Dave McKay themonk@lower.org Systems/Security Admin
Hello Mr. McKay. Firstly, I do wonder where you get off addressing NANOG as morons. Do you suppose to be the only individual in the readership with a clue? Before you crotch-check yourself and belt out "hell yes," perhaps you should re-read the email from Mr. Knox. I realize that being the hero to network admins everywhere must take up an enormous amount of your time so, I have included the paragraph to which I am referring:

[
Date: Sun, 1 Nov 1998 12:45:13 -0800 (PST)
From: Kit Knox <kit@connectnet.com>
X-Sender: kit@kit.rootshell.com
To: nanog@merit.edu
Subject: [rootshell] Security Bulletin #25

<snip>

They appear to have jumped the gun slightly and do not have working exploit code, but have found possible buffer overflows in the ssh 1.2.26 code. Rootshell has also received further reports of exploit code going around in various circles. SSH Communications Security Ltd. has evaluated this bulletin and now believes it is actually not a problem.

<snip>
]

"reports of exploit code" and actual WORKING exploits are nowhere near the same. Hell, some marketing people would like you to believe "reports" of windows boxes outperforming *nix boxes on identical hardware running the same tasks.

So, please tell all of us supposed "morons," where is the mention of the "code on an ssh-1.2.26 exploit" that they have written? Could you do us the service of posting a URL or are you too busy saving us from our feeble selves?

What I'm seeing on the webpage live and in technicolor is the same email from IBM-ERS that was posted to NANOG with rootshell comments added in [] to each paragraph. There is no mention of their having a working exploit and there is no mention of them being "hacked" via SSH. The site states:

[
On Wed Oct 28th at 5:12AM PST the main Rootshell page was defaced by a group of crackers. Entry to the machine was made via SSH (secure shell) which is an encrypted interface to the machine at 04:57AM PST this morning.

Rootshell was first informed of this incident at 6:00 AM PST and the site was immediately brought offline. The site was back up and operational by 8:00AM PST.
]

If you contend that this is being "hacked via ssh" I contend that you are making a huge leap. For all we know, and what I personally suspect, another box on the net was compromised that had a valid key with empty passphrase to login to the rootshell box.

-------
John Fraizer                      |    __   _
The System Administrator          |   / /  (_)__  __ ____  __ | The choice
mailto:John.Fraizer@EnterZone.Net |  / /__/ / _ \/ // /\ \/ / |  of a GNU
http://www.EnterZone.Net/         | /____/_/_//_/\_,_/ /_/\_\ | Generation

A 486 is a terrible thing to waste...
You gotta love 3r33t h4ck3rz with bad 4tt1t00dz and sp3ll1ng pr0bl3mz.

-Blake

---------------------------------------------------------------------------
Blake Willis 703-448-4470x483
Network Engineer, New Customers blakew at cais.net
CAIS Internet, a CGX Communications Company
---------------------------------------------------------------------------

At 06:50 PM 11/1/98 -0500, you wrote:
Hey morons argueing over the ssh bug, rootshell just posted an email advisory, they have written code on an ssh-1.2.26 exploit. They were hacked via ssh, and they have stated so on their web page as well.
Dave McKay themonk@lower.org Systems/Security Admin