Re: Re: OpenSSH security advisory: cbc.adv

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Re: OpenSSH security advisory: cbc.adv
From: Guillaume MULLER <guillaume.muller@xxxxxxxxxxx>
Date: Mon, 24 Nov 2008 15:37:45 -0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding:sender; bh=gTXCJglsQUsbVn9oWjDgRisnlBtxQaWHscuDv94yu3I=; b=qI0wrMyZpmZgtnhEU7t/FF24kMcFf2eW2149wDgWAr2xQYrY7P76YFWIFj9HaVMv59 D0bta+WOAQX1Muk5AoK9MA5EwWL5dOfhyd1N0PZ3+Np78LVw2eC1MOv8oxasxz3ib/LQ P1pISg5QqvoSCLHhIM+jPDcOe8uXL4SbxqUsA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:subject :references:in-reply-to:content-type:content-transfer-encoding :sender; b=NRCOT+XUbkDn/5LSIq2M0EnKKy4ycaeD6iIY8CKFVSf9scnWhXdEK6jv9PGHNf+Zui Wt4Hz1L8p/TF8zBAZfF85LS+vbPhwRxrP+Nbp9UmhpRdow4frRxgQoNmTyMvjC5NYYz9 DFcO82v0IYIWr3tqx8VUqUlr/QP/8bUsXpkx8=
In-reply-to: <20081124094646.GB8481@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20081124094646.GB8481@xxxxxxxxxxxxxxxxxxxxxx>
Reply-to: guillaume.muller@xxxxxxxxxxx
Sender: Guillaume Muller <guillaumemuller75421354@xxxxxxxxx>
User-agent: Thunderbird 2.0.0.16 (X11/20080812)

Hey!

They put a condition because of "National Security". Should that meanthat they use OpenSSH in "National Security"-sensitive applications(interesting ;););))?

If so, should that mean that they implicitely recognize the very goodwork done by the community?


If so, why not act politely with the community and share knowledge?

This would make the software better, so that they could still use it intheir applications.


How can't they understand that?

Why not just share the knowledge and just ask for some time (fixedamount? or just "when a solution will be found") before public releaseof the details of the attacks?

Why not release the details and switch to another system if OpenSSH isnot what they need anymore?

So one more entity that just want to benefit from FOSS, but notcontribute...

If I were the developpers, then I would just retaliate (humoristically)by sending them a similar (fake)-contract/NDA, asking them not to useOpenSSH, but share National Sensitive information. In other words, justask them to share THEIR knowledge without US providing our tools.

There are some times where I hate the BSD licence, because it does notforce people to cooperate! (even if I don't think any other licencewould help here...)


My 2 cents and sorry for the off-topic subject...

Cheers

GM

--
Guillaume MULLER
Post-Doc - Sala C2-50
Laboratório de Técnicas Inteligentes (LTI)
Depto. Eng. Computação e Sistemas Digitai(PCS)
Escola Politécnica da Universidade de São Paulo
Av. Prof. Luciano Gualberto, 158 travessa 3
05508-900 - São Paulo - SP - Brasil
Tel: +55 11 3091 5397
http://www.lti.pcs.usp.br/~guillaume

References:
- Re: OpenSSH security advisory: cbc.adv
  - From: Otto Moerbeek

Prev by Date: [USN-675-2] Gaim vulnerability
Next by Date: FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random
Previous by thread: Re: OpenSSH security advisory: cbc.adv
Next by thread: Re: OpenSSH security advisory: cbc.adv
Index(es):
- Date
- Thread