[ale] Known SSH exploits?

Robert L. Harris Robert.L.Harris at rdlg.net
Mon Oct 14 09:02:17 EDT 2002




As an ex-lockmart person I can say you have no idea...  They can get
some strange ideas locked in and there is nothing short of a bitchslap
from God that'll make them rethink it.  One reason it's "ex-lockmart". 



Thus spake John Wells (jb at sourceillustrated.com):

> Date: Mon, 14 Oct 2002 08:49:54 -0400 (EDT)
> From: "John Wells" <jb at sourceillustrated.com>
> To: <dana at slothlovechunk.org>
> Cc: <ale at ale.org>
> X-Mailer: SquirrelMail (version 1.2.8)
> Subject: Re: [ale] Known SSH exploits?
> 
> Um...I'll take this opportunity to point out that on its worst day,
> exploits or not, ssh is 100 times as secure as telnet.
> 
> Man, someone at your company just ain't thinking right ;-)
> 
> John
> 
> Dana Powers said:
> > Well, for one, if you are going to try to keep your company nameless,
> > you should a) probably not send from a corporate account, b) at least
> > remove the give-away .sig .
> > I mean, how hard is it to just 'telnet' to an external machine and mail
> > from there ;)
> >
> > Seriously though, SSH has had its share of bug exploits, but like most
> > other projects, if you keep them up to date, you'll be ahead of the
> > curve. As for algorithmic exploits, yes, the original SSH protocol,
> > version 1, has been shown to be vulnerable in a few ways. Most people
> > feel very safe with SSH protocol 2 using the current OpenSSH, however.
> > There was a week or so, fairly recently, where it seemed like there was
> > a new ssh exploit every day - I'm not sure why this was, but that may be
> > the stem of uncertainty your employer is clinging to.
> >
> > dpk
> >
> > ----- Original Message -----
> > From: "Jeff Layton" <jeffrey.b.layton at lmco.com>
> > To: <ale at ale.org>
> > Sent: Monday, October 14, 2002 7:26 AM
> > Subject: [ale] Known SSH exploits?
> >
> >
> >> Good morning,
> >>
> >>    Corporate security where I work (who shall remain nameless
> >> for the moment :) has decreed that SSH is to be outlawed because there
> >> are known exploits. I'm starting to do a little investigation on this
> >> issue, but I know there are some security experts on the list who
> >> might be able to shed some light on this (Bob T. are you there? :)
> >>    Just to add a little comedy to your morning, SSH is outlawed,
> >> but telnet is allowed and encouraged.
> >>
> >>
> >> TIA,
> >>
> >> Jeff
> >>
> >>
> >> --
> >>
> >> Jeff Layton
> >> Senior Engineer
> >> Lockheed-Martin Aeronautical Company - Marietta
> >> email: jeffrey.b.layton at lmco.com
> >>
> >> "Is it possible to overclock a cattle prod?" - Irv Mullins
> >>
> >> This email may contain confidential information. If you have received this
> >> email in error, please delete it immediately, and inform me of the mistake by
> >> return email. Any form of reproduction, or further dissemination of this
> >> email is strictly prohibited. Also, please note that opinions expressed in
> >> this email are those of the author, and are not necessarily those of the
> >> Lockheed-Martin Corporation.
> >>
> >>
> >>
> >>
> >> ---
> >> This message has been sent through the ALE general discussion list.
> >> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> >> sent to listmaster at ale dot org.
> >>
> >>
> >>
> >
> >



:wq!
---------------------------------------------------------------------------
Robert L. Harris                
                               
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

