[21021] in North American Network Operators' Group
Re: Rootshell pages hacked
daemon@ATHENA.MIT.EDU (Paul Vixie)
Sun Nov 1 13:22:06 1998
To: nanog@merit.edu
From: Paul Vixie <paul@vix.com>
Date: 01 Nov 1998 09:48:16 -0800
In-Reply-To: adam@flounder.net's message of 1 Nov 1998 02:13:41 -0800
> Moral.. Don't trust ssh.
>
> -Ryan
> Net Access Corporation
what idiocy. given write access to a binary, one can use the binary as a
trojan horse. if it has privileges or is executed by someone who has
privileges, then your trojan will have those privileges.
ssh is not the problem. writable / mutable binaries are the problem, and
letting someone break into your system far enough to write or mutate your
binaries is the problem, and using versions of SSH (or any other privileged
tool) whose signatures you have not verified out-of-band is the problem.
ssh is a fine program as such things go. security is fundamentally more
about the procedures for key use and key management than it is about the
quality of one's locks. in other words it's the people not the technology.
