Vmyths.com



Truth About Computer Security Hysteria

[Editor's note: Turn down the volume if you listen to the audio version of this column. Don't say we didn't warn you...]

OpenSSH, thou art unclean!

As read by the author Rob Rosenberger, Vmyths co-founder
Tuesday, 25 June 2002
NOSTRADAMISS ONCE AGAIN raised their "AlertCon" to a level of "3" after they detected a horrifying new security exploit. Quoting directly from their website: "AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, immediate action required."
NostradamISS raised their "AlertCon" again. I'd offer you a link to their website ... but their security certificate expired today. I don't trust them anymore.
Actually, the psychic friends' network at ISS has a more pressing issue to worry about. Their website's security certificate expired today. (We archived a snapshot for posterity.) I'd offer you a link to their website so you could see the irony for yourself ... but, frankly, I don't trust their website anymore. I mean, what if a hacker broke in and changed something? Never trust an invalid security certificate, folks. Never. ISS may be spreading computer viruses right now for all we know.
ATTENTION ISS FLUNKY PATRICK GRAY! ATTENTION ISS SUPERHERO CHRIS ROULAND! ALERTCON 4! ALERTCON 4, I SAY!!! FIX YOUR WEBSITE SECURITY CERTIFICATE IMMEDIATELY BEFORE--
--uh, before the Internet dies, of course! {cough}
I apologize for screaming at the top of my lungs, but what else could I do? The Internet faces a dire new vague threat. Forget any tripe you've heard about a horrifying new way to take over a few web servers run by native Americans — and forget any tripe you've heard about a horrifying old way to take over a few web servers run by native Americans — because a bigger threat has surfaced. Way bigger. Hugantic! Gimongous! A threat so big, it dwarfs even an expired website security certificate.
The very fate of the Internet now lies in the hands of the most respected computer security expert on the planet. I'm talking about none other than Theo de Raadt, of course! Quadrillions of Internet users worship Theo de Raadt as a living deity. Angelic music echoes from the heavens when He types His prophecies on a keyboard! I myself am unworthy to touch the holy vessel known as Theo de Raadt, but I will genuflect and then prostrate myself on the ground if I ever receive an audience with Him. I would give my life to save Theo de Raadt from so much as a paper cut. I would gladly volunteer my body to science as the second male pregnancy candidate if I could carry Theo Jr. in my synthetic womb...
So where was I? (Aha.)
MANKIND'S BLESSED GIFT came forth to announce the coming Cybergeddon. I am not worthy to interpret Theo de Raadt's vague cries of alarm, so I will reprint them here verbatim. (Heathens may click here to skip over the holy vessel's immortal words.)
NERDITICUS CHAPTER 15:
The Uncleanness of OpenSSH
Umpteenth Letter from Theo to the Nerdinthians
[1] There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week.
[2] However, I can say that when OpenSSH's sshd(8) is running with priv seperation, the bug cannot be exploited.
[3] OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches.
[4] However, everyone should update to OpenSSH 3.3 immediately, and enable priv seperation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file:
UsePrivilegeSeparation yes
[5] Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand?
[6] 3.3 does not contain a fix for this upcoming bug.
[7] If priv seperation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us.
[8] Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot of that runs as root. But when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privs. This makes the daemon less vulnerable to attack.
[9] We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter — it is just so funny). HP's representative was downright rude, but that is OK because Compaq is retiring him. Except for Solar Designer, I think none of them has helped the OpenSSH portable developers make privsep work better on their systems. Apparently Solar Designer is the only person who understands the need for this stuff.
[10] So, if vendors would JUMP and get it working better, and send us patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday which supports these systems better. So send patches by Thursday night please. Then on Tuesday or Wednesday the complete bug report with patches (and exploits soon after I am sure) will hit BUGTRAQ.
[11] Let me repeat: even if the bug exists in a privsep'd sshd, it is not exploitable. Clearly we cannot yet publish what the bug is, or provide anyone with the real patch, but we can try to get maximum deployment of privsep, and therefore make it hurt less when the problem is published.
[12] So please push your vendor to get us maximally working privsep patches as soon as possible!
[13] We've given most vendors since Friday last week until Thursday to get privsep working well for you so that when the announcement comes out next week their customers are immunized. That is nearly a full week (but they have already wasted a weekend and a Monday). Really I think this is the best we can hope to do (this thing will eventually leak, at which point the details will be published).
[14] Customers can judge their vendors by how they respond to this issue.
[15] OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. On OpenBSD privsep works flawlessly, and I have reports that is also true on NetBSD. All other systems appear to have minor or major weaknesses when this code is running.
[16] (securityfocus postmaster; please post this through immediately, since i have bcc'd over 30 other places..)
(I reprinted Theo de Raadt's vague prophecy in small type. True believers would gladly squint just to read the words that flow from His holy keyboard.)
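Verse [4] of the letter comes down to one line in /etc/ssh/sshd_config, and a later `yes` does not help if an earlier `no` is already in effect, because sshd uses the first value it obtains for each keyword. The audit below is an added example, not part of the original column or of OpenSSH; the function names and the sample file are constructed for illustration, and the `sandbox` value it accepts comes from later OpenSSH releases than the one the letter discusses.

```python
import re

KEYWORD = "useprivilegeseparation"

# Constructed sample: a commented-out "yes", an active "no", and a later "yes".
SAMPLE_CONFIG = """\
# UsePrivilegeSeparation yes
Port 22
useprivilegeseparation = no
UsePrivilegeSeparation yes
Match User backup
    X11Forwarding no
"""

def effective_privsep(config_text):
    """Return (value, line_no) for the first global UsePrivilegeSeparation
    directive, or (None, None) when the keyword is never set."""
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no setting
        # "Keyword value" or "Keyword = value"; keywords are case-insensitive.
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break  # global section ends at the first Match block
        if key == KEYWORD:
            # Assumption of this example: the value is compared case-insensitively.
            return arg.lower(), line_no
    return None, None

def audit(config_text):
    """Classify the effective setting as ENABLED, DISABLED, UNSET or INVALID."""
    value, _ = effective_privsep(config_text)
    if value is None:
        return "UNSET"  # the build's default applies; check the installed version
    if value in ("yes", "sandbox"):
        return "ENABLED"
    if value == "no":
        return "DISABLED"
    return "INVALID"

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG), effective_privsep(SAMPLE_CONFIG))
```
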
Don't listen to cultists who would scoff at the blessed Prophet! Those heathens cling to precious illusions of safety. Cybergeddon awaits, I tell you!
My Gulf War dogtags list "OpenSSH" as my religious preference. I worship at the altars of OpenBSD's OpenSSH server software and F-Secure's OpenSSH client software. Therefore, I expect to ascend bodily into heaven when our deity trumpets the actual arrival of the Cybergeddon. And Theo de Raadt will trumpet the actual arrival of the Cybergeddon, I can assure you. Don't listen to non-OpenSSH cultists who would scoff at the blessed Prophet! Those heathens cling to precious illusions of safety. Cybergeddon awaits, I tell you! Theo de Raadt Himself proclaimed it in appropriately vague terms. I myself will face the cleansing firestorm with open arms. Prepare for the coming doom, my brothers and sisters! The end is nigh! So spake the holy vessel known as Theo de Raadt. Amen.
OH, BY THE way — if you don't know Him from Adam, then you are a heathen and you deserve to writhe in agony when the holy firestorm consumes your fetid PC.
[Credit where due: TdR cult member Arrigo Triulzi planted the seed for this column when he accused me of blasphemy against the Prophet. TdR's reference to "seperation" in the uncleanness of OpenSSH led me to pilfer Leviticus 15:26-28 from the Holy Bible (which I pilfered from a Holiday Inn). Faithful Vmyths readers who cite TdR's letter should link to this column and use proper biblical notation (e.g. Nerditicus 15:9-10). I swiped the ascension joke from the almighty Cecil Adams. Last but not least, you'll notice Hebrews 13:8 talks about vague computer security prophecies. (Ha!) Now if you'll excuse me, I'm off to Confession...]
[Audio credits: "Jerusalem" clip (Parry, Blake; Arr. Hawksley) used with permission, www.hawksley.net; record scratch used with permission, PartnersInRhyme.com.]