[conspire] OpenSSH client 'roaming' bug
Rick Moen
rick at linuxmafia.com
Sat Jan 23 20:55:36 PST 2016
Quoting Paul Zander (paulz at ieee.org):
> Now I understand the email thread about malware.
>
> A weakness has been found. Here is how to patch the hole. Hopefully
> a better fix will be forthcoming. When it is, the standard package
> manager tools will install it. No need for everyone to run software
> looking for attempts to exploit the hole after it has been closed.
Well, yes.
Moreover, if there's a security hole, the problem is the _security hole_.
The problem isn't automated attack tools, crafted months or years
later, to exploit unpatched occurrences of that hole -- and certainly
isn't non-attack code that might -- _if_ a separate hole were exploited
-- be subsequently installed using that separate exploit, and then the
non-attack code run on your system by some mischievous person to do
unpleasant things using screen-capture and the system microphone.
Real security attempts to prevent, fix, and anticipate holes (security
problems). Fake security attempts to sell you software that searches
for minor after-effects of ignoring such holes.
That having been said, the OpenSSH 'roaming' bug was eyebrow-raising in
that it resulted from a dumb error from an organisation (OpenBSD
Foundation) that is normally a lot smarter.
--
Cheers,
Rick Moen
rick at linuxmafia.com
McQ! (4x80)

QA engineer walks into a bar. Orders a beer. Orders 0 beers. Orders 999999999 beers. Orders a lizard. Orders -1 beers. Orders a sfdeljknesv.
-- @sempf, https://www.sempf.net/post/On-Testing1.aspx
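The quoted text mentions "how to patch the hole" without showing it. As an added example (not part of the original thread, and not OpenSSH project code), here is the practical check and interim mitigation for the client roaming bug: OpenSSH clients 5.4 through 7.1 honour the undocumented roaming extension (CVE-2016-0777 and CVE-2016-0778), 7.1p2 removed it, and the published stop-gap for older clients was to set "UseRoaming no" in the client config. The function names, the temp-file handling and the sample config in the test are this example's own choices; the version parsing assumes the usual "OpenSSH_X.Y[pN]" form printed by "ssh -V".

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH itself.
# Two helpers: one decides whether an OpenSSH client version string falls in
# the affected range, the other idempotently disables roaming in an
# ssh_config-style file.

# Return 0 if "$1" (e.g. the first line of `ssh -V 2>&1`) names an affected
# client: 5.4 <= version <= 7.1, except 7.1p2 and later patch releases.
# Returns 2 if the string is not an OpenSSH version string at all.
ssh_client_is_affected() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\)\(p\([0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$v" ] || return 2
    set -- $v
    major=$1; minor=$2; patch=${3:-0}      # "6.6.1p1" parses as 6 6 (patch 0)
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 4 ]; }; then
        return 1                           # older than 5.4: roaming not present
    fi
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 1 ]; }; then
        return 1                           # 7.2 and later: roaming removed
    fi
    if [ "$major" -eq 7 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 2 ]; then
        return 1                           # 7.1p2 is the fixed release
    fi
    return 0
}

# Force "UseRoaming no" for every connection in the config file "$1".
# ssh_config is first-match: the first value seen for an option wins, so the
# directive is written as the very first line, ahead of any Host/Match block,
# and any stale global UseRoaming line is dropped. Per-host UseRoaming lines
# inside blocks are left alone; the global "no" already overrides them.
# Safe to run repeatedly.
disable_roaming_in() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    tmp=$(mktemp)
    awk '
        BEGIN { print "UseRoaming no" }
        /^[[:space:]]*(Host|Match)[[:space:]]/ { blk = 1 }
        !blk && tolower($1) ~ /^useroaming(=|$)/ { next }   # drop old global value
        { print }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"                    # keep the original file's mode/owner
    rm -f "$tmp"
}

# Example invocation against the real client (not run by the functions above):
#   ssh_client_is_affected "$(ssh -V 2>&1)" && disable_roaming_in "$HOME/.ssh/config"
```

The version check only tells you whether the client still contains the roaming code; the real fix remains upgrading to 7.1p2 or later through the package manager, after which the config line is harmless and can stay.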