Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security GNU is Not Unix The Internet

Remote Root Exploit In lsh 445

skookum writes "After last week's OpenSSH patch-fest, a lot of people suggested GNU lsh as a replacement. Unfortunately, it seems that the lsh team has recently discovered a heap overflow bug of their own that can lead to compromise. An exploit was posted to BugTraq two days ago. Happy patching."
This discussion has been archived. No new comments can be posted.

Remote Root Exploit In lsh

Comments Filter:
  • Ha-Ha (Score:4, Insightful)

    by Anonymous Coward on Sunday September 21, 2003 @01:20AM (#7015951)
    I find it entertaining that the GNU zealot hippies suggest lsh as a replacement. That's like suggesting that the HURD is a replacement for the Linux kernel. Always trying to one-up the *BSD people by making something "more free", but never living up to the hype.

    BTW, *who* uses lsh????
  • by evn ( 686927 )
    We should all take this to heart; any computer that isn't turned off and locked in a safe at the bottom of an ocean on jupiter should be considered insecure, and even then...
  • by Anonymous Coward
    Does it exist solely because of the non-GNUness of other implementations?

    What idiots.
    • by divec ( 48748 ) on Sunday September 21, 2003 @03:52AM (#7016443) Homepage
      Does it exist solely because of the non-GNUness of other implementations?

      When lsh was started, OpenSSH didn't exist. The original SSH was free till version 1.2.12, but was then put under a more restrictive licence. The licence on ssh version 2 was more restrictive still (I think it wasn't even free-as-in-beer). lsh was intended to be a Free, Open-Source replacement to ssh.


      Then the OpenBSD people took the old, free 1.2.12 version of ssh, fixed all the known bugs which had accumulated since that release and updated it with the new features in the SSH protocol. This is OpenSSH.

  • by Overly Critical Guy ( 663429 ) on Sunday September 21, 2003 @01:23AM (#7015970)
    Nothing is 100% secure, nothing is flawless, all operating systems are imperfect pieces of junk we're lucky to have running in the first place.
    • by GammaTau ( 636807 ) <jni@iki.fi> on Sunday September 21, 2003 @01:34AM (#7016021) Homepage Journal

      Nothing is 100% secure, nothing is flawless, all operating systems are imperfect pieces of junk [...]

      Which is why software monoculture is bad. The existence of competing implementations is always a good thing whether it's OpenSSH vs. GNU lsh or something else. That way not everything is compromised in one swoop once a new security flaw is discovered.

      • by ScrewMaster ( 602015 ) on Sunday September 21, 2003 @08:35AM (#7017111)
        I might add that this philosophy applies to organic systems as well, and for the same reason. A sufficient degree of diversity in any population, whether it be microbes, human beings, or operating systems, helps assure that no single pathogen can be totally destructive. Certainly, in this modern age of world-wide non-OS-specific internetworking protocols and data interchange formats, we should promote operating-system diversity as an additional level of safety.

        I see many large corporations enforcing enterprise-wide standards. That is, everyone will run the same version of Windows, with the same applications software, same service packs, same anti-virus and firewall software ... which just means that when one machine does get compromised the entire organization is at risk. On the other hand, this situation is very convenient from the IT professional's point of view, so there is some argument for it. But I maintain that having a mix of operating systems, applications and protective software can provide more security than a more homogenous approach, and security is what we all want, right? Right?
    • Nothing is 100% secure

      Oh [cr.yp.to] really [cr.yp.to]?
    • by RoLi ( 141856 ) on Sunday September 21, 2003 @04:08AM (#7016474)
      nothing is flawless

      Nobody ever claimed it would be.

      However I've personally experienced that many systems are more secure than others. Almost all security problems on Unix didn't affect me (like this, BTW. This is actually the first time I've ever heard about lsh) and often were hyped up. In the meantime I get tens of Windows-Virus-mails and attemted IIS infections per day.

      The true conclusion:

      Windows is like a 50 year old car without safety belts, Unix is like a modern Volvo with safety belts and airbags.

      Neither car is "flawless" and you can die in the Volvo too.

      • by Overly Critical Guy ( 663429 ) on Sunday September 21, 2003 @12:25PM (#7018434)
        Nobody ever claimed it would be.

        You do visit Slashdot, don't you? It is claimed all the time. The prevailing attitude and anecdotal evidence about how secure Linux is and how insecure and unstable Windows is runs through every discussion thread even remotely involving anything Microsoft. A large part of this site is just reactive hysteria to "Microsoft worms." Heck, whenever there's an X-Box article, you get the requisite hundreds of "jokes" about green screens of death.

        You claim to get virus-mails, which usually require user intervention to spread. Then you mention IIS intrusions, despite the fact that Slashdot recently posted an article called "Linux Most Attacked Server?" which showed Linux was the most breached operating system on the net.

        The true conclusion:

        Windows is like a 50 year old car without safety belts, Unix is like a modern Volvo with safety belts and airbags.


        No. The true conclusion is that your personal disdain for Microsoft products in an OS war doesn't matter in the end. All operating systems are insecure and vulnerable. They are equal.

        The true heart of security lies in your system administrator. Period.
  • That's it (Score:5, Funny)

    by Anonymous Coward on Sunday September 21, 2003 @01:24AM (#7015973)
    I am switching to a vendor, who takes security seriously [microsoft.com]. Enough of this patching crap.
  • by Anonymous Coward on Sunday September 21, 2003 @01:24AM (#7015974)
    Between MS worms, SSH, and this I am throwing down my keyboard...

    Oh wait is that a new slashdot article?

    I might be able to get first post...
    • Between MS worms, SSH, and this I am throwing down my keyboard...

      Oh wait is that a new slashdot article?

      I might be able to get first post...


      Well, I guess you'll have to settle for frosty piss instead.
  • by Anonymous Coward on Sunday September 21, 2003 @01:25AM (#7015980)
    We have a GNU ordained version of the SSH protocols when OpenSSH is doing a fantastic job?

    Even if you are going to argue the BSD vs. GPL license issue, the lsh devs could have just taken the OpenSSH code, made some slight changes, and re-released it under the GPL.

    So again I ask: Why?
    • Pick one of: "Because they could", "Why not?", or "It seemed like a good idea at the time".
    • It's good to have competing implementations of critical protocols like this, to avoid monoculture.

      See, if everyone had been using OpenSSH, then an exploit against an OpenSSH vulnerability would have worked everywhere. This way, the script kiddies need to come up with two separate exploits, and try to figure out which one is applicable for any given system.

      Of course, it looks like this lsh vulnerability is much worse than the OpenSSH theoretical vulnerability was, but the ecological argument still perta

      • The five people on the planet using ish really slowed down those who sought to exploit the ssh vulnerability.
        • Re:oh, right (Score:5, Interesting)

          by jonabbey ( 2498 ) * <jonabbey@ganymeta.org> on Sunday September 21, 2003 @02:55AM (#7016324) Homepage

          The number of users of lsh today is immaterial to the question of justification for the lsh team's efforts, really. Ssh is critical stuff to have.. we have alternatives in mail transport servers, ftp servers and clients, web servers, programming languages.. why in the world not for free ssh implementations?

      • Of course, you could also argue that having multiple implementations of the same tools increases the likelihood of vulnerabilities. It stands to reason that as the number of projects increases, so will the number of security holes as a whole.

        Regardless, I doubt that increasing security via more alternatives was the reasoning behind starting this project. I would much rather see these developers group together to debug problems and eliminate security issues.
    • by lcs ( 61658 ) on Sunday September 21, 2003 @02:30AM (#7016243) Homepage
      I, like the author of lsh, is a member of the same
      computer society, Lysator, and I happen to remember
      reading about the early lsh developments.

      It was started in August 1998, and that's as far
      as I know, several months if not years before
      OpenSSH was started.
    • Because GNU Ish was created before OpenSSH. It's as simple as that.
  • GPL? (Score:2, Insightful)

    by ashkar ( 319969 )
    Why would anyone voluntarily use software liscenced under the GPL when there is a much better, more servicable, and well tested application that runs under a less restrictive liscence? With the speed OpenSSH was patched, what is there to complain about. I mean, people still use sendmail with its track record of security bugs galore. It's unlikely anyone will switch because of a single bug.

    BSD, the way the world is supposed to be.
    • Because security through denial is not security.

      Theo has a horrible track record, I wouldnt trust him to secure my porn collection. That openssh hole wasnt the first remote root on openbsd, just the first one that was too big for theo to deny and silently patch to keep his ego up.
      Compare old(vuln) talkd in openbsd to current.
      No security professional worth anything would honestly say they trust any code theo is at all responsible for.

      For anyone looking for a good alternative: telnet over an ssl tunnel or v
    • For the very same reason companies found alliances around Linux but usually ignore BSD.

      BSD can be highjacked anytime (exactly what happened to Unix) and it doesn't protect you from patents.

      The GPL is a true hassle-free "no-sue" license.

  • Telnet (Score:5, Insightful)

    by Henry V .009 ( 518000 ) on Sunday September 21, 2003 @01:28AM (#7016000) Journal
    I was going to repeat "switch to Telnet joke" that I made last time, but I just can't get up will this time. These bugs are killing us. I seriously think that we need to take some time to consider how Open Source projects do security. The "more eyes" mantra doesn't cut it. We need security models, standards, testing, and god knows what else. We need to look at which projects have been successful, and which have been miserable security failures. I know the open source community can do a lot better.
    • Re:Telnet (Score:4, Insightful)

      by daeley ( 126313 ) * on Sunday September 21, 2003 @01:36AM (#7016031) Homepage
      While I would agree with you in the abstract that the open source community can do a lot better on some things, the bug was confirmed 2 days ago and patched immediately. Good software !== no bugs ever.
      • Re:Telnet (Score:4, Funny)

        by quantaman ( 517394 ) on Sunday September 21, 2003 @02:00AM (#7016131)
        Good software !== no bugs ever.

        Just like good posts don't require logical operators that actually exist.
    • Re:Telnet (Score:5, Informative)

      by runderwo ( 609077 ) <runderwo.mail@win@org> on Sunday September 21, 2003 @01:38AM (#7016045)
      I seriously think that we need to take some time to consider how Open Source projects do security. The "more eyes" mantra doesn't cut it.
      Um, how do you think this problem was spotted? Read the mailing list post. There was a pair of eyes that found the bug, and he subsequently posted to the list.

      In addition, a fix was checked in within four hours. 14 hours later, exploit code was posted to SecurityFocus, in the afternoon. Any admin who checked the lsh mailing list in the morning would have seen the error and the fix, and been well ahead of the exploit.

      • Re:Telnet (Score:4, Funny)

        by cscx ( 541332 ) on Sunday September 21, 2003 @01:55AM (#7016114) Homepage
        Any admin who checked the lsh mailing list in the morning would have seen the error and the fix, and been well ahead of the exploit.

        Don't you mean "the admin," or is there really more than one person using lsh?
      • Re:Telnet (Score:3, Insightful)

        by Bronster ( 13157 )
        In addition, a fix was checked in within four hours. 14 hours later, exploit code was posted to SecurityFocus, in the afternoon. Any admin who checked the lsh mailing list in the morning would have seen the error and the fix, and been well ahead of the exploit.

        #include <standard f&*(ing merkin who thinks the world is all merkia>

    • Re:Telnet (Score:3, Interesting)

      by matusa ( 132837 )
      It seems to me that the only projects which can attest to an admirable security record are the ones that not only pursued security with a paranoid fervor for the entirety of their development, but furthermore were envisioned/designed with security as a prime consideration and can comment on security as a foremost issue in basically any context. If you go through examples in your head (postfix, openssh), you'll realize what I say.
    • Re:Telnet (Score:5, Insightful)

      by ajs ( 35943 ) <[ajs] [at] [ajs.com]> on Sunday September 21, 2003 @02:10AM (#7016157) Homepage Journal
      These bugs are not killing us. In fact, they're helping us to make our code stronger.

      I'm so sick of the "there are bugs in it, let's switch" mentallity. There are bugs in every piece of software ever written. Why? Because human beings have a hard time specifying exactly what they want.

      Sometimes those bugs are dangerous (as in buffer overflows), but if you look at your average piece of source code long enough -- source of ANY number of lines -- I bet you can find a bug in it.

      So, we should all switch to the abacus? No, we should all make sure we spend time and money on the problem of finding bugs before the black-hats do. And that's why I buy software like Red Hat... because they actually spend some of that money on auditing for security, and I like the results (many bugs found and killed).
      • Re:Telnet (Score:3, Insightful)

        by zangdesign ( 462534 )
        I think the idea here was that security should be considered at every step of the way, which is absolutely true. While the speed of fixing the bug is certainly commendable, it should not have been there in the first place as this is a fairly common mistake.

        I can understand it from someone new to programming, but if it's going to be something that is touted as being secure, that should be the first consideration in every line of code. Especially if it's something that allows deep access into the system.

        I r
    • >The "more eyes" mantra doesn't cut it.

      You are exactly correct. In fact I would be wary about a working exploit posted within hours and a patch a little after. That leaves x amount of time for someone with a compiler and ten minutes to try to compromise me. But, these things happen. Its software, its supposed to happen.

      If you're running remote admin apps without another layer of protection for redudancy like a VPN tunnel to your firewall, IP range blocking, etc you aren't properly defending yoursel
    • How about the Open Source community just hire Dan Bernstein to code up all the software. Sure, it might not be quite as free as RMS would like, but if every product had the same number of security flaws that have been discovered in qmail (for those sleeping at the back of the class: zero), I could certainly live with the trade-offs.
      • number of security flaws that have been discovered in qmail (for those sleeping at the back of the class: zero)
        Number of security flaws acknowledged by DJB, you mean? It might hurt your religious feelings, but even the holy qmail is not perfect [uni-dortmund.de].
    • Re:Telnet (Score:4, Interesting)

      by Spy Hunter ( 317220 ) on Sunday September 21, 2003 @05:52AM (#7016721) Journal
      Time and time again, it has been proven that software written in C will be insecure. If you don't take extraordinary precautions which are far too inconvenient for most programmers to accept, you *will* have security holes in a network service written in C. And if you do take those precautions, they will interfere with the goal of providing a feature-rich, modern, up-to-date piece of software. Why oh why hasn't there been a move toward writing network services in languages which make most common kinds of security holes impossible? A SSH server written in Java will have zero buffer overflows. Nada. Zilch. It won't have any double-free bugs, or stack-smashing attacks of any kind. That way, developers can focus on fixing the logic bugs and implementing new features.

      It's very easy to understand. If you write your server in a language that prevents several common sources of root exploits, then the number of root exploits present in your code will be dramatically reduced. I would definitely be willing to put up with a server that was twice as slow if it had no possibility of buffer overflows, ever.

      • Re:Telnet (Score:5, Informative)

        by groomed ( 202061 ) on Sunday September 21, 2003 @10:33AM (#7017644)
        Sigh. The language card again. OK.

        Java. Won't have any double-free bugs or stack-smashing attacks. But offers great potential for deadlock bugs due to the braindead IO model. And explodes in out of memory situations -- not unlikely given the tens or hundreds of MBs the Java runtime consumes. Further exacerbated by the ease with which memory is leaked. Then there are the subtle but devastating differences between the various Java runtimes. As well as the fact that the same isolationist principles that make Java immune to buffer overflows also make it very hard to interact meaningfully with the file system (ever tried setting creation dates on a file? ownership?).

        Yeah. Java.
    • Re:Telnet (Score:3, Interesting)

      I full heartedly agree. For home use and most small things the whole find the problem, patch it quick and upgrade system works really well. The code is getting much better but if you're deploying a producting system in an important business environment it's not always so easy. For real production stuff you've probably been safer with telnet instead of ssh over the last few years because the weaknesses of most telnet deamons require sniffing which is a solvable problem in other ways and it's much harder f
  • I have to laugh (Score:4, Interesting)

    by kakos ( 610660 ) on Sunday September 21, 2003 @01:29AM (#7016005)
    All the people that were saying that the lsh code just 'looked' better than the OpenSSH code, a word of advice: looks don't mean jack or shit.

    I don't know much about the development process of lsh, but I'm betting it doesn't do any security audits like OpenSSH does.
    • Re:I have to laugh (Score:5, Insightful)

      by cduffy ( 652 ) <charles+slashdot@dyfis.net> on Sunday September 21, 2003 @02:19AM (#7016195)
      looks don't mean jack or shit.

      In code, looks mean quite a lot.

      Cleaner, more readable code is easier to audit.
      Cleaner, more readable code is easier to bugfix.
      Cleaner, more readable code is easier to add features to.
      Cleaner, more readable code is simply Good Stuff.
    • Hi Mister BSD user. Of course LSH team found their bug purely by random, while the openssh through dilegent code review spotted their bugs right behind each other. (forcing all users to go through two upgrade cycles in quick succession, just bad luck I guess but still annoying)

      You see BSD is good and pure, sure nobody is talking about it but then nobody ever talks about good security. Good security goes unnoticed and unapreciated.

      Gnu team can not hope to compete, bunch of beared hippies. Why if only they

  • by Coryoth ( 254751 ) on Sunday September 21, 2003 @01:30AM (#7016007) Homepage Journal
    Okay, there's a hole here, that's definitely bad. Still it would be nice if lsh could manage to gain some share of the ssh market. It has worried me for a while that OpenSSH has become the standard, which, unfortunately, creates a monoculture. A monoculture of ssh implementations is as vulnerable to massive infection as a monculture of windows boxes (okay, maybe windows has more holes, but its the massive part I'm concerned with).

    If the market on ssh implementations was a little more split, it would be a little more difficult to write a worm that could wreak utter havoc. Repeat after me: Monoculture is bad.

    Jedidiah.
    • Still, I'm not about to choose one implementation over another simply to add diversity. I'm going to pick the one I think is the best. Perhaps the reasons I use are wrong, and I probably don't know all the facts. But I tend to trust OpenSSH more then the other implementations. So I'm going to use OpenSSH. Period. I choose what I do because I don't want to deal with a worm at all. Not because I want to set things up so that when I do get a worm, it's only me and half of the sshd servers out there, rather t
  • by kcbrown ( 7426 ) <slashdot@sysexperts.com> on Sunday September 21, 2003 @01:35AM (#7016023)
    ...you'd think that developers would finally know how to write software that doesn't have such vulnerabilities.

    But unfortunately we don't seem to have made that much progress, despite the reasonably large number of development tools we have that address such issues (including anything from memory debuggers to string libraries). I mean, really ... people are still writing these things in C ... in the 21st century! I'm a big fan of picking the right tool for the job, but I think it should be clear by now that C isn't the right tool for writing secure software. There are simply too many ways to screw up.

    I think it's time we started writing system software (that is, software which provides services but which runs as a process under the OS) in a language which doesn't have these problems. And if a suitable language is unavailable, that argues strongly for creating that language.

    You might still have to worry about buffer overflow exploits against the kernel, but that's a much more manageable problem.

    • Took the words right out of my mouth. For large scale software that's this critical, we really need more safety guarantees to achieve adequate confidence that it's secure. That rules out C.
    • yes, move all system software(gnu tools, bash scripts) to ada! if it is good enough to run a strike fight it is good enoug to run my computer
    • OpenBSD is getting VERY close. It's taken a lot of design thought, a lot of eyes, a lot of manpower, and a lot of time, but OpenBSD is getting very close.

      I'll agree that C lends itself to these things, but its the standard for a number of reasons, and frankly, anything else will introduce the same types of problems.

      Building on what we have makes the most sense, and given a bit more time, I'm confident that OpenBSD will be there.
      • I'll agree that C lends itself to these things, but its the standard for a number of reasons, and frankly, anything else will introduce the same types of problems.

        There will always be security vulnerabilities in software, of course. But buffer overflows are a class of vulnerabilities that simply shouldn't exist. C is unsuitable for system software because there are far too many ways (both subtle and gross) to wind up with buffer overflow bugs. It's what happens when the language is designed to make

        • by vt0asta ( 16536 ) on Sunday September 21, 2003 @09:10AM (#7017225)
          First things, first. C was meant to be a highly portable version of assembly. C successfully facilatated porting operating systems AND applications that used those operating systems.

          People often think of C the wrong way, and that is often because languages considered "safe" borrow heavily from C syntax. If you have ever programmed in assembly/machine language, you know the programming bugs can do quite nasty and unexplained things (sometimes much worse than a buffer overflow). However, having coded in assembly one often becomes more rigorous with their coding, that same rigor is what is needed to carry over to C, and is what is lacking with some of the C coders of today.

          Second, system software also often needs a low memory footprint. System developers often want to know where every little bit of memory went, and often find compiled code barely tolerable. Not everyone can afford the luxury of loading a perl, python, java, byte code interpretor du jour just to send and read data, manipulate strings, and do stuff with files.
          System software is very different from operating systems, and calls for a different language.
          Maybe you're right, problem is, many have tried almost all have failed to gain popularity for systems coding. Big problem for your argument and for developers who know, almost all of those different languages were first written in...drum roll...."C".
    • by 2Bits ( 167227 ) on Sunday September 21, 2003 @02:03AM (#7016140)
      That was something on my mind, when the problem was announced for openssh.

      One thing we could do would be to "deprecate" funtions/modules that are known to be insecure, a la Java, and phase in the more secure ones. Like those old string manipulation funtions, if we can't make them secure and have already introduced something better, why not phasing them out?

      And make the compiler flag it when it finds any deprecated functions.

      Introduce this phase-in period over 2 to 3 years, that should be enough time for everyone to update their software, if that software is still maintained. And it's not maintained anymore, you prolly should be looking for something new anyways, unless your machine is not connected to the network, and you do not (absolutely not) introduce any new component to the system, or unless if you don't give a damn that the machine is owned.

      If we are conservative, maybe introduce the phase in/out period longer, like 5 years or so.

      I don't really give a darn about maintaining backward compatibility at all cost. Backward compatibility is good, but not at all cost. Software is an evolving thing. I code for a living, it sure is a pain, but sometimes, I just feel it's necessary to cut the bond and move to the next level.
      • I already have a compiler that can flag deprecated functions. This magical compiler is known as "gcc", and it has even been included on some Linux systems, recently.

        #warning Ignorance is embarrassing
        • Yeah, but after the phase-out period, you really have to remove the deprecated functions, not just leaving them there forever. That would force everyone who maintains softwares to upgrade.

          And this deprecation mechanism must be emphasized. If the functions are known to be insecure and not fixable, this has to be emphasized. Like in Java, when the class or method is deprecated, it's really explained why (e.g. not secure, not thread safe, etc), and points to the replacement.

          The C/C++ community does not seem
      • by fw3 ( 523647 ) * on Sunday September 21, 2003 @06:03AM (#7016737) Homepage Journal
        There are several available solutions to this

        Libsafe, one of the oldest use LD_PRELOAD to replace the dozen-odd most often problematic library functions with safe/checked versions. It's been available for several years. Requires no code modifications (beyond setting the LD_PRELOAD env).

        Propolice, stackguard, patches to Gcc / kernel provide various stack protections. Propolice has been built into OBSD for about a year now. These require object recompilation. PaX provides various randomizations thru the kernel. All fo these significantly complicate the attakers task.

    • by Chester K ( 145560 ) on Sunday September 21, 2003 @02:41AM (#7016283) Homepage
      I think it's time we started writing system software (that is, software which provides services but which runs as a process under the OS) in a language which doesn't have these problems. And if a suitable language is unavailable, that argues strongly for creating that language.

      Careful there tiger, you're starting to sound exactly like Microsoft --- that's what they're in the middle of doing with C#; and we certainly don't want to imply that the OSS community needs to play catch-up with Microsoft when it comes to security practices.
    • C doesn't impose measures against buffer overflows, but that doesn't mean it is prohibitively difficult to implement them.

      You can easily find information on how to avoid buffer overflows, such as in this article [linuxjournal.com].

      However, the developers in the lsh project (for example) do not appear to have given this subject much thought. In the lsh manual, the chapter on Threats [lysator.liu.se] silently assumes the software works as designed. It does not mention protection against exploits such as buffer overflows.

      And the coding sta

      • Problem is, 90% or more of programmers are just too lazy to do the work necessary to secure their programs. Now, it would be nice if we could just convince all of them to work harder, but realistically we're probably going to have to deal with programmers being notoriously lazy forever. On the other hand, there are many programming languages out there which make it much, much easier to write secure code. If the computer industry were to move to one of these languages, there would simply be far fewer secu
  • A replacement for C? (Score:4, Interesting)

    by guacamole ( 24270 ) on Sunday September 21, 2003 @01:41AM (#7016054)
    Does there exist a good replacement for C? Obviously, things aren't getting any better even though most programmers are aware of and try to avoid various types of typical C problems like buffer overflows, "off by one" errors, "double free" errors, fmt string vulnerabilities, etc. This language should be reserved for low level programming tasks like OS and compiler development only. For other tasks we need an efficient, portable language with automatic memory management, easy string handling, and object oriented facilities. For efficiency reasons, I think that Java or scripting languages like Pythnon are not a good replacement for C. What other alternatives are out there?
    • Common LISP, of course.
    • Java isn't really _that_ slow. There's a java SSH client I've used that runs as an applet that is small and fast. We aren't running 386s anymore, and encryption just doesn't take up that much processing power.

      Maybe a C or C++ ssh daemon would take half the CPU time as one written in Java, but who cares when it's taking up less than 1% of the CPU? Memory and processor are cheap, having your system rooted is expensive.
    • by cduffy ( 652 ) <charles+slashdot@dyfis.net> on Sunday September 21, 2003 @02:37AM (#7016268)
      A good replacement for C, eh? How 'bout C [att.com]? Or, say, C [wisc.edu]?

      Honestly, though: For low-level programming, there *is* no good replacement for C, for a simple reason: the same power that makes it dangerous is also the power that makes it useful. For high-level programming, there are lots of good replacements -- and you just mentioned, and wrote off, two of the best of them.

      Java is getting better (witness the presence of the NIO API in 1.4), and I've got strong hopes for C# and its kin -- but part of what makes C# so useful is its simple API for access to C libraries, something that Java makes much harder. That said, for almost all of the high-level programming I do, I use Python (except at work, where I don't always get to pick; in the cases where I don't have the choice, I write Java).

      Sure, Python and Java aren't suitable for low-level work -- but that's what C is good for. And since calling from Python down to C is simple, writing optimized versions of performance-sensitive routines is easy, in the rare event that it actually needs to be done (which has, in my five or so years of writing Python, happened all of once, when I needed some efficient drawing routines which were most readily available from a C library without preexisting python bindings).

      Compiling Java to native code with GCJ also decreases the startup-time and runtime performance penalty without sacrificing type-safety -- and works for applications using an increasingly large subset of the available APIs.

      Scheme is another language that many folks are too quick to write off. Not only does the language have the expected type-safety goodness -- but compiled scheme can be *very* fast. (On the down side, the lack of a useful standard runtime library is very disappointing).

      So, yes, for high-level stuff, there are lots of alternatives... but what are you going to write your Python interpreter or low-level libraries in? For some jobs, there's still no good replacement for C. (Further, I'm not by any means convinced that low-level work *should* be done in an OO language... but that's a different conversation).

    • Does there exist a good replacement for C?

      At the risk of having my head handed to me... C++? I'm kinda fond of it.

  • Thank God! (Score:5, Funny)

    by Unominous Coward ( 651680 ) on Sunday September 21, 2003 @01:44AM (#7016068)
    I am even more glad than ever that I use telnet!
  • by Build6 ( 164888 ) on Sunday September 21, 2003 @01:45AM (#7016076)
    I remember reading the alert for the OpenSSH bug, where one of the options listed was to upgrade to lsh - not "change to", "try using", or anything of the sort, but "upgrade" - and I thought then that that demonstrated an unnecessarily... high-horse-y attitude. I'll bet they regret saying that now... . Humility really IS the best policy.
  • What is lsh?

    Is it just a different implementation of ssh2, or is there more to it than that?
  • by coene ( 554338 )
    Who would say such a thing? Are you high? Low blood pressure not getting enough of the red stuff to your brain?

    You cannot beat the OpenBSD/OpenSSH coding standards, audit process, or documentation. Every software will have bugs, but replacing it with something more likely to have bugs, with a more restrictive license, less documentation, and next to no track record isnt a good idea just because it has "GNU" in it's name.
  • How about FreSSH? (Score:3, Interesting)

    by Dahan ( 130247 ) <khym@azeotrope.org> on Sunday September 21, 2003 @02:04AM (#7016143)
    Anyone up to finding a root hole in FreSSH [fressh.org], another SSH implementation that nobody's heard of? :)
  • lsh? (Score:2, Funny)

    Hey, for gentoo users, if a piece of software is not in portage tree, it never exists.

    At least that's how I feel.

  • So can someone tell me why the lsh project exists, and what advantages it offers? The perceived security advantage has evaporated with this real exploit vs openSSH's theoretical exploit. Beyond any idealogical GNU license masturbatory issues, why run lsh? Does it offer features that openSSH doesn't?
  • Smug. (Score:5, Insightful)

    by Alioth ( 221270 ) <no@spam> on Sunday September 21, 2003 @03:12AM (#7016370) Journal
    Serves those smug bastards right who were gloating the other day about how they use lsh and how it is so much better than OpenSSH. Hoist by their own petard, so it seems.

    I _never_ gloat about running different software to $COMPROMISED_SW of the day. Just because I run exim, I don't think I'm magically more secure than a sendmail user. Exim users must keep up with the patches as well. Same goes for qmail. If you sit there smugly saying how superior your piece of software is, you're going to get bitten in the ass sooner or later, or at least end up looking very silly after all the gloating to find you're vulnerable too.

    Dudes, doesn't matter what you run: don't gloat about it - be paranoid about the security of what you run, and keep up with the patches.
  • by aliquis ( 678370 ) on Sunday September 21, 2003 @03:58AM (#7016454)
    Thought this is rather old news I never thought that anyone else could do an ssh application better then the one the openbsd team could bring out. I'm confident that they do their best and look thru the code very carefully and still this kind of things happen.
    I find it strange that there never seems to be an end of the openssh, apache, php, sendmail and mysql vulnerabilities. I suppose it's just damn hard to write secure code all the time. I blame the C language a little for this, should you really have to be this careful all the time? Do you really have to reinvent the wheel every single time?
    Imho c is just something you should use because the application you are editing already uses it or the teacher has told you so. There are lots of better languages out there. Can't understand all the complains on java for example.
    Does anyone have some suggestions about libraries, special functions, compiler mods and so on which make C programs a little more secure? Any suggestions of other languages which is available for different platforms but more secure and with less reinventing of the wheel all the time? The ones which come to my mind are as I said java and scripting languages like python, ruby and so on. But there got to be atleast one which isn't interpreted?
    Suggestions are more than welcome.
    • Yeah java, yippie, not like that never makes computers crash. (sorry freenet just crashed my pc again)

      C is like steel. Sure you can make cars from different materials. Sure certain cars are known to be unsafe. Certain cars are in fact known to be real deathtraps. These cars are made out of, shock and horror, steel!. Steel therefore is unsafe and we should all move to a different material. Then all cars will be safe and we can all rejoice in having squashed the evil and unsafe steel.

      C is a tool. Tools are

  • by Anonymous Coward on Sunday September 21, 2003 @04:05AM (#7016468)
    It is interesting to see the types of holes that have been found in OpenSSH to date - these are *far* beyond typical buffer overrun problems that some other software projects suffer. Because of its popularity, it has become an attractive target and thus something of proving ground for new attack methods - int overflows, malloc corruption / free() exploits. OpenSSH is getting the bugs slowly beaten out of it.
  • This bug doesn't surprise me - the previous line reads "EXCEPTION_RAISE ...". One would expect from the verb "RAISE" that it was going to jump out of line right there, and that the next line would be NOTREACHED.

    A proper fix for this would change the name of that EXCEPTION_RAISE macro to something that doesn't suggest out of sequence execution.

    Someone should grep through the source for lsh, and see if there are any other places where after this macro is called, the code really is expecting execution to

  • by Anonymous Coward on Sunday September 21, 2003 @07:12AM (#7016870)
    There's always Dropbear [ucc.asn.au], which seems fairly small and useful, and does SSH2.

    Mmmmm. monoculturelicious.

So... did you ever wonder, do garbagemen take showers before they go to work?

Working...