On 11/11/2015 08:15 AM, Roger Oberholtzer wrote:
> On Wed, Nov 11, 2015 at 2:07 PM, Anton Aylward wrote:
>> On 11/11/2015 04:56 AM, Roger Oberholtzer wrote:
>>> But, if it ain't broken...
>> Perhaps this is evidence that it is "broken".
>> Perhaps the fact that you are running old software that hasn't been brought up to date with the recent patches is an adequate definition of "broken"?
> I suspect that the way the Trojan got in was more to do with allowing ssh logins with passwords. This configuration would have been the same with a newer system. Installing a new version will not correct inadequate configuration. I will take blame for that. But I am not convinced about the age of the software leading to this. Especially as this specific trojan does not take advantage of any such that-is-old-and-it-has-been-fixed type of issue. It is more clever. It exploits bad configurations. For which, once again, I take the blame.
I will grant you that bad configurations (which probably includes lack of or weak authentication in its multitudinous forms) are in the top 5 security failings globally. But a walk through the CVE database will also highlight many flaws, including ones in libraries used by otherwise OK applications, that have been found and addressed. Please note that this also includes the Linux kernel, drivers and networking code. So your "Oh I've fixed the problem with ssh logins with passwords" is good going but inadequate. Rather like saying, on the Titanic, "Oh, we've now supplied the lookout with a set of binoculars...".
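As an added example, not from the thread or either participant: a POSIX shell audit of sshd_config text for the password-login settings Roger identifies as the way in. The two configs are constructed samples; against a live host you would feed it `sshd -T` output instead, and the Match-block handling is deliberately simplified (global section only).

```shell
# Added example, not from the thread: audit sshd_config text (stdin) for the
# password-login exposure discussed above. Prints findings; the return status
# is the number of weak settings, so 0 means none found.
audit_sshd_config() {
    # Strip comments and blank lines; stop at the first Match block, since
    # only the global section is audited here (an assumption of this example).
    config=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
             awk 'tolower($1) == "match" { exit } { print }')
    # sshd honours the FIRST occurrence of a keyword, so take the first match.
    first() {
        printf '%s\n' "$config" |
            awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }'
    }
    weak=0
    pw=$(first passwordauthentication); : "${pw:=yes}"   # sshd default: yes
    if [ "$pw" = yes ]; then
        echo "WEAK: PasswordAuthentication yes (logins can be brute-forced)"
        weak=$((weak + 1))
    fi
    root=$(first permitrootlogin); : "${root:=prohibit-password}"  # OpenSSH 7.0+ default
    if [ "$root" = yes ]; then
        echo "WEAK: PermitRootLogin yes (root reachable with a password)"
        weak=$((weak + 1))
    fi
    # With UsePAM yes, keyboard-interactive still prompts for a password even
    # when PasswordAuthentication is off, so it has to be disabled as well.
    kbd=$(first kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(first challengeresponseauthentication)  # older alias
    : "${kbd:=yes}"
    if [ "$kbd" = yes ]; then
        echo "WEAK: keyboard-interactive authentication enabled (PAM password path)"
        weak=$((weak + 1))
    fi
    return "$weak"
}

# Constructed sample configs: the first mirrors the situation in the thread.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes'
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
UsePAM yes'

printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "weak settings found: $?"
```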