public inbox for cygwin@cygwin.com
* Re: Security Documentation, SSH
@ 2000-01-16 17:02 John van V.
  2000-01-16 20:17 ` Chris Faylor
  0 siblings, 1 reply; 7+ messages in thread
From: John van V. @ 2000-01-16 17:02 UTC (permalink / raw)
  To: cygwin

Wow, maybe the language was a little strong but really folks...

The 8 millions dollars spent on a Manhattan apartment was real enough, and
stung like hell, I might add.  In 1990 I ended a 10 yr battle w/ realtors,
arsonists, corrupt police and crack gangs in the business of forced evictions
to try to help bring the world together with the newly emerging public network.
I was on board when Linus was still undergrad.

I have recently re-entered that battle because of bird poisonings which were
featured in National Geo special just yesterday.  There is no mystery as to who
is doing it as they implied, it is a coalition, if you will, of real estate
managers, I caught one red-handed where I live.  And Red Hat... oh well never
mind.

Really lame flames like:

> Where the &#*@&!#$ did you EVER get that idea?
and 
> Cygwin is free, you ingrate; appreciate what you're getting!

Can be answered by saying something like 

"you get what you pay for"

which is exactly what I hear whenever public s/w falters.  Usually it gets
followed by some remark about how easy it would be to replace the admin who
brought in the s/w in the first place.

Others like:

>you've suffered some kind of severe brain damage.

make you look like a &#*@&!#$ 'n newbie.  It's better to say something like "you
are obviously running low on cranial fluid."  And they said the net was dead.

Obviously this is not the first time I heard cygnus ask for huge sums for
minute work or I would not have phrased it the way I did.  About six months ago
I had to listen to a cygnus sales staffer literally scream the gnu copyleft
contract at me like it was the riot act.

She (oops) wanted $30,000 for a 5 minute fix which I got later that day from
the NOAA.

More numbers:
The cygnus buyout was for $700,000,000 dollars, read it, NEARLY ONE BILLION !!!

Red Hat was at $10,000,000,000 the last time I looked.  COUNT THE ZEROS !!!

My SSH suggestion was simple, it would mean going back to the code used in the
original source, NOT writing any new code.  Plus I hoped that hint would be
taken that perl fixes would be available from me for the admin side.

Admin and evangelism are all I do.  Everybody in the free s/w arena is still
scratching gravel w/ the exception of Red Hat and VA and cygnus.  Throw the
$8,000,000 apartment in and I do think I have a case in suggesting a tiny
security adjustment to SSH.

I don't want to get involved w/ cygnus internal affairs, but I will give the
following advice:

Security is the primary issue to IT executives.  Cygwin is a sellable product
because they, well, basically think Gates is something like God, despite recent
decisions by the DOJ and federal courts.  My boss wants it but...

> I don't live in New York.  I
> live in a house with a mortgage.  AFAIK, we've only got one NY employee
> and he has contributed more time to free software than anyone else I
> know.
> 
> I have to wonder if you are devoting your time so freely, why not devote
> a little of it to the Cygwin free software project?  If you want
> something done, then dive right in and do it.  I'll set up a mailing
> list for you if you want to do this.  I'll set aside space on our web
> and ftp servers.  I, personally, however, don't feel like taking on the
> this project as an after business hours venture right now.  I will
> applaud you or anyone else who wants to consider doing it.
> 
> The bottom line is that neither I, nor Red Hat, is obligated to embark on
> a project simply because you think it is a nifty idea.
> 
> >Linux and the whole public s/w venue is a gift, but only if the given
> >to keep on giving.
> 
> If you are going to imply something, why not come right out and say it?
> I have no idea what you're talking about.
> 
> Are you implying that Red Hat has not given enough to the free software
> community?  Are you saying Cygnus has not given enough?
> 
> Are you implying that if you see a need in a free software project then
> the developers should immediately jump on it and give you what you need?
> 
> Or is this just a lofty statement meant to inspire us towards greater
> effort towards working on Linux?  Hmm.  How did Linux suddenly enter
> this equation?
> 
> >Consider this in the light that it is meant.
> 
> You have used phrases like "getting a little tired of hearing this",
> made unsubstantiated assertions of million dollar apartments, and
> discounted the years of contributions to the free software community
> that Cygnus and Red Hat have made.
> 
> So, I am considering this in *exactly* the light in which it was meant.
> 
> -Christopher Faylor
> -Cygwin Engineering Manager
> -Red Hat
> 

=====
John van Vlaanderen

      #########################################
      #    CXN, Inc. Contact:                 #
      #    john@thinman.com, www.thinman.com  #
      #    1 917 309 7379 (cell, voice mail)  #                   
      #########################################
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Security Documentation, SSH
  2000-01-16 17:02 Security Documentation, SSH John van V.
@ 2000-01-16 20:17 ` Chris Faylor
  0 siblings, 0 replies; 7+ messages in thread
From: Chris Faylor @ 2000-01-16 20:17 UTC (permalink / raw)
  To: john; +Cc: cygwin

Thank you for your thoughtful analysis and interesting story.

As I mentioned, we will not be changing our statement regarding security
since we believe that most people are not as expert as you appear to be
and we do not feel that the current version of cygwin is secure enough
for a non-expert user.  On this we will have to agree to disagree.

As I also hope I mentioned, it is not impossible that Red Hat will
devote some time towards making Cygwin more secure.  I do not see it
happening anytime soon, however.  Personally, I have been devoting my
unsponsored Cygwin activities in other areas and do not see that
changing soon either.

I applaud your dedication to free software and wish you all of the best
in that endeavor.

cgf

On Sun, Jan 16, 2000 at 05:02:21PM -0800, John van V. wrote:
>Wow, maybe the language was a little strong but really folks...


* Re: Security Documentation, SSH
  2000-01-16  7:17 John van V.
  2000-01-16  9:31 ` Charles S. Wilson
  2000-01-16  9:47 ` Chris Faylor
@ 2000-01-16 10:17 ` John A. Turner
  2 siblings, 0 replies; 7+ messages in thread
From: John A. Turner @ 2000-01-16 10:17 UTC (permalink / raw)
  To: john; +Cc: cygwin

"John van V." wrote:

> > We would certainly consider changing this if a customer wanted to pay
> > for this work.  It would be a very interesting project.
> 
> I, for one, am getting a little tired of hearing this from your organization.

And I get tired of hearing people like you dump on those who have given
so much to the open source community.

No one is forcing you to use anything from Cygnus (oops, Red Hat), so if
you're tired of them, find another solution.  Many of us are incredibly
grateful for all they've done, and understand the balance between what they
provide for the community and what they charge for.  If you can't, fine.

> I am founding a perl group which will not only preach to educators the cost
> effectiveness of our swiss-army-chain-saw, but teach business types as well,
> for free.

Great, but irrelevant.

> And this w/o the support of our employers.  You guys, on the other hand are
> rolling in dough, spending millions on NY apartments, etc, etc...

OK, it's all becoming clearer now - you've suffered some kind of severe
brain damage.

> Linux and the whole public s/w venue is a gift, but only if the given to keep
> on giving.
> 
> Consider this in the light that it is meant.

Right.  In light of your obvious insanity, it all makes much more sense.

Good luck with your endeavors.

-John


* Re: Security Documentation, SSH
  2000-01-16  9:47 ` Chris Faylor
@ 2000-01-16 10:08   ` John Fortin
  0 siblings, 0 replies; 7+ messages in thread
From: John Fortin @ 2000-01-16 10:08 UTC (permalink / raw)
  To: cygwin

> You have used phrases like "getting a little tired of hearing this",
> made unsubstantiated assertions of million dollar apartments, and
> discounted the years of contributions to the free software community
> that Cygnus and Red Hat have made.
> 
> So, I am considering this in *exactly* the light in which it was meant.
>

	It is sad that the cygwin contributors have to put up with stuff like
this.  It seems there are people who want everything given to them on a
silver platter, for free, and complain if it is not EXACTLY what they
want.  

	Personally, I think Cygnus, now Red Hat, has done a fabulous job with
Cygwin.  It meets a definite need
and is improving daily.

	All I can say is if you don't like what is available, don't use it and
buy a "Commercial" product. 
See if you get as responsive support as you do with this FREE product.

John Fortin


* Re: Security Documentation, SSH
  2000-01-16  7:17 John van V.
  2000-01-16  9:31 ` Charles S. Wilson
@ 2000-01-16  9:47 ` Chris Faylor
  2000-01-16 10:08   ` John Fortin
  2000-01-16 10:17 ` John A. Turner
  2 siblings, 1 reply; 7+ messages in thread
From: Chris Faylor @ 2000-01-16  9:47 UTC (permalink / raw)
  To: john; +Cc: cygwin

On Sun, Jan 16, 2000 at 07:17:53AM -0800, John van V. wrote:
>> This is not going to happen.  We understand the security vulnerabilities
>> of Cygwin very well.  The security model is basically security through
>> obscurity which, I'm sure you are aware, is no security at all.
>
>But from what I read, it is an issue of using an NT box as a multiuser
>system.  Now my post suggesting using the regular UNIX login system for
>SSH and limiting the box to a single user makes even more sense.
>Telnet could also be ported in this way.
>
>>Although, now that I think of it, if you're running any CGI scripts on
>>this theoretical web site then you are at risk since Cygwin's security
>>model is wide open to a craftily written perl script.
>
>Perl is equipped to solve these problems, if you know the language.
>You simply encapsulate the input to prevent it from being evaluated.
>The input structure, for instance, keeps scalars as elements of an
>array.  Side effect or clever feature, I'm not sure...

If you know exactly what you are doing, and if you can severely limit
access, you may be able to make any system secure.  This does not mean
that the underlying software (i.e., cygwin) is secure.

If I told you that you could drive my car but you needed keep it below
40 MPH or it might explode, would you want to drive it?  Would you
consider it a safe machine since you understood the parameters for
keeping it intact?

We're not going to advertise something as "secure if you know what
you're doing".  That would be ludicrous.  What are the parameters for
"knowing what you're doing"?

>>We would certainly consider changing this if a customer wanted to pay
>>for this work.  It would be a very interesting project.
>
>I, for one, am getting a little tired of hearing this from your
>organization.  I am founding a perl group which will not only preach to
>educators the cost effectiveness of our swiss-army-chain-saw, but teach
>business types as well, for free.
>
>And this w/o the support of our employers.  You guys, on the other hand
>are rolling in dough, spending millions on NY apartments, etc, etc...

I have no idea what you're referring to.  I don't live in New York.  I
live in a house with a mortgage.  AFAIK, we've only got one NY employee
and he has contributed more time to free software than anyone else I
know.

I have to wonder if you are devoting your time so freely, why not devote
a little of it to the Cygwin free software project?  If you want
something done, then dive right in and do it.  I'll set up a mailing
list for you if you want to do this.  I'll set aside space on our web
and ftp servers.  I, personally, however, don't feel like taking on the
this project as an after business hours venture right now.  I will
applaud you or anyone else who wants to consider doing it.

The bottom line is that neither I, nor Red Hat, is obligated to embark on
a project simply because you think it is a nifty idea.

>Linux and the whole public s/w venue is a gift, but only if the given
>to keep on giving.

If you are going to imply something, why not come right out and say it?
I have no idea what you're talking about.

Are you implying that Red Hat has not given enough to the free software
community?  Are you saying Cygnus has not given enough?

Are you implying that if you see a need in a free software project then
the developers should immediately jump on it and give you what you need?

Or is this just a lofty statement meant to inspire us towards greater
effort towards working on Linux?  Hmm.  How did Linux suddenly enter
this equation?

>Consider this in the light that it is meant.

You have used phrases like "getting a little tired of hearing this",
made unsubstantiated assertions of million dollar apartments, and
discounted the years of contributions to the free software community
that Cygnus and Red Hat have made.

So, I am considering this in *exactly* the light in which it was meant.

-Christopher Faylor
-Cygwin Engineering Manager
-Red Hat


* Re: Security Documentation, SSH
  2000-01-16  7:17 John van V.
@ 2000-01-16  9:31 ` Charles S. Wilson
  2000-01-16  9:47 ` Chris Faylor
  2000-01-16 10:17 ` John A. Turner
  2 siblings, 0 replies; 7+ messages in thread
From: Charles S. Wilson @ 2000-01-16  9:31 UTC (permalink / raw)
  To: john; +Cc: Chris Faylor, cygwin

"John van V." wrote:
> 
> > We would certainly consider changing this if a customer wanted to pay
> > for this work.  It would be a very interesting project.
> 
> I, for one, am getting a little tired of hearing this from your organization.
> I am founding a perl group which will not only preach to educators the cost
> effectiveness of our swiss-army-chain-saw, but teach business types as well,
> for free.
> 
> And this w/o the support of our employers.
---------------------------

> > We would certainly consider changing this if a customer wanted to pay
> > for this work.  It would be a very interesting project.

This is a perfectly reasonable statement. Cygnus is in business to make
money. Since their current personnel are already overworked, the massive
overhaul required to make cygwin "secure" -- when it runs on top of an
inherently insecure base (NT) -- implies the need to hire more people.
People cost money. Who's going to pay their salaries? A CUSTOMER!

And don't go off about how Chris & friends should do it in their free
time. From what I can tell, they already are working on cygwin during
their "free" time! Chris has been 'on the list' answering questions and
responding to posts past midnight, and on the weekends -- he's already
putting in his own time to this project, as are many Cygnus employees.
One of the *dis*advantages of working at a company (like Cygnus) whose
business is growing faster than its headcount is that there is always
more work than there are people; hiring just can't keep up. Yet, in
spite of this, these guys are putting in extra time for free to support
cygwin.

Since there are only about a dozen non-cygnus employees who contribute
ANY code to the cygwin base, but over 2000 people subscribed to the list
-- folks who in many cases never bother to RTFM or search the archives
or read the FAQ -- it's no wonder that Chris & co. are getting a little
tired of the constant refrain:

"Why don't you add X" 

Get off your high horse, stop preaching to the Cygnus guys that they
ought to work even harder than they already are, and YOU help them. If
you can't code, compile and publish. If you can't compile, document and
publish. (I can't code well, so I try to help by putting up an archive
of precompiled stuff for others to use. http://cygutils.netpedia.net )

>  You guys, on the other hand are rolling in dough, spending millions on NY apartments, etc, etc...

Where the &#*@&!#$ did you EVER get that idea? Even if the employees got
much personal financial benefit from the Red Hat buyout, Cygnus is
CA-based, and RH is based in NC. None of 'em live in NY. Geez. Cygwin is
free, you ingrate; appreciate what you're getting!

--Chuck


* Security Documentation, SSH
@ 2000-01-16  7:17 John van V.
  2000-01-16  9:31 ` Charles S. Wilson
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: John van V. @ 2000-01-16  7:17 UTC (permalink / raw)
  To: Chris Faylor; +Cc: cygwin

> This is not going to happen.  We understand the security vulnerabilities
> of Cygwin very well.  The security model is basically security through
> obscurity which, I'm sure you are aware, is no security at all.

I personally appreciate candor in this area having experienced breakin attempts
aimed at such insider plums as the Moody's Ratings DB, or the Barings
Securities Position tables.

But from what I read, it is an issue of using an NT box as a multiuser system.
Now my post suggesting using the regular UNIX login system for SSH and limiting
the box to a single user makes even more sense.  Telnet could also be ported in
this way.

> Although, now that I think of it, if you're running any CGI scripts on
> this theoretical web site then you are at risk since Cygwin's security
> model is wide open to a craftily written perl script.

Perl is equipped to solve these problems, if you know the language.  You simply
encapsulate the input to prevent it from being evaluated.  The input structure,
for instance, keeps scalars as elements of an array.  Side effect or clever
feature, I'm not sure...

> We would certainly consider changing this if a customer wanted to pay
> for this work.  It would be a very interesting project.

I, for one, am getting a little tired of hearing this from your organization.
I am founding a perl group which will not only preach to educators the cost
effectiveness of our swiss-army-chain-saw, but teach business types as well,
for free.

And this w/o the support of our employers.  You guys, on the other hand are
rolling in dough, spending millions on NY apartments, etc, etc...

Linux and the whole public s/w venue is a gift, but only if the given to keep
on giving.

Consider this in the light that it is meant.

=====
John van Vlaanderen

      #########################################
      #    CXN, Inc. Contact:                 #
      #    john@thinman.com, www.thinman.com  #
      #    1 917 309 7379 (cell, voice mail)  #                   
      #########################################
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

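The point argued back and forth above, that CGI input handled by a Perl script must stay data and never reach eval, the shell or an open() mode string, is shown below as an added example; it is not code from any message in this thread, nor from the Cygwin project. The query string, the form field name "file" and the notes directory are constructed assumptions. It covers only what the script itself does with its input; it says nothing about the Cygwin-on-NT security model Chris Faylor describes, which no amount of input handling inside the script can change.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: keep CGI input as data so Perl never
# evaluates it.  Run as:  perl -T cgi_input.pl
# The query string, the form field name and the notes directory below are
# constructed assumptions for the demonstration.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, data from %ENV, STDIN and @ARGV is tainted, and Perl dies rather
# than pass it to system(), exec(), backticks, a piped open, a write open or
# eval STRING.  It also refuses to start any subprocess until PATH is trusted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $NOTES_DIR = '/var/www/notes';    # assumed location of the readable files

sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Parse QUERY_STRING into a hash of array refs.  Every value stays a plain
# scalar element of an array: it is stored, never interpolated into code.
sub parse_query {
    my ($qs) = @_;
    my %form;
    for my $pair (split /[&;]/, $qs) {
        next if $pair eq '';
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        push @{ $form{ url_decode($k) } }, url_decode($v);
    }
    return \%form;
}

# The only way tainted data becomes trusted is to copy a capture out of a
# pattern that spells out exactly what is acceptable.  This allow-list
# rejects path separators, shell metacharacters, leading dots and "..".
sub untaint_name {
    my ($v) = @_;
    return undef unless defined $v
        && $v =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return $1;
}

# VULNERABLE pattern, kept for contrast and never called: a two-argument
# open treats "name |" as a pipe to the shell, and eval STRING compiles the
# request as Perl.  Taint mode kills the pipe and the eval, but a plain
# read of "../../etc/passwd" through the same open is NOT a taint violation,
# which is why the allow-list above is needed regardless of -T.
sub read_note_unsafe {
    my ($raw) = @_;
    open(my $fh, "$NOTES_DIR/$raw") or return undef;    # "x |rm -rf /" would run
    my $n = eval "length('$raw')";                      # a quote in $raw breaks out
    return $n;
}

# Hardened form: allow-list untaint, then a three-argument read-only open,
# whose third argument is a file name and can be nothing else.
sub read_note {
    my ($raw) = @_;
    my $name = untaint_name($raw);
    return (undef, 'rejected: name fails allow-list') unless defined $name;
    my $path = "$NOTES_DIR/$name";
    open(my $fh, '<', $path) or return (undef, "open $path: $!");
    local $/ = undef;
    my $body = <$fh>;
    close $fh;
    return ($body, undef);
}

# Constructed request: a traversal attempt, a legitimate name, and a shell
# payload.  Under a real CGI server QUERY_STRING is tainted; the literal
# fallback used when running from a terminal is not, and tainted() says so.
my $qs = defined $ENV{QUERY_STRING}
    ? $ENV{QUERY_STRING}
    : 'file=..%2F..%2Fetc%2Fpasswd&file=notes.txt&file=x+%7C+rm+-rf+%2F';

printf "query string tainted: %s\n", tainted($qs) ? 'yes' : 'no';
my $form = parse_query($qs);
for my $raw (@{ $form->{file} || [] }) {
    my ($body, $err) = read_note($raw);
    printf "%-20s -> %s\n", $raw, defined $err ? $err : length($body) . ' bytes';
}
```

Invoke it as `perl -T cgi_input.pl`; a bare `perl cgi_input.pl` stops with "Too late for -T" because taint mode must be on from the first byte. From a terminal the traversal and the shell payload are rejected by the allow-list, and the legitimate name fails only because the assumed notes directory does not exist; under a CGI server, where QUERY_STRING comes from the request, the first line reports the input as tainted.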
