1)maybe this will encourage openbsd to move to a(n even) stronger position, but it seems to take the "if you enable it you own it" position, but people run services, not just portmap and inetd (with nothing on) and sshd, but stuff like webservers.

2)this attempts to ridicule openbsd as "theobsd" but openbsd is the work of a lot of talented people, so really the snub is at the deprecation of all of their efforts, more than finding one bug in a piece of widely used software

3)I guess monkey.org getting broken into is a good indication that there is something as yet unseen on the security horizon

4)the goal here is to hit the at the rep of openbsd, but the 5 year claim is a silly claim anyway, really showing the difficulty of evaluating how secure software is.

5)there is no proof that prosecuting crackers like gobbles would remove these kinds of tools from many security oriented bug researchers. It would definitely make the process of getting fame for their exploits more hazardous. But if (the/any) criminal justice system really worked, why is there still rampant crime?

6)My guess is that ISS was aware of this exploit in the wild when they decided to "discover it".

7)Maybe the OpenBSD model really isn't paranoid enough.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/493/13203#13203