(12:17:57) rao hdc: don't forget to vote
(12:18:02) rao hdc: rent control is on the ballot
(12:18:06) ***novalis nods
(12:18:24) novalis: Somehow, I think you and I will not be voting the same on that one
(12:18:39) rao hdc: you're voting against it?
(12:19:03) novalis: You're voting for it?
(12:19:08) rao hdc: yes
(12:19:14) novalis: Some libertarian you are.....
(12:19:22) rao hdc: haha
(12:19:26) rao hdc: yeah, is sad, I know.

From http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html

OpenSSH Security Advisory

Sanely formatted patch here.

The official word is that the openssh developers don't know if the bug is remotely exploitable. But given all I've heard over the past couple of weeks, plus the increased port 22 scanning reported at http://www.heise.de/security/news/meldung/40331, I'm inclined to assume the worst -- remote root exploit is out there in the wild.

The bug will be assigned CAN-2003-0693. Number was assigned on 2003-08-14. Looks like a botched coordinated release.

Update 2:
new Debian x86 debs have been uploaded to security.debian.org.

Update 3:
Red Hat has new RPMs now.

From CNN:
Parson also admitted that he renamed the original "MSBlast.exe" executable "teekids.exe," after his online name 'teekid,' according to the FBI case.
From Reuters:
While the Web site [t33kid.com] is no longer active, a cached version of it stored by Google refers to a computer program called "p2p.teekid.c," which is described as "my little p2p worm" that spreads via peer-to-peer, or p2p, computer file-sharing methods.

The amount of misinformation regarding the ftp.gnu.org compromise is annoying.

The FSF does not run wu-ftpd, nor does it run proftpd. We've been running vsftpd since shortly after the initial public release. vsftpd is one of the best pieces of free software out there.

ftp.gnu.org was compromised from a local shell account. Maintainers had shell accounts in order to put up releases. This is no longer the case.