Summary and Review:

This talk was given on Jan. 4, 2001. The comments from many was "You'll be making a fool of yourself". Perhaps I should have changed the title to read, "Jesse, your nuts for doing this talk". Certainly it drained me.

While this talk was not what I hoped (it was way too long 2+ hours) I think the end goal is being accomplished. What enticed me to do this talk was hearing may people at local computer club meetings say, "Anyone using telnet any more is nuts!" After the talk was completed someone told me that Bruce Schneier had give a talk stating similar words (the origin was revealed.).

As such, I found many problems. The first, and most difficult to overcome, was my peers stating that, "I was not qualified". Certainly, I am not a security expert or an encryption expert, but a I had knowledge of logic, mathematics, computer hardware & software, security and some common sense. These things, and my good friends from work and local clubs, drilled me to find the flaws in ssh. However, some, without their knowledge, would argue for ssh only to reveal a classic error in logic.

The Points listed below are points that I made during the talk. Any person disputing these points is welcome to come to San Jose and give opposing points of view durning a regular scheduled meeting of SVBUG You may schedule your rebuttal by emailing the webmaster.

Errors in this presentation are mine alone. No error here should be attributed to the origin, whatsoever. I take full responsibility for errors, misinformation, mis-attribution or falsehoods presented here.

Lastly, this is labeled "Work In Progress" for two (2) reason:

1. I have a job, that work takes priority.
2. More facts are being uncovered everyday, I'll post them when available.

Major Discussion Points

• What I won't be saying
• My frame of reference
• What I will be saying
• Why I'm doing this
• My Personal Complaints
• What people have to say
• SSHv1 vs. SSHv2
• SSHv2 Features
• The SSH Specs (the problems)
• Authentication/Encryption -Two methods to argue
• SSH(v2) Faults
• Who wants your data
• What is the Man-In-The-Middle
• Your Governments Involvement
• What SSH program there are
• What alternatives you have
• Last words

Updates To Information

Note: Information in this area may be incomplete until I have time to fill it in. That might be never, given the situation. If you feel you need more information on any area below, please email me.

• 2000-01-10 During the talk I recommended people move to Bind v9.x, I now recommend against it.
• 2000-01-08 During the talk I underestimated the problems with the r* tools (rsh,rlogin,rcp). The r* tools have major problems, given their nature I don't blame people for trying to fix things by implementing ssh.
• 2000-01-12 A new countermeasure worth considering is a "sacrafical lamb" or "open target" to redirect bot-attacks to.
• 2001-02-09 A new vulnerability in SSH Daemon; DEAD: See: http://razor.bindview.com/publish/advisories/adv_ssh1crc.html Thanks to James @ OpenCountry.org

Security Issues on FreeBSD with SSH as of this date.

Talk given Jan. 4, 2001

Security Issues on FreeBSD with Telnet as of this date.

Talk given Jan. 4, 2001