FTP and port 80? //at 14:18 //by abe

Hmmm, I never thought that a URL could look some kind of schizophrenic or paradox, but this one truly does: ftp://ftp.port80.se/. (Found in ftp://ftp.*.debian.org/debian/README.non-US.)

The Software Museum inside the Software Museum //at 02:06 //by abe

Most Linuxers know that Debian and most of its users prefer stable software over up-to-date software. So do I, but sometimes this goes a little bit too far, e.g. when I find software which has been compiled years before the first line of Linux kernel code has been written:

C:\>ls +version
GNU ls, Version 1.4.0.2 (compiled Sep 19 1990 12:43:10 for MS-DOS)

C:\>ls -alF gnu\
total 521
drwxrwxrwx   1 anonymou anonymou     4096 Mar 26 23:16 ./
drwxrwxrwx   1 anonymou anonymou     4096 Mar 26 23:17 ../
-rwxrwxrwx   1 anonymou anonymou    17868 Sep 19  1990 cat.exe*
-rwxrwxrwx   1 anonymou anonymou    20028 Sep 19  1990 cmp.exe*
-rwxrwxrwx   1 anonymou anonymou    26780 Sep 19  1990 cp.exe*
-rwxrwxrwx   1 anonymou anonymou    17948 Sep 19  1990 cut.exe*
-rwxrwxrwx   1 anonymou anonymou    27138 Sep 24  1990 grep.exe*
-rwxrwxrwx   1 anonymou anonymou    16572 Sep 19  1990 head.exe*
-rwxrwxrwx   1 anonymou anonymou    27756 Sep 19  1990 ls.exe*
-rwxrwxrwx   1 anonymou anonymou    23100 Sep 19  1990 mv.exe*
-rwxrwxrwx   1 anonymou anonymou    19820 Sep 23  1990 rm.exe*
-rwxrwxrwx   1 anonymou anonymou    37644 Sep 19  1990 tac.exe*
-rwxrwxrwx   1 anonymou anonymou    20188 Sep 19  1990 tail.exe*

C:\>

And yes, this looks like DOS. This is FreeDOS (1:0.0.b9r5a-3) inside of dosemu, packaged for Debian 4.0 Etch and installed from the original Debian archives.

BTW, the date looks quite authentic: According to the ChangeLog, Version 1.4 of the GNU Fileutils have been released on the 9th of September 1990. The oldest version of the GNU Fileutils (nowadays coreutils) available on the GNU FTP server is version 3.13 from July 1996, though.

I really wonder how many buffer overflows this version has. And I wonder if there’s really a scenario in which this combination (Debian → dosemu → FreeDOS → GNU fileutils) could be exploited.

Mailing lists made my day //at 13:58 //by abe

Today actually two mailing lists made my day:

First Theo de Raadt’s mail to the FreeBSD security mailing list:

Date:       Mon, 02 Oct 2006 14:00:11 -0600
From:       Theo de Raadt <deraadt@cvs.openbsd.org>
To:         freebsd-security@freebsd.org
Subject:    Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh 
Message-ID: <200610022000.k92K0B5P009759@cvs.openbsd.org>

> The OpenSSH project believe that the race condition can lead to a Denial
> of Service or potentially remote code execution
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Bullshit.  Where did anyone say this?

Why don't you put people in charge who can READ CODE, and SEE THAT
THIS IS ABSOLUTE BULLSHIT.

and Colin Percival’s dry reply pointing out who made the “ABSOLUTE BULLSHIT”:

Date:       Mon, 02 Oct 2006 14:25:05 -0700
From:       Colin Percival <cperciva@freebsd.org>
To:         Theo de Raadt <deraadt@cvs.openbsd.org>
Cc:         freebsd-security@freebsd.org
Subject:    Re: FreeBSD Security Advisory FreeBSD-SA-06:22.openssh
Message-ID: <452183B1.7000306@freebsd.org>

Theo de Raadt wrote:
>> The OpenSSH project believe that the race condition can lead to a Denial
>> of Service or potentially remote code execution
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Bullshit.  Where did anyone say this?

The OpenSSH 4.4 release announcement says that, actually:

 * Fix an unsafe signal hander reported by Mark Dowd. The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service. On portable
   OpenSSH, this vulnerability could theoretically lead to
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   pre-authentication remote code execution if GSSAPI authentication
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   is enabled, but the likelihood of successful exploitation appears
   remote.

Colin Percival

Well, looks like an exquisite own goal. (Found by Squeeeez.)

Then, _rene_ cited a mail from the current Debian Project Leader Anthony Towns on debian-devel in #debian.de, who thought that »Switzerland was some foreign word meaning “snowy place”«:

Date:       Tue, 3 Oct 2006 15:52:38 +1000
Subject:    Re: Bits from the DPL: Looking forward
From:	    Anthony Towns <aj@azure.humbug.org.au>
Message-ID: <20061003055238.GA4841@azure.humbug.org.au>

On Tue, Oct 03, 2006 at 03:39:20PM +1000, Anthony Towns wrote:
> BSPs in Vienna (Switzerland) [3], 

I was assuming, of course, that "Switzerland" was some foreign word
meaning "snowy place", but apparently it's actually a country all of
its own, entirely separate to Austria...

On Tue, Oct 03, 2006 at 03:43:52PM +1000, Anthony Towns wrote:
> (b) Firmware vote
> proposal, as amended by Manon Srivastava (Message-id:

And while _Manon des sources_ might've been a neat French film, I don't
think it's actually got all that much to do with Manoj...

Cheers,
aj

And contrary to the usual biases, this geographic unawareness comes from Australia (which is unequal to Austria ;-) and not from the US. :-)

Guys, you all made my day. Kind regards from a currently not so snowy snowy place. :-)