
A Public Service Announcement.

When you are getting a Blowfish order delivered to your office, do not then ask a co-worker to swap out a failed disk for you, as said co-worker will think that the unopened, newly arrived package addressed to you is in fact the replacement disk, and hilarity will, as they say, ensue.

That is all.
"Dude. We've worked together for a long time and I'm willing to do a lot of things for you, but I am not swapping out your dick."
"When you are getting a Blowfish order delivered to your office" is itself a statement that makes me flinch. The rest was merely history.
Uh, what's blowfish? My company filters it. I thought it was some manner of security software, but apparently not.

Isn't there some manner of security software with a blowfish as its icon?
Uh, what's blowfish?

In this context, a place which sells many fine sex toys.

Isn't there some manner of security software with a blowfish as its icon?

You're probably thinking of OpenBSD - a variant of BSD which has security as a development focus. They use a puffer fish as their logo. The related OpenSSH project also has the same fish as part of its logo.
I find it ironic that this discussion is coming up when discussion of OpenSSH and a nasty security hole is raging across the net right now.

As I've said in the past. "OpenBSD, Wide open by default."[0]

[0]: I've nothing against BSD in general, but OpenBSD has Theo issues, and OpenSSH has had more than its share of issues in the past and present.

With regards to blowfish, it predates SSH in any form, and was originally developed by Bruce Schneier of Applied Cryptography fame.
Re: Ironic.
It should be noted that whilst there is the current buffer issue with OpenSSH, there isn't an actual exploit to run code remotely in the wild yet, and from comments made it may not be possible to exploit it to that level. A denial of service attack on the sshd so that it crashes is possible, however, which, whilst not as bad as a remote attacker being able to run code on your system, still sucks.

It should probably be noted as well that the code in question is present even in the old (i.e. pre OpenSSH days) ssh as well.
Re: Ironic.
The general rule is that if you can get the app to crash, you can get a root shell. Naturally there are exceptions, and heap overruns are much harder to exploit.

I think it's a bit irrelevant that the code is old. With the way a lot of the OpenBSD/OpenSSH people talk about their magical Code Review process, one would have hoped that they would have caught something like this a long time ago. (For when they originally swiped the commercial ssh code amounts of long time ago.)