the recent bash exploit seems to have all the hallmarks of a sophisticated nation-state attempt to insert backdoors into debian and lots of embedded devices. Any thoughts? How do you defend against an adversary that uses social engineering and psychology to convince developers to add a new feature to an 'essential' package that can then be exploited? To any of you in the NSA and NNSA with clearances, here's a question for you: how many US government systems have bash installed, and can your admins running the world's largest supercomputers run them without having a pre-loaded exploit train pre-installed? This is like the mother-of-all advanced persistent threats, so it would be a good idea to figure out a way for those of you might know, but can't publicly disclose to figure out how to let the rest of us know how to defend against this. Maybe DARPA will post some interesting new RFPs? -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer@hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash