Update on RegreSSHion

Rene Malmgren rene.malmgren at redtoken.ae
Fri Sep 5 08:24:36 AEST 2025 

Its difficult to talk about what a real man is, but I can assure you that for most professional organizations that handle digital assets need to access them, usually on a regular basis.

If you take a look at what happened at ByBit you see that even assets that are "in cold storage", can be accessed by a third party. Ssh is one of the most common ways that people use to administer systems, including systems that handle digital assets.
________________________________
From: hvjunk <hvjunk at gmail.com>
Sent: Thursday, September 4, 2025 9:41 PM
To: Gert Doering <gert at greenie.muc.de>
Cc: Rene Malmgren <rene.malmgren at redtoken.ae>; Stuart Henderson <stu at spacehopper.org>; openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
Subject: Re: Update on RegreSSHion



> On 04 Sep 2025, at 18:48, Gert Doering <gert at greenie.muc.de> wrote:
>
> Hi,
>
> On Thu, Sep 04, 2025 at 02:46:22PM +0000, Rene Malmgren wrote:
>> Would you put 1000 BTC on a system and have OpenSSH as a frontline software to protect it?
>
> I would not put 1000 BTC on a system that is accessible via any means
> from the Internet.  This is how real men do "security".

Yeah that  one… the only secure computer, is one buried in a 100feet thick and deep steel enforced concrete container with no network en electricity supply… and even then I’ll have my doubts ;)
I do believe the only fail safe firewall is the side-cutter applied to both the network en power cables.
>
> But if I had to, OpenSSH would be the least of my worries.  I guess I'd
> ensure that only pubkey auth is possible, that there is a firewall in
> the way that only allows specific subnets that I trust, etc. - but that
> is general good hygiene.  Reduce blast radius.  Bugs happen.

Even subnets can’t be “trusted” once you’ve traversed an untrusted network… which makes for an interesting thing I can now do with IPv6… I have typically 64bits to use for a hash/mac to communicate with 0_o thanks that is an interesting  toy R&D

> Like, kernel bugs that are exploitable remotely... so, "do not put things
> on the Internet".

I’ll add that I’ll also NOT use a public Linux Distro, but OpenBSD that was  audited (Somebody once said: Trust, but verify) the the borders too..

>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list