Fwd: Followup on Inquiry about regreSSHion postmortem

hvjunk hvjunk at gmail.com
Thu Aug 21 06:02:35 AEST 2025


Okay Rene,

I’m going to take your own words and philosophy below and make the statement: You are maliciously attacking OpenSSH for your own malicious ideas and greed (the facts at hand at this point in time, using your own philosophy below).


Now let's answer it as a person that has been using SSH since like version 1.1.x, before OpenSSH was a twinkle in the developers’ eyes, and not as a project member, just a supporter that likes to stay abreast of things:

> On 20 Aug 2025, at 20:40, Rene Malmgren <rene.malmgren at redtoken.ae> wrote:
> 
> I make an assessment based on the facts at hand,

You know the folklore about Ronald Opus? Check Wikipedia. So you obviously have not investigated and double- and triple-checked stuff before you just made your first half-baked, half-informed, blatantly malicious claims…

> Now the trouble when you try to distinguish between malice and insanity is that malice is usually hidden as insanity.

Seems you totally confuse the wording and meanings of Hanlon’s Razor. Refer to Wikipedia.

> My personal rule of thumb is not to attribute to insanity what could be attributed to malice unless other data point in that direction.

Yeah, that is the problem, looking for the devil behind each rock, instead of understanding the problems with humans making mistakes, and your own actions. In fact, the issue at hand (and here your lack of the English vernacular is starting to show) is NOT insanity, but rather “stupidity”… or just plain common human error and oversight. Quite… different from the word insanity :P

> So, a programmer that makes a "mistake" that is way below their expected performance and then says oh it was a mistake, well usually you should take a very much closer look.

Nope, I’ve made SEVERAL mistakes as a seasoned sysadmin MANY times… and usually when under pressure or lack of sleep. I owned up to those mistakes, corrected them, took the rap and put the next thing in place to try to prevent similar in future… and then pressure caused me to take yet another shortcut for time/monetary reasons as pressured by the clients, and I made the mistake again... sorry, 30+ years in IT as a sysadmin is showing my B.o.F.H. side.

> So no, I did not assume you had a process that was so hazardous, and that you cared so little for the safety of your non OpenBSD users.

Again you are mistaken, and assigning the wrong faults to the wrong persons/processes. The “Portable” version is not a first class citizen in OpenBSD, and the OpenBSD team I have respect for (I wish I could’ve used it at the same scale and deployments I am using Linux, but that is a financial discussion outside of this one).

That said, I’ll refer you to the Qualys report on this issue!

> Obviously coming from the outside, you have to make assumptions,

No, you first have to LEARN and ASK and UNDERSTAND *before* you make assumptions... like the saying: To ASSUME is making an ASS of U and ME. Assumptions are the mother of all wars… and other cluster<french_word>s... so when you make assumptions, you are already in the wrong and have to understand that.

>  that is a disadvantage.

No, it is malicious, i.e. what is your malicious intent here Rene? You want to show a client to buy something else from you, as they went instead with OpenSSH, and you want to get back at them? Those are the facts I see at hand here, Rene.

> You are also not colored by loyalty to the project or organization, that is an advantage.

Depends, from an auditor's perspective perhaps, but then I’ve had to endure so many audits, and every time they’ve come back with stuff similar to your “audit”, and once they’ve been educated... the reports suddenly change from the whacking red to more peaceful yellow and green… much like the South African Springboks' Green and Gold… but now I’m digressing late at night.

> Now the way you structure your organization does not help.

Does not help your malicious intent (which is based on your, that is Rene’s, philosophy to assign malice instead of stupidity first); it does however assist the OpenBSD and OpenSSH *official* in their design, testing and operations of a security-first Operating System. GO install OpenBSD and try to find those exact same problems you’ve been complaining about, and then come complaining again.

> It was your colleague that wanted to have a public discussion, so we are having a public discussion. I think it's good because these questions need to be answered (or not answered) so that we know where we stand.

No Rene, you started to maliciously (again, following your own philosophy here) attack the project’s porter of official to portable (for your client’s convenience...) and thereby blame OpenSSH in totality by claiming malice and naming it regreSSHion.

Question, if they (your clients) and you are so security conscious Rene, why aren’t you using and advocating OpenBSD to them? Then you would not have had this problem to worry about in the first case!!!

> It's generous that you are providing "free" software for us, unfortunately SAFE provided free software for ByBit and that kind of free cost ByBit 1.5 BUSD, and yes SSH is used to protect way more in assets than ByBit has / had.
> 
> Now, on a bit of a different topic, do you know why your server, when asked about a file that looks very similar to a file a regular diff from your repo, easily posted as a reference in an email.

That was me, an outsider seeing a malicious attacker named Rene Malmgren and trying to educate him in his malice... eh... now shown to be an insanely stupid person after evidence presented ;(

> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/log.c.diff?ipk=fF83_JCDCKqCJ85QEwn7jbP5Ag2cF3ZCTZ6QbjGp4RE&r1=1.52&r2=1.53&f=h
> 
> Redirects your browser via 301 to https://theannoyingsite.com/

Don’t know where you get that, unless your own browser is compromised, and I pointed you to the direct source to show you your malice... apologies, you’ve now brainwashed me... your stupidity/insanity of not investigating and asking the right questions before jumping on the blame game bandwagon…

> Is this that standard way of handling discussion regarding security in OpenSSH?

When you assign malice where human error was at fault, you are asking to be ridiculed. 

W.r.t. Security: AGAIN, GO INSTALL OpenBSD and stay away from anything Linux if you are really valuing your and your clients' security as much as you claim, as Linux, even though it is my bread and butter, is not as secure as I want it to be… but that is a personal point of view and financial decisions, as Linux is a business/money maker, and decisions are monetary based, not security first, unlike OpenBSD and OpenSSH *official*.

Hendrik Visage

---
Hendrik Visage
Director - HeViS.Co Systems Pty Ltd
T/A Envisage Cloud Solutions
Mobile: +27-84-612-5345
hvisage at hevis.co.za <mailto:hvisage at hevis.co.za>
hvisage at envisage.co.za <mailto:hvisage at envisage.co.za> 
Instant messaging: https://t.me/hvisage

> 
> /Rene
> 
> ________________________________
> From: Theo de Raadt <deraadt at openbsd.org>
> Sent: Wednesday, August 20, 2025 6:09 PM
> To: Rene Malmgren <rene.malmgren at redtoken.ae>
> Cc: Stuart Henderson <stu at spacehopper.org>; openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
> Subject: Re: Followup on Inquiry about regreSSHion postmortem
> 
> Rene,
> 
> You have already
> 
> - decided to not figure out how -portable merges are handled,
> - written a long conclusion accusing malice
> 
> Now, after that long conclusion you have "questions" ?
> 
> I'm pretty sure nothing will change your mind.
> 
>> Ok I should be clearer here, yes there are merges, but explain to me how a merge conflict would remove the two critical flags. I am not talking about surface here. I am talking about a clear step by step analysis, that shows how the flags got removed.
>> 
>> /Rene
>> ________________________________
>> From: Stuart Henderson <stu at spacehopper.org>
>> Sent: Wednesday, August 20, 2025 3:07 PM
>> To: Rene Malmgren <rene.malmgren at redtoken.ae>
>> Cc: openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
>> Subject: Re: Followup on Inquiry about regreSSHion postmortem
>> 
>> On 2025/08/20 10:41, Rene Malmgren wrote:
>>> Actually, there is no evidence in the available data that such a merge even has happened
>> 
>> This is simply the way that cross-platform OpenSSH commits are done:
>> 
>> - they are first made to OpenBSD's CVS tree
>> 
>> - then they are later merged to openssh-portable git with an "upstream:
>> XX" comment and OpenBSD-Commit-ID line (with the RCS ID line synced with
>> that from the OpenBSD tree in the commit)
>> 
>> there is plenty of evidence of this, and nothing on the surface unusual
>> about this merge commit compared with others
>> 
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
