This thread has the typical "useless thread on NANOG" problem.
It attempts to be tangentially relevant but really it just is not.
Certainly, the initial thought -- to communicate that
www.rootshell.com was compromised -- was not relevant to North
American network operators.
Next, a discussion of what it means to be secure, and of course this
wasn't relevant for NANOG either, but some well-meaning competent
individuals got roped in, presumably in the hope that the discussion
would terminate. After all, a little bit of off-topic discussion is
fine and useful -- if we tried to find the right mailing list for
absolutely *everything*, no one would ever get anything done. But we
went long past that point.
Discussion of compromises in application programs (ssh), even ones
widely used in the network community, is not very appropriate for
NANOG either. We could discuss compromises every time Sun released a
security patch, or every time rootshell.com posted an exploit -- we'd
have more traffic than bugtraq (not hard, it's a moderated list...)!
The latest stuff about ftping through SSH tunnels just kicks the
bucket even further, beneath the lower standard of conduct to which
some of us hold NANOG (because the community seems to be comprised of
a more-childish and less-responsible set of individuals than most
other communities, so it's foolhardy to try and hold it to high
Please try not to dignify any of the traffic in this thread with a
reply. If you really feel that your commentary is useful and
relevant, please direct it to the authors in private email. Similarly,
if you feel a burning need to know the resolution of an issue raised
by some individual, please send them private email and I'm sure
they'll be happy to forward you the relevant discourse they've
received, or direct you to a venue more suited for the discussion.
I, for one, am disgusted, but you already knew that.