Bug 2026

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: OpenSSH client leaks username to server
Context: Some issue tracker that includes portable openssh (https://bugzilla.mindrot.org)

When connecting to an SSH server, OpenSSH will send your username as the SSH username if you don't provide one explicitly. This is an information leak.

Why is this bad?
Imagine Bill Gates is using linux to hack into apple.com. He was told Linux is good, and he is planning on making the next release of windows be an open source Linux distribution. He gets the root password for the SSH server on apple.com. He tries to get on by running "ssh apple.com", it fails for wrong password, then he realizes he forgot to set the username so he runs "ssh root@apple.com". But now apple.com has a login attempt in their logs for the account "billgates" (he was using a botnet which is hardcoded in every Windows kernel, providing an anonymity network to Bill Gates, so apple.com didn't get his IP address). So after Bill Gates changed apple.com to show bad financial reports and say that they're closing down (making them lose all their investors/market share etc), Bill Gates gets arrested because of this irrefutable evidence left in the log file. Now Bill Gates hates Linux forever and will never make Windows be Linux based.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlAIK0cACgkQ3PGpByoQpZHNQACgr6hjOAUzkt23kcMFiIN5r17h
jesAniXPMtaT3/bSgegF36gWrVwiJC1W
=GDxu
-----END PGP SIGNATURE-----