[$] OpenSSH and the dangers of unused code
Unused code is untested code, which probably means that it harbors bugs, sometimes significant security bugs. That lesson has been reinforced by the recent OpenSSH "roaming" vulnerability. Leaving a half-finished feature only in the client side of the equation might seem harmless on a cursory glance but, of course, is not. Those who mean harm can run servers that "implement" the feature to tickle the unused code. Given that the OpenSSH project has a strong security focus (and track record), it is truly surprising that a blunder like this could slip through, and keep slipping through for roughly six years.
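The practical defender's question raised by the above is whether a given client still has the unused roaming code reachable. The following is an added example, not code from the article or from the OpenSSH project: a small POSIX shell audit that checks an OpenSSH client configuration for the `UseRoaming no` directive (the real client option that the OpenSSH project documented as the workaround for clients carrying the roaming code) and appends it when missing. The file paths and sample configuration contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or OpenSSH): audit an ssh_config for
# the legacy "UseRoaming" client option and harden it when unset.
# Sample files and contents below are constructed for illustration.

# roaming_disabled FILE
# Exit 0 if FILE contains an effective "UseRoaming no" directive
# (comments ignored, keyword case-insensitive, "=" or whitespace
# separator accepted, as ssh_config allows), exit 1 otherwise.
roaming_disabled() {
    file="$1"
    [ -r "$file" ] || return 1
    # Strip trailing comments, normalise "=" to a space, then match.
    sed 's/#.*//' "$file" \
        | tr '=' ' ' \
        | grep -iqE '^[[:space:]]*UseRoaming[[:space:]]+no([[:space:]]|$)'
}

# harden_config FILE
# Append "UseRoaming no" to FILE unless it is already effectively set.
harden_config() {
    file="$1"
    if roaming_disabled "$file"; then
        return 0
    fi
    printf '%s\n' 'UseRoaming no' >> "$file"
}

# Demonstration on a constructed config in a throwaway directory:
# a commented-out directive must not count as disabling roaming.
demo() {
    tmp=$(mktemp -d)
    cfg="$tmp/ssh_config"
    printf '%s\n' 'Host *' '    ForwardAgent no' \
        '# UseRoaming no   <- commented out, so not in effect' > "$cfg"
    if roaming_disabled "$cfg"; then
        echo "$cfg: roaming disabled"
    else
        echo "$cfg: roaming NOT disabled, hardening"
        harden_config "$cfg"
    fi
    roaming_disabled "$cfg" && echo "$cfg: roaming disabled after hardening"
    rm -rf "$tmp"
}

demo
```

On a real host the file to check is the system-wide client config (typically `/etc/ssh/ssh_config`) plus each user's `~/.ssh/ssh_config` equivalent; the audit deliberately treats a commented-out directive as absent, since that is the case most likely to fool a quick visual inspection.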