Alarming Open-Source Security Holes

Status
Not open for further replies.

iMav

The Devil's Advocate
How a programming error introduced profound security vulnerabilities in millions of computer systems.
Back in May 2006, a few programmers working on an open-source security project made a whopper of a mistake. Last week, the full impact of that mistake was just beginning to dawn on security professionals around the world.

In technical terms, a programming error reduced the amount of entropy used to create the cryptographic keys in a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, the IPsec Virtual Private Network (VPN), secure e-mail programs, some software used for anonymously accessing the Internet, and so on.

Less than a day after the vulnerability was announced, computer hacker HD Moore of the Metasploit project released a set of "toys" for cracking the keys of these poor Linux and Ubuntu computer systems. As of Sunday, Moore's website had downloadable files of precomputed keys, just to make it easier to identify vulnerable computer systems.
Full Article

So much for being secure & not hackable :lol:
 

praka123

left this forum longback
well, the title of that article is very misleading. This is true, although it was fixed by OSS devels fast. The real reason for the openssl vulnerability is supposed to be the packaging for debian?
No code in the world is fool-proof, but it is BETTER if it is open source!
but this article is sure FUD - "alarming OSS security holes? where?" In Debian Etch, for eg, you get patches in a matter of minutes!

So, this is one way to confuse possible movers to Linux and FOSS :?: Unlike the proprietary OS which hides security vulnerabilities, Linux/OSS got it fixed in the open.

but sure, this is a vulnerability which failed to get noticed fast :(
well, I and cadcrazy already posted this here in the tech section :p but you got the news with a FUD!

for all interested, this is a plain neutral article reg openssl vulnies:
www.heise.de/english/newsticker/news/108058
It is perfectly normal for Linux distributors to fiddle around in the source code to integrate patches and security updates into their packages. For smaller projects in particular, it can take a good deal of time for changes and bug fixes to be integrated into the original source code. Since, for stability reasons, distributors do not generally use the latest versions, they often need to backport patches into older versions. Martin Schulze and Florian Weimer from the Debian Project confirmed this to heise Security. They note that according to the developer guidelines, Debian maintainers are expected to work closely with upstream developers so that any changes can be integrated into the original source code.
 

gary4gar

GaurishSharma.com
After all, to err is human ;)

Btw, is MS better?
I don't think so.
Two years ago, Steve Gibson, a highly respected security consultant, alleged that a significant bug found in some Microsoft software had more in common with a programmer trying to create an intentional "back door" than with yet another Microsoft coding error.

It's the same thing with Microsoft, even though it's closed source.
So, mistakes do happen, but it does not mean all open source software is bad; this can be seen as an isolated case.
 
OP
iMav

iMav

The Devil's Advocate
I don't think so. A vulnerability in an OS platform that is trumpeted as being this great unhackable OS, a vulnerability such as this, has major consequences. Anyone saying that this is not something major is making an attempt to slide things under the carpet.
 

praka123

left this forum longback
what @gary said is agreeable :p . well, with security holes in vista or xp, microsoft can sit quietly until a warez hacker group makes it open :lol:

but with opensource, it is found any how, fixed! that's how collaboration works! not like sitting, sweating in a redmond closet!
 
One of the reasons OSS is so secure is because when a hole is spotted, there are a huge number of people competing against each other to fix it.

Whereas in windows and macintosh, due to shortage of staff, holes take months, in fact years, to get fixed, a time frame in which deadly large scale attacks can be leisurely planned and executed.
 

praka123

left this forum longback
^well, they hide their bug reports inside closets you know! :D

this is the human-understandable report of the same. the original article is plain FUD! it purposefully wanted to portray OSS in a bad way.

Debian Linux got a bit of a black eye this week with the announcement that a nasty cryptographic vulnerability exists in its version of the OpenSSL package.

Debian, especially its stable branch, is widely regarded as perhaps the most bulletproof Linux distribution.

Debian also has the not undeserved reputation of being difficult for those new to Linux to install and manage.

The Debian maintainers apparently created the vulnerability by deleting code that seeded the random number generation used to calculate encryption keys.

The result was that the random number generator used in Debian's OpenSSL package was predictable, leading to cryptographic keys that might be guessable.

Debian Security Advisory DSA-1571-1 states: "Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though."

The advisory also publishes the URLs for a detector of weak encryption keys, as well as the location of instructions about how to implement key rollover.

The vulnerability only exists in Debian and Debian-derived Linux systems, but those also include the Ubuntu versions of Linux that have lately become quite popular among casual desktop Linux users.

The problematic OpenSSL code appeared in the Debian unstable distribution on September 17, 2006 and has since been propagated into the current stable and testing distributions named Etch. The previous stable Debian distribution named Sarge is not affected.

Many Debian Linux desktop users shouldn't be affected by this Secure Sockets Layer (SSL) bug unless they've generated cryptographic keys for Secure Shell (SSH) access between systems or digital signing or authentication certificates.

However, techies who administrate Debian based Linux systems that traffic in certificates might be scurrying about somewhat in coming days as they apt-get the upgraded OpenSSL package and regenerate and roll over cryptographic keys and certificates.
www.itnews.com.au/News/76080,openssl-bug-found-in-debian-linux.aspx
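The two quoted articles above (the first post's "reduced the amount of entropy" paragraph and the itnews paragraph about deleting the code that seeded the random number generator) describe the same mechanism: once the only variable input reaching the PRNG was the process ID, the whole key space collapsed to roughly the 32768 possible PIDs, which is why a precomputed blacklist of weak-key fingerprints (the "detector of weak encryption keys" DSA-1571 links to) plus key rollover was the defender's answer. The script below is an added toy model of that situation, written for this thread; it is not OpenSSL code, not Debian's patch, and the key derivation is a constructed stand-in. The PID_MAX value, the hash-based "key" and the one-key-per-PID mapping are all simplifying assumptions.

```python
"""
Toy model of the Debian OpenSSL entropy loss (DSA-1571), added as an
illustration for this thread. Nothing here is OpenSSL's or Debian's code:
the key derivation is a constructed SHA-256 stand-in for the real
PRNG -> key pipeline, and one key per PID is a simplification.
"""
import hashlib
import math

PID_MAX = 32768     # Linux default pid_max of the era (assumed here)
KEY_BITS = 256      # toy key length; real RSA keys were 1024/2048 bits


def toy_keygen(seed_material: bytes) -> bytes:
    """Derive a KEY_BITS-bit 'private key' from whatever entropy we got.
    Constructed stand-in for the PRNG -> key path, not OpenSSL's."""
    digest = hashlib.sha256(b"toy-key-v1|" + seed_material).digest()
    return digest[: KEY_BITS // 8]


def weak_keygen(pid: int) -> bytes:
    """Broken path: the PID is the only entropy that reaches the PRNG."""
    return toy_keygen(pid.to_bytes(4, "big"))


def healthy_keygen(pid: int, os_random: bytes) -> bytes:
    """Fixed path: PID plus real OS randomness (e.g. /dev/urandom output)."""
    return toy_keygen(pid.to_bytes(4, "big") + os_random)


def fingerprint(key: bytes) -> str:
    """Short fingerprint of a key, the form a blacklist would store."""
    return hashlib.sha1(key).hexdigest()[:16]


def build_blacklist() -> set:
    """Defender's precomputation, as the openssl-blacklist / ssh-vulnkey
    approach did: enumerate every key the broken generator could ever
    emit and keep only the fingerprints."""
    return {fingerprint(weak_keygen(pid)) for pid in range(1, PID_MAX)}


def is_weak_key(key: bytes, blacklist: set) -> bool:
    """The check an admin runs during rollover: is this key in the weak set?"""
    return fingerprint(key) in blacklist


def key_space_bits(blacklist: set) -> float:
    """Effective entropy of the broken generator from its output set size;
    for PID-only seeding this is just under 15 bits instead of KEY_BITS."""
    return math.log2(len(blacklist))


if __name__ == "__main__":
    bl = build_blacklist()
    print(f"weak keys enumerable: {len(bl)} (~{key_space_bits(bl):.2f} bits)")
    # Constructed sample: a key made on a patched box with 32 bytes of
    # OS randomness, and one made on a box with the broken package.
    good = healthy_keygen(1234, bytes(32))
    bad = weak_keygen(1234)
    print("healthy key flagged:", is_weak_key(good, bl))   # False
    print("broken-path key flagged:", is_weak_key(bad, bl))  # True
```

Building the full blacklist takes well under a second because the whole space is only 32767 keys; that, rather than any weakness in the algorithms, is the entire problem the advisory describes, and it is why regenerating keys (rollover) on a fixed package is the only remedy once a key has been flagged.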
 
OP
iMav

iMav

The Devil's Advocate
One of the reasons OSS is so secure is because when a hole is spotted, there are a huge number of people competing against each other to fix it.

Whereas in windows and macintosh, due to shortage of staff, holes take months, in fact years, to get fixed, a time frame in which deadly large scale attacks can be leisurely planned and executed.
so true, The 25 Year Old BSD Bug got fixed

and I really don't understand the concept of hiding a flaw. In OSS there is community development and hence it is essential that the bug is known; as metal said, there is competition between people to release a patch. But Windows is not a community based OS, it is proprietary software. MS comes out with updates from time to time for flaws and expects people to update their copy; the kb articles explicitly mention the flaw being patched, so there is no need for MS to talk about a flaw ;)

oh damn i forgot who i was explaining things to :oops:

btw where does MS fit in, why are you making desperate attempts to turn this thread into a flame war and get it locked? this is the problem with you OSS guys, every time you start comparing OSS with Windows (and get pwned) :lol:
 

praka123

left this forum longback
oh well! OS structure is NOT so simple to get! many OSS devels are teens even, you know! they are helping the community driven OS to be more secure day by day!
well, my ignorant os lover, M$ is NOT opening or showing what all bugs it has! their community thing is a mere exercise to put sand in the eyes of viewers :lol:

well, it is pointless to argue with ppl like "...." who support m$ be it whatever! It is like you want democracy (India/FOSS) or Shari-ath (Saudi arabia/microsoft and apple) :rolleyes:

I think, m$ is anyway going down in the OS business na? I am happy :) thankfully ppl will move to Linux I believe :)
 
so true, The 25 Year Old BSD Bug got fixed

and I really don't understand the concept of hiding a flaw. In OSS there is community development and hence it is essential that the bug is known; as metal said, there is competition between people to release a patch. But Windows is not a community based OS, it is proprietary software. MS comes out with updates from time to time for flaws and expects people to update their copy; the kb articles explicitly mention the flaw being patched, so there is no need for MS to talk about a flaw ;)

oh damn i forgot who i was explaining things to :oops:
the 25 year old BSD bug ?

That was a big exception, and was present even in macintosh. The problem was, people are always looking at outer services and kernel code, because they feel the core is perfect. This was a programming mistake in the very heart of the kernel. Nobody expects such stupid mistakes. It's like finding there to be an error in iostream.h. It's totally unexpected. And it's not even security related, hence 70% of the institutional developers, like google, CERN, etc, whose main concern is security, then features, never bothered with it.

And you pinpointed the problem with MS. If they talk about the flaw, someone may exploit it before a patch is released. But if they keep quiet, it may be discovered by a few people who will exploit it for a long time, since patches from MS take time to arrive.

PS: what's kb? you had said something about kb articles...

oh well! OS structure is NOT so simple to get! many OSS devels are teens even, you know! they are helping the community driven OS to be more secure day by day!
well, my ignorant os lover, M$ is NOT opening or showing what all bugs it has! their community thing is a mere exercise to put sand in the eyes of viewers :lol:

well, it is pointless to argue with ppl like "...." who support m$ be it whatever! It is like you want democracy (India/FOSS) or Shari-ath (Saudi arabia/microsoft and apple) :rolleyes:

I think, m$ is anyway going down in the OS business na? I am happy :) thankfully ppl will move to Linux I believe :)
please don't start arguing again. He was acting very civil. It was you who went biff biff bang bang on him this time.
 
OP
iMav

iMav

The Devil's Advocate
PS: what's kb? you had said something about kb articles...
kb stands for Knowledge Base. Every update MS releases has a corresponding kb article which gives all the details about the particular update; all MS help & support articles on the MS site are numbered as KB xxxxxx.

not sure about xp, but the Vista update center shows the basic details about the update and has the link to the complete KB article for the update.
 

techtronic

I Always Prefer 1080p
I accept what praka123 says when it comes to cross platform compatibility.
Linux distros at least recognize NTFS partitions and allow the read option. Using ntfs-3g and FUSE, writing to NTFS drives in Linux is possible.
On the other side, Windows shows ext3 partitions as unrecognized in the Disk Management tool.

Even after a deal with Novell, Microsoft is not very open in supporting Open Source Platform.
 

CadCrazy

in search of myself
So much for being secure & not hackable :lol:

How about one hole in thousand years(Linux) & thousand holes in one year(Windows) ?? :D

BTW Praka and I already posted the news

www.thinkdigit.com/forum/showthread.php?t=87864
www.thinkdigit.com/forum/showthread.php?t=88142
 

Cyrus_the_virus

Unmountable Boot Volume
:lol:

Finally, after years of trying to dig hard to find security holes, Anti OSS dumps found out 1 vulnerability when MS products had over 1000+ vulnerabilities in the same time.. whoa, we should congratulate iMav for posting it here :lol:

hypocrites!!:rolleyes:
 
:lol:

Finally, after years of trying to dig hard to find security holes, Anti OSS dumps found out 1 vulnerability when MS products had over 1000+ vulnerabilities in the same time.. whoa, we should congratulate iMav for posting it here :lol:

hypocrites!!:rolleyes:
dude, don't forget you are in FOSS. Here, we congratulate finders of bugs as much as patchers of bugs, because here there is nothing called pride. We just strive for perfection. If MS bugs are given out in public, they complain of defamation. But here in GNU, it's very much different.

The biggest thing microsoft can do to help linux is use all its resources to find linux bugs, then publish excessive advertisements everywhere saying linux sucks, it's full of bugs, see here, here and here. This supposedly anti-linux operation by MS would ensure that Linux stays secure :p
 