Posted on 05/25/2008 3:18:15 PM PDT by PapaBear3625
Not to minimize the magnitude of the oversight. It's huge. But the fallout appears to be limited to the (not inconsiderable) inconvenience to administrators having to reissue valid keys. Just as no white hats noticed the hole in the system (as they should have), no black hats appear to have either. Hence, there's been no rash of reports of Linux systems being pwned as a result of the bug. There are reports of an upswing in attempts to exploit the bug, of course, but by now distro maintainers have plugged the hole, and one hopes that any user savvy enough to install and use an SSH server is savvy enough to have regenerated secure keys. Ubuntu, for instance, doesn't install the server by default.
Admittedly it's nothing more than dumb luck that the bug was found by the good guys first, but regardless, this huge hole has thus far not been widely traveled before (hopefully) being plugged.
Not "would"--"could" is the operative word here. Just think if this was a MS programmer. The number of people affected would be much greater, and no one would have found it before it got exploited.
Personally, I was not affected as I don't use Debian-based distros. Not only was this limited to Linux, but it was limited to a small subset of linux users.
> It all comes down to the fact that Linux really is not ready for prime time.
I disagree. Possibly more significantly, IBM disagrees — they are giving up their own OS in favor of Linux, a process that started ten years ago now. If you’re arguing that IBM is no longer a going concern, well... between you and IBM, I know which company I’d rather have stock in.
I also have been in the IT industry for more than 20 years. At home, I have Mac and Linux servers, but my main machine is a laptop PC running Windows — because I must have Windows when I interact with people like you — with my real work done in Linux virtual machines. Because Windows is such a dog, it *must* be the host until I get a laptop with virtualization technology built in. In the nearly four years I’ve used this laptop, I’ve had to reinstall Windows three times — in three machines running Linux in that time (one physical and two virtual), I have *once* reinstalled Linux — and that was by choice, because I wanted to standardize on one distribution.
I wouldn’t use a Windows server if I had any choice at all — having been a consultant for more than ten years, I have watched Windows servers actually nearly close two different small companies. When Unix servers are in use, then typically the only problems are human error... and a decent backup strategy is all you need for recovery.
Setup times, like all other tasks, depend on what you are familiar with. If you want printer and file sharing, if you’ve installed any recent GUI-based distribution, you can do it pretty much the same as you do on Windows: look for “Network”, then “Sharing”, in the menus.
If you can’t get a good Linux person, there’s a problem with your interview process, not the lack of candidates.
Ask for 128-bit and only get 15-bit? That’s a big screw-up.
Meanwhile, companies like the New York Stock Exchange are pulling it back in rather quickly.
Plus, Mac uptake is drastically on the rise, and OS X is crammed full of free software.
BTW, every one of your W2K3 servers has free software on it.
You see, I can say almost the exact opposite in regards to Linux. I guess it all comes down to the sheer moments of terror one has experienced and which OS has more often than not been the culprit (for you Windows, for me Linux).
As for IBM, I hesitate to support any OS direction of theirs since OS/2.
As for "there's a problem with your interview process, not the lack of candidates," maybe so.
Instead of 128 bits there are only 15?
Ouch.
That's a decent summary of the problem, yeah.
The good news is the bad code is fixable, and being Open Source, that's pretty straightforward.
The bad news is there are tens of thousands of bad keys, generated over the past two years by Debian, Ubuntu, etc. users, and copied to all variety of systems (Unix, Linux, Mac, Windows) that are compromised and have to be re-generated and replaced.
That programmer should be made to write on the blackboard (NOT using a text editor, using CHALK!):
"I will not change code I don't understand."
"I will not change code I don't understand."
"I will not change code I don't understand."
"I will not change code I don't understand."
"I will not change code I don't understand."
...
Dang, that's one hell of a drop!
I haven't seen it anywhere, has he been identified? Gotta think this is the kind of thing that can follow a guy around.
> I haven't seen it anywhere, has he been identified? Gotta think this is the kind of thing that can follow a guy around.
I think I saw a name (or names) associated with the error, which was made at Debian. Maybe on the original Slashdot post a couple weeks ago. But the responsibility actually extends farther within the Debian group than just that programmer.
That individual was responding to automated "bug-identification" software, which flagged things like reading uninitialized memory locations. Well, hell, that's a randomizing variable! But the programmer, not understanding the point of the code (good lord), eager to get the code to compile without warnings, COMMENTED OUT the randomizing lines, leaving in only the one that used the current process-id, which is 0-32767.
A larger problem was that his/her group at Debian apparently approved the changes! So there's plenty of poop to pass around.
Overall, the apparent feud between Debian and the other Open Source (OpenSSL) folks, in which Debian personnel refuse to communicate with original authors when changing code, is the most responsible aspect. That's just stupid, stupid, stupid -- and completely avoidable.
Note that I'm not personally involved in any of those projects; so not only don't I have an axe to grind, but all the above is 3rd-hand. So there could be errors in my re-telling.
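An added toy illustration of the entropy loss described in the post above; it is not code from the thread or from OpenSSL/Debian. The hash-based "key derivation", the 16-byte buffer and the PID range constant are assumed stand-ins, and the blacklist function models the defender-side check distros shipped rather than any real key format.

```python
import hashlib
import secrets

# Linux PID range the post refers to (0-32767): the only seed input left once the
# uninitialized-memory mixing was commented out.  (Assumed constant for this toy.)
PID_MAX = 32767

def seed_material(pid: int, uninit_buf: bytes) -> bytes:
    """Intended seeding: mix the PID with whatever bytes happen to sit in an
    uninitialized buffer.  Toy model only, not OpenSSL's real RAND code."""
    return pid.to_bytes(2, "big") + uninit_buf

def seed_material_broken(pid: int, uninit_buf: bytes) -> bytes:
    """Debian-style variant: the buffer line is 'commented out', so only the PID remains."""
    # return pid.to_bytes(2, "big") + uninit_buf   <- the removed entropy source
    return pid.to_bytes(2, "big")

def derive_key(material: bytes) -> str:
    """Stand-in for key generation: a deterministic hash of the seed material."""
    return hashlib.sha256(material).hexdigest()

def count_distinct_keys(seed_fn, samples: int = 50_000) -> int:
    """Generate keys for random PIDs (fresh 'uninitialized' bytes each time, constructed
    here with secrets) and count how many distinct keys actually come out."""
    keys = set()
    for _ in range(samples):
        pid = secrets.randbelow(PID_MAX + 1)
        keys.add(derive_key(seed_fn(pid, secrets.token_bytes(16))))
    return len(keys)

def build_weak_key_blacklist() -> set:
    """Defender's check, in the spirit of the distro blacklists: enumerate every key
    the broken seeding can ever produce, once, over the whole PID space."""
    return {derive_key(seed_material_broken(pid, b"")) for pid in range(PID_MAX + 1)}

WEAK_KEYS = build_weak_key_blacklist()   # exactly 32768 entries

def is_weak_key(key: str) -> bool:
    """True if this key could only have come from the PID-only seeding."""
    return key in WEAK_KEYS

if __name__ == "__main__":
    print("broken seeding, distinct keys :", count_distinct_keys(seed_material_broken))
    print("intended seeding, distinct keys:", count_distinct_keys(seed_material))
```

With the intended mixing every sample yields a new key; with the PID-only seeding the set saturates at 32768 no matter how many keys are generated, which is why a precomputed blacklist could identify affected keys.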
Let's hope it's not as buggy as this LOL. Someone commented out the functioning areas, and not one of the supposed "many eyes" caught it for years? So much for the theory open source helps security. This appears to be one of the primary security algorithms for Debian/Ubuntu Linux and all their derivatives, of which there are many.
The BSD FTP and Telnet clients in Windows are pretty solid.
> Someone commented out the functioning areas, and not one of the supposed "many eyes" caught it for years? So much for the theory open source helps security.
Poor programming can slip through any development process, and this is a very good example of stupidity in programming getting through. OTOH, at least we know this will get fixed quickly. MS and Apple have been known to sit on bugs for a while. How long did MS take to fix that really dumb RPC rollover programming bug?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.