Print 101 comment(s) - last by bigdawg1988.. on Jun 8 at 10:49 PM

It is incredible just how big the effects of the newly discovered error in open source key generation is

For all the criticism of Microsoft and its security flaws, the software giant has made an impressive turnaround.  While Vista has been derided for a variety of reasons, most would agree that it’s much more secure than Windows XP.  Recently, a hacker conference showed just how vulnerable systems running Mac OS X are, due to their slow rate of patches.  The Mac machine was hijacked within 10 minutes, while the Linux and Windows boxes survived the day.

Now an even worse security flaw has been found in some of the basic code used by a wide variety of Linux security programs.  The error originated back in May 2006 when workers on the open-source security project committed a grave and unrealized error. 

A simple programming error reduced the entropy in the generated program keys created by the OpenSSL library.  Why does this matter?  The OpenSSL library's key generation and other routines are used by the SSH remote access program, the IPsec Virtual Private Network (VPN), the Apache Web server, secure email clients, programs that offer secure internet portals and more.

Just two lines of code created crippling security holes in four different open source operating systems, 25 application programs, and millions of internet-attached computer systems.  The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years.  A patch has been distributed, but that can do nothing to repair the damage that has occurred to compromise systems.  Worse yet, it appears that through the installation of compromised keys on other systems, numerous systems not even running the code have likely been compromised.

To understand the error fully, a basic discussion on cryptography is essential.  On a network anyone can peek at traffic, which is bad news for anyone sharing personal information.  However, by using keys, information can be encrypted and then decrypted on the other side by a friendly computer with the proper key.  As a "secure key" is typically 128 bits, which is 2128 or about 3.4*1038, the possibility of breaking the key by merely by a brute force attack is out of the realm of modern computing power.  A brute force attack simply involves guessing every single number, but to try to do this on a number of this size would take many years.

However, the system falls apart if the computer can only make a small set of keys, despite the large key size.  To a normal user the key looks fine, it’s the right size, and the data is being encrypted as it’s sent out.  However, to the malicious user they can now use brute force attacks to guess the key and monitor your activity, opening the door to surveillance and exploitation.  This is exactly what has resulted based on the newly discovered error.

The error reduced the number of keys that Linux can generate from 2128 to approximately 215.  The error was not caught until now because the keys were still 128 bits and to the human eye looked random.  If the system had consistently produced one key, this problem would have been caught, but instead it produced a variety of keys, but a much smaller variety.  The number of keys the system can generate varies with processor architecture, the size of the key, and the type of the key, but all keys using the flawed code will be greatly reduced in their number of possibilities.

Now that the floodgates are opened, a hacker HD Moore of the Metasploit project has released "toys" to help malicious users crack the poor defenseless Linux and Ubuntu boxes.  Moore's website provides lists of precalculated keys based on the bug, to allow malicious users to easily identify vulnerable systems.

Fixing the key problem is not as simple as fixing a buffer overflow vulnerability, another typical security flaw.  As the keys generated our actual files, merely patching the system will not change these files.  Every single key will need to be replaced in a difficult and time consuming process.  Further keys need to be certified and distributed, which takes more time and is error prone.

Debian, the Linux variant used largely by security professionals, and Ubuntu, the variant most commonly used by home users are both affected.  Furthermore, Windows servers may be compromised as well if they are using keys generated on Linux systems. 

Ironically the bug originated from an automated tool known as Valgrind which is supposed to reduce programming bugs which lead to security vulnerabilities.  It found that a block memory was not being properly initialized, meaning that it would contain random information.  The automated tool politely inserted code to clean up the block of memory making it all zeros.  The only problem was that the system was intentionally using the block's unknown to get randomness to generate the keys.  The library also gets randomness from mouse movements, keystroke timings, network packet arrival timings, and even microvariations in hard drive speed.

The Valgrind code caused errors, so the programmers simply commented out all the code, including the other methods of generating randomness on accident.  Only the code which utilized the process ID, an integer ranging from 0 to 32,767, remained to provide randomness.  It turns out the "fix" turned grievous error was not the work of the OpenSSL programmers themselves, but of the Debian team, known for their security expertise. 

OpenSSL developer Ben Laurie raged, "Never fix a bug you don't understand!  Had Debian [sent the bug to us] in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to 'add value' by getting in between the user of the software and its author."

One developer more alarmingly points out that the vulnerability has showed a perhaps fatal flaw in the state of the open source industry and in the computer security in general.  One programmer can make a major change which can be blindly accepted by other developers with little understanding of the implications.  This reckons back to controversial statements made by Steve Gibson, a highly respected security consultant, when a major bug was found in Windows.  Gibson suggested that rather than dumb error, it was an intentional attempt to create an open back door.  While hopefully the Linux vulnerability was not maliciously created, the possibility of such a development remains.

Like Alice in Wonderland, it is often amazing to see just far down the rabbit hole goes in terms of the breadth of these kinds of problems.  And this problem is clearly illustrative that unless a more comprehensive methodology of security development is adopted, these problems will only persist and multiply with time.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Join the open source movement
By gmw1082 on 5/23/2008 11:19:06 AM , Rating: 3
Linux is much safer than windows. It even includes a super secure 128 bit....wait what did you say?...errr...16 bit encryption.

RE: Join the open source movement
By MAIA on 5/23/08, Rating: 0
RE: Join the open source movement
By michal1980 on 5/23/2008 11:54:35 AM , Rating: 4
oh right, now that excuse comes out, for years the linux/unix crowd has been on their high horse about how great open source is...

and bashed windows at every mistake, never have I heard Stuff happens from their mouths

RE: Join the open source movement
By Adul on 5/23/2008 12:22:21 PM , Rating: 3
You do realize this is limited to debian/unbuntu distributions only.

RE: Join the open source movement
By jonmcc33 on 5/23/2008 12:39:48 PM , Rating: 4
Ubuntu, isn't that the most used Linux distro out there? Something like 60% of Linux users using it? That's a huge chunk!

RE: Join the open source movement
By omnicronx on 5/23/2008 12:49:41 PM , Rating: 2
Ubuntu is not widly used as a server OS. In fact I would have to say I would personally never use it as a server OS at all, there are many better distros out there for that purpose. That being said, although this is a big setback, it is no worse off than the countless amount of unprotected users running windows on a workgroup. I would also assume that most people do not even have ssh enabled by default(last time I checked you have to install it manually). All in all, this probably effects a smaller amount of users than one might think, and with automatic updates present on most peoples machines, I would assume that within a month the issue will be almost non existant.

RE: Join the open source movement
By leexgx on 5/23/2008 8:37:13 PM , Rating: 2
but you still need to reset all your keys your self (as the update does not reset all keys on an system)

RE: Join the open source movement
By eion on 5/24/08, Rating: -1
RE: Join the open source movement
By omnicronx on 5/25/2008 2:38:24 AM , Rating: 2
but you still need to reset all your keys your self (as the update does not reset all keys on an system)
No you don't, not unless you issued those keys on that workstation(which would not normally happen). As I said, chances are your server is not debian based, and since these keys are generated by the server, and not the workstation connected to it, there would not be a problem. Have you ever even issued keys in general? Its not something an end-user would normally do, especially not in a workstation environment.

By bigdawg1988 on 6/8/2008 10:49:07 PM , Rating: 2
Oops, my company uses Ubuntu for their servers!
I wonder if our IT people even know?
No, I will not tell you the company name!

RE: Join the open source movement
By wvh on 5/26/2008 12:39:59 AM , Rating: 2
This bug is really mostly relevant to servers. Most people running Ubuntu do so on desktops. I'm a sys admin for several companies, and I don't know any company that runs Ubuntu on servers (yet). I think Ubuntu is not old enough to have replaced other systems.

Debian, that's another story though...

RE: Join the open source movement
By omnicronx on 5/23/2008 12:42:06 PM , Rating: 1
You do realize this is limited to debian/unbuntu distributions only.
And we all know how many people use ubuntu as their primary server OS<caugh>

Systems which are running any of the following releases:

* Ubuntu 7.04 (Feisty)
* Ubuntu 7.10 (Gutsy)
* Ubuntu 8.04 LTS (Hardy)
* Ubuntu “Intrepid Ibex” (development): libssl <= 0.9.8g-8
* Debian 4.0 (etch) (see corresponding Debian security advisory)
I am not too worried, as far as I can tell an update was issued (showed up in auto updater) soon after the bug was announced. I am not downplaying the bug, it was a major mistake, but its not going to bring anyone running a linux server to a hault.. Its not like having access to a workstation is going to give you full access to the server.

RE: Join the open source movement
By leexgx on 5/23/08, Rating: 0
RE: Join the open source movement
By Totemic on 5/23/2008 5:23:05 PM , Rating: 3
You do realize this is limited to debian/unbuntu distributions only.

Actually, the article indicates it affects the keys generated by OpenSSL. Which means ANY OS or application depending on those keys would be vulnerable, not just Debian/Unbuntu.

In fact, the article goes on to mention that even Windows, if it's using a key generated by the flawed library would be vulnerable. I don't think this is an isolated problem.

RE: Join the open source movement
By gss4w on 5/23/2008 7:53:00 PM , Rating: 5
The article is misleading because it does give the impression that it is a flaw in OpenSSL. In fact the flaw was only present in the Debian OpenSSL implementation.

It is true that anyone using compromised keys would be vulnerable. This is why the flaw is such a big deal, you can't just patch the bug in the OS, you also need to reissue the keys.

RE: Join the open source movement
By geddarkstorm on 5/23/08, Rating: 0
RE: Join the open source movement
By omnicronx on 5/23/2008 12:54:07 PM , Rating: 4
I assume that if you have the encryption keys, you can also find out the username and logons of users using ssh as theintruder will be able to see the contents of your traffic. My guess is that this would include authentication, which is what I would consider the main concern of this problem as the intruder could now have full access to the workstation in question.

RE: Join the open source movement
By emboss on 5/23/2008 2:24:15 PM , Rating: 2
The main "problem" is logging the traffic in the first place. The attacker would have had to compromise (to root access or equivalent) a router/machine in between the client and server. While not impossible - some home modem-routers in particular would make tempting and easy targets - it's definitely not script-kiddie stuff. It's far from being a case of simply identifying a machine using a weak keys and owning it.

RE: Join the open source movement
By randy915 on 5/23/2008 6:37:58 PM , Rating: 3
I'm actually glad this happened because the elitest open source people need to be taught a lesson that no platform is ever perfect.

Like Michal1980, get off your high horse.

RE: Join the open source movement
By DeMagH on 5/24/2008 5:27:27 AM , Rating: 2
Well, hopefully windows-haters-bashing-crowd AKA linux-intimate-lovers will shut up for a year or two after this piece of information, and hopefully we won't hear comments everywhere on every forum as before:

- want an antivirus + firewall ? === LINUX PWNS YOU SUCKERS
- want full SECURITY against user stupidity and malware? == LINUX YOU SUCKERS

Then again ... hopefully

RE: Join the open source movement
By shamgar03 on 5/24/2008 5:53:55 PM , Rating: 2
Can gentoo users still do that? =)

By Jack Ripoff on 5/25/2008 12:06:22 AM , Rating: 3
No, only BSD users.

RE: Join the open source movement
By DeMagH on 5/25/2008 1:09:48 AM , Rating: 2
On one condition, also bash those Linux users using ubuntu and Debian distros


RE: Join the open source movement
By mathew7 on 5/26/2008 4:02:31 AM , Rating: 2
I'm sure linux-lovers will still not "shut up". They will say it's 1 bug compared to xxx on Windows. Although I don't like MS, I'm a gamer so I still need Windows, so I tend to do everything in it.

Regarding the Windows-Linux security debate, I have these points:
1.Design:Windows was not designed secure by default (I'm talking about default installations, default user=admin)
2.Majority:Windows is sold with new computers, which means it has a majority of installs (I'm excluding servers, as a well-mantained Windows server is "malware-resistant")
3.Variety:In 10 years, there are less than 20 "kernel binaries" (2000 SPx, XP XPx etc) for Windows, whereas linux has thousands (every kernel version, different distros).

So if you would be a malware-design company, don't you think you would get better profit by targeting a few binaries that are predominant (like Windows XP SP2, SP3)? By targeting linux, you need to invest heavy money and uncover vulnerabilities to exploit in many binaries. And "your client" will pay on "install-base", not on "install-variety".

So for the moment, linux is a safe bet, but if 1 distribution, like ubuntu, catches on, and if they could get 40-50% install base, I'm sure malware designers will start looking at them.
Of course, even in current Ubuntu, the default user is not an admin. So the malware could be contained within 1 user. But this cannot be confirmed, only denied (if someone can do it).

Having said this, the bug that this article describes can be exploited by spies, which get paid by targeting one computer/network. This bug, even if it gets exploited, will not get the media attention that Windows bugs usually get, because it will surely be exploited in corporate network, and those events are usually contained.

By Locutus465 on 5/27/2008 10:26:15 AM , Rating: 1
"Variaty" as you put it can also make it more difficult to do legitimate work like write drivers... I took a kernal driver writing class once and one thing that really stuck out in my mind is that durring the corse of 1 semester there was at least one kernal release that broke all of our work. We seriously couldn't update to the new kernel with out having to relearn some of the driver authering basics we were tinkering with.

Not that we were extreamly knowlegeable driver authers or anything, I'm sure there must be some ways to mitigate the impact. But still, it's a pain that must be delt with on the platform. Consitancy can be a very good thing, just look at vista... Microsoft finally made some long needed chages to the Windows system which did infact break compatibility and now we get to see the entire IT industry (nearly) cry like babies. Everyone keeps talking about waiting for Windows 7, and most don't realize that Windows 7 probably isn't going to be getting rid of most (if any) of the core changes Microsoft made to the API.

I'm sure people will complain less by that point though, mostly because by then they will have finally bit the bullet and started developing for vista.

RE: Join the open source movement
By mindless1 on 5/24/2008 3:38:56 PM , Rating: 2
Actually no. You're trying to arbitrarily stereotype an entire group(s) of users based only on the rantings of a few. However there is something "great" about open source. By it being open the flaw was found. What do you want to bet there are windows flaws that haven't been found only because everyone doesn't have access to the source?

I'm not saying that makes 'nix inherantly better, I'm saying it makes having source available, better, for windows too.

Any OS has enough vulnerabilities that someone given sufficient motive will get in.

Anyone looking for glory will post their exploits and show how.

Windows is simply targeted more often, THAT makes it less secure.

To put it another way, which is less secure?

A) Your car parked in a ghetto with all the doors locked and a $100 bill lying on the dash.

B) Your car parked out in a field with no doors locked.

The former has more security measures but is less secure. Now suppose your wife could see the "source" of the insecurity, if she could see you were about to park in the ghetto with a $100 bill on your dash, she might call you and say something about it being a potential problem, but not sharing this information with those concerned about your security won't necessarily keep it hidden from anyone checking your car with an intent on personal gain.

This wasnt' the first 'nix flaw and won't be the last, but let's face it - the bot armys out there are primarily windows boxes not 'nix. Disagree about why if you like but nevertheless that's the reality of the situation. Similarly IE is the target of exploit far more often than Firefox, Opera, etc. That's not trying to pick on MS, it's just recognizing the state of things as they are.

RE: Join the open source movement
By deeznuts on 5/23/2008 1:40:48 PM , Rating: 2
I don't have a horsse in either race, but:

<S.hit happens ... on every single OS. Did you kow about that ?

It's not supposed to happen on open source though, right? I mean millions of eyes, instead of a team at one company?

RE: Join the open source movement
By Oregonian2 on 5/23/2008 1:50:50 PM , Rating: 4
Difference is that if Microsoft did it, they'd be crucified over hot coals. Linux does it and it's "oh! How dumb, but bugs happen".

RE: Join the open source movement
By omnicronx on 5/23/2008 2:29:05 PM , Rating: 3
The difference being, if this happened to Microsoft, they would have kept it hush hush just so they could not be crucified over hot coals. Every OS is going to have bugs, its inevitable, what it really comes down too is how well these bugs are handled. In this situation I think it was handled pretty well, just as Microsoft has delt with issues very well in the past. Really it comes down to if your sys admin is keeping your systems up to date, if they are, you should not have a problem, if not you are begging for trouble.

This is FUD.
By greyfade on 5/23/2008 12:21:40 PM , Rating: 5
Be careful. This whole article implies that the problem is more widespread than it really is.

Only distributions (like Ubuntu) that use the Debian repositories were affected. NONE of the commercial vendors and most of the other major distributions (RPM-based, source-based, etc.) are completely unaffected. This also only affects keys generated on Debian derivatives.

Further, Ubuntu is distributing with the updated OpenSSH packages a key blacklist and vulnerability assessment utility. Users who have bad keys are being notified at the time of update that their keys may be compromised.

Please don't imply any differently. The situation is under control.

RE: This is FUD.
By mmntech on 5/23/2008 1:33:30 PM , Rating: 2
I agree. People have to keep in mind too that these Linux distros are community developed and offered free of charge. Given Windows swiss cheese security record (IE6, XP pre-SP2), I wouldn't be laughing, especially considering the huge amounts of money backing it. For the record, I wouldn't call myself a Linux fanboy. There's a lot about it I don't like. However, there's an awful lot of Windows Vista fanboys on DailyTech that talk out their butts and they haven't a clue what they're saying.

RE: This is FUD.
By 16nm on 5/23/08, Rating: 0
RE: This is FUD.
By FITCamaro on 5/23/2008 2:16:14 PM , Rating: 2
So if Microsoft has a security vulnerability that affects 1 machine in 1000 they're the dumbest company on the face of the earth. But if a Linux bug that affects the majority of consumer users out there (since Ubuntu is by far the most used consumer variant of Linux), its ok?

And just because the patch exists, doesn't mean people update their software. Granted, if someone is running Linux in the first place, they're likely smart enough to keep their system up to date.

RE: This is FUD.
By omnicronx on 5/23/2008 3:22:49 PM , Rating: 4
And just because the patch exists, doesn't mean people update their software.
If you have ever used ubuntu, you would realize this is probably not the case. As patches are released on a daily basis, there is almost always an updater blinking at the top of your screen informing you of an update.

As most nix users are probably at least 'intermediate to advanced' users, one would think they would probably update on a regular basis. Its also much easier then windows to update and rarely requires a restart. On the other hand I rarely update windows, unless something is not working, or I was heard there was a major security flaw.

RE: This is FUD.
By esandrs on 5/23/2008 3:44:35 PM , Rating: 1
Consumers using Linux as their Desktop OS (the most likely location of Ubuntu) do not generate or issue security keys for secure websites and such - so they will never be affected by the issue.

I believe the affected distros have auto software updating - so unless the user went and turned it off they will be patched.

Feel free to try again to make this bigger than it is...

RE: This is FUD.
By sprockkets on 5/23/08, Rating: 0
RE: This is FUD.
By johnsonx on 5/24/2008 11:47:24 PM , Rating: 2
yes, but how many people use openssl on ubuntu boxes to generate encryption keys? Ubuntu really isn't targeted at servers. That it affects a debian release is somewhat more troublesome.

I don't agree about this being FUD though... it is a big deal. It's an example about a CDT - Certified Dumb Thing - that was done a year ago on a key security system and has not been noticed until now.

RE: This is FUD.
By mathew7 on 5/26/2008 4:13:13 AM , Rating: 2
So if Microsoft has a security vulnerability that affects 1 machine in 1000 they're the dumbest company on the face of the earth. But if a Linux bug that affects the majority of consumer users out there (since Ubuntu is by far the most used consumer variant of Linux), its ok?

When a MS vulnerability appears, it usually means you can run something with system-level access. This bug can make only interception easy, not access. You still need to use another method to gain access. SSH example: you need to intercept a connection to the affected computer and see the users id and password and you still are limited to that users account. Most of known MSs flaws are buffer overflows in services that run at system-level. While some (old) linuxes and BSD still do the same, the trend is to use service-user security. So even is a service is cracked, it still cannot access everything.

RE: This is FUD.
By eegake on 5/23/2008 2:31:46 PM , Rating: 5
Keep in mind that sites like DailyTech, ZDNet, and their ilk puff every bit of reporting up as big as they can.

There's nothing funnier then the sensationalized humdrum that appears on a slow news day/week, watch for it with that in mind and the pattern will be evident.

RE: This is FUD.
By mikefarinha on 5/23/2008 4:04:26 PM , Rating: 5
You say:
Be careful. This whole article implies that the problem is more widespread than it really is.

The article says:
The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years .

You say:
The situation is under control.

I say: Who knows how many systems have unknowingly been compromised due to this? The end of the linked article mentions the possibility of having unscrupulous people/governments implement hidden back doors into open source apps... If a simple error of this caliber can stand for two years, how long would an intentional hidden breach disguised as functionality go undiscovered?

I think this is debunking the 'many eyes' argument yet again.

RE: This is FUD.
By Alexstarfire on 5/23/2008 5:19:17 PM , Rating: 2
Probably quite long, but that depends on what it really is. Do you think they are really going to take the time to test out all 2^128 keys that it's supposed to be able to generate? I think not. That'd be an incredible waste of time. Hell even 2^15 would take quite a while to check.

I think that his point of saying the situation was under control is that the update was issued pretty quickly. Sure, it's been vulnerable for 2 years, but it was going publicly discovered 10 days ago. Not that having it open for that long is good, but once it was known they tried to fix it ASAP.

RE: This is FUD.
By radializer on 5/23/2008 9:17:22 PM , Rating: 3
Hell even 2^15 would take quite a while to check.

Seriously? Or are you kidding?

2^15 allows 32768 individual keys. At even a very pedestrian rate of 1sec per generation and checking of each key, that would take all of ~ 9.5hrs roughly.

Even if we were to assume a deathly slow rate of 10secs per generate+check event, it is still less than 4 days.

The trick obviously is suspecting a problem in the first place. That being said, I'm really not too sure how much of the "raging" by Ben Laurie is just a case of hindsight being 20/20.

RE: This is FUD.
By Alexstarfire on 5/24/2008 8:44:26 AM , Rating: 2
I guess you're assuming they'd use a computer to check them. As you said, they'd have to suspect something first. I was simply talking about noticing the problem. While 2^15 is paltry compared to 2^128; how many people honestly even look at the encryption key? I'm betting not many. Also, even those that do likely wouldn't even notice a difference. And that was kind of my point.

RE: This is FUD.
By JPForums on 5/29/2008 10:48:52 AM , Rating: 2
I second the comment on 2^15 being a quick check. They moved away from 64 bit (2^64) because brute force attacks on it were viable. However, I would be remiss not to point out the flaw in this comment:

The trick obviously is suspecting a problem in the first place. That being said, I'm really not too sure how much of the "raging" by Ben Laurie is just a case of hindsight being 20/20.

Ben Laurie didn't author the error. The error doesn't exist outside of Debian based distros (Read: Distros that didn't modify his code don't have a problem). Why would he suspect a problem if he wasn't told his code was modified? Further, why should he scrutinize someone else's variation of SSL when it would be easier for him to fix whatever problems may or may not exist with his code and give an updated version and/or support to the distribution?

I'd be "Raging", too, if someone screwed with my code and a bunch of "tech" sites jumped on it without clearly defining that it wasn't my library with a problem, but rather someone else's mod. In fact, the OpenSSL library should not have been mentioned directly, as it doesn't contain the flaw. Rather, the issue should be clearly defined as a distribution issue that stems from Debian's version of SSL, based on the OpenSSL library. Any article should then be quick to mention that OpenSSL doesn't contain the flaw.

The Debian writers either didn't understand the code in the first place, or didn't check their code checker to make sure it didn't do something stupid. In either case, I have to wonder at their reasoning for not disclosing the fact that they had issues with the library to the library writers. (I.E. Our code checker says your code is wrong. Please fix it.) Seems to me that they wanted to be the only ones with a "Fixed" OpenSSL library. Not exactly in the spirit of the open source community IMHO.

I'm not a Debian (or derivative) user, so I have to ask whether or not the average user would know that Debian was using a modified library. The whole "Many Eyes" theory kind of breaks down if many eyes are looking at the original OpenSSL source (which didn't have a problem) and relatively few are scrutinizing the Debian specific code.

I should also mention the problem isn't limited to servers. The largest part of the problem is limited to servers (of which Debian distros are a minority), but there also exists a remote access problem in that Debian's OpenSSH keys will inherit the vulnerability. That said, the damage would ideally be limited to the account in question. Of course, this assumes you aren't SSHing into root access accounts, or switching to a root access account while your remote terminal session is being sniffed.

By L33tMasta on 5/23/2008 11:07:17 AM , Rating: 4
-Bill Gates

By JasonMick on 5/23/08, Rating: 0
By EntreHoras on 5/23/2008 12:08:22 PM , Rating: 2
You can ask for a job in SNL

By odessit740 on 5/23/2008 12:24:29 PM , Rating: 3
That wasn't Gates, it was Sean Connery.

By FITCamaro on 5/23/2008 2:00:58 PM , Rating: 3
Does it matter? It's still awesome. One of the best SNL moments ever.

By i3arracuda on 5/23/2008 11:33:09 AM , Rating: 2
Commence primary ignition!

By exploderator on 5/23/08, Rating: 0
Open Source
By michal1980 on 5/23/2008 11:10:19 AM , Rating: 4

Who do you blame now? everyone!

RE: Open Source
By rippleyaliens on 5/23/2008 11:48:11 AM , Rating: 5
Bill Gates=

"Everything is going as planned."


"You dont know the POWER of the Dark side"

RE: Open Source
By nosfe on 5/23/2008 12:03:17 PM , Rating: 3
come to the dark side, we get fresh eggs, daily

RE: Open Source
By FITCamaro on 5/23/2008 2:01:31 PM , Rating: 2
And bake cookies.

Affects Debian and it's variants only
By dlapine on 5/23/08, Rating: 0
RE: Affects Debian and it's variants only
By Spivonious on 5/23/2008 12:39:43 PM , Rating: 4
From the same article you quoted:

"The number of virus infections found by a virus vendor does not necessarily equal poor security," wrote Kleef in a blog post. "In many cases it equals poor user behaviour. If I, despite all prompting and consent behaviour, choose to go to a (probably dodgy) Web site, accept the ActiveX control prompts to download (probably dodgy) code and I actually choose to execute that code then I'm hosed."

This is not a Windows/Vista issue. It's a user knowledge issue.

RE: Affects Debian and it's variants only
By michal1980 on 5/23/2008 1:53:45 PM , Rating: 2
Even with constant UAC prompts it looks like 26% of people are just computer noobs

By FITCamaro on 5/23/2008 2:12:11 PM , Rating: 3
UAC doesn't stop you from doing something stupid. It just tells you when you're about to. Whether or not you know its stupid is the problem. Most people don't. UAC just pops up and people click continue.

I like it how they compare Vista with 2000. First of all, far fewer people are using 2000. 2nd, even when it was in wide use, there were far fewer people with computers.

It is a battle that Microsoft will never be able to win. People will continue to get even more ignorant about the operation of their PCs. As long as Windows remains the OS the majority of people use, it will be exploited.

By PWNettle on 5/23/2008 3:34:14 PM , Rating: 2
Indeed. The best OS security in the world can't prevent user-driven stupidity.

In most cases it's stupid user behavior, not OS vulnrabilities, which Windows has had too.

I'm sure Linux has other vulnrabilities. If more people used it and hackers gave a crap they'd get found more frequently.

It's tempting to say "hah, take that Linux users" with a discovery like this but I don't really see anything positive about security issues of any kind affecting any OS, especially with an issue like this that could affect servers and thus affect any of us regardless of your home or work server OSes.

RE: Affects Debian and it's variants only
By Yawgm0th on 5/26/2008 3:46:15 AM , Rating: 1
This is not a Windows/Vista issue. It's a user knowledge issue.

While I agree that it's largely an operator error, the truth is that for the most part, almost no web-based malware of any kind exists that does anything to a Unix-like operating system. What little there is targets Mac more than Linux. Active X specifically is an inherently insecure technology used on Window. It is used by many sites for malware distribution, and without it web browsing would be a much safer experience on Windows.

By Spivonious on 5/28/2008 11:15:58 AM , Rating: 2
Since IE5, the user has had to give explicit permission for embedded ActiveX controls to run.

How Ironic (XKCD)
By mikefarinha on 5/23/2008 11:16:11 AM , Rating: 2
The Valgrind code caused errors, so the programmers simply commented out all the code, including the other methods of generating randomness on accident. Only the code which utilized the process ID, an integer ranging from 0 to 32,767, remained to provide randomness.

This is exactly what the XKCD comic joked about last Friday!

Insider knowledge?

RE: How Ironic (XKCD)
By PJMODOS on 5/23/2008 11:28:42 AM , Rating: 3
This is exactly what the XKCD comic joked about last Friday!
Insider knowledge?

No just old news.

RE: How Ironic (XKCD)
By fezzik1620 on 5/23/2008 11:55:34 AM , Rating: 2
Yeah, it says right in the article:
The vulnerability was publicly discovered for the first time May 13...

RE: How Ironic (XKCD)
By fishmahn on 5/23/2008 11:29:08 AM , Rating: 2
This error has been known for a week or so (in the security 'industry'), so maybe not.

RE: How Ironic (XKCD)
By tayhimself on 5/23/2008 11:48:54 AM , Rating: 2
There are already updates to fix this in Ubuntu (6.06 and above). Remember to regenerate your SSH keys though.

whats the big deal?
By Falloutboy on 5/23/2008 12:12:05 PM , Rating: 2
what is the big deal? bug was found and very quickly after it was found a patch was released. all software will have vulnerabilities, and the only real fix to that is having the ability to quickly patch when they are found, which open source software allows for since your not relying on Msoft to do it, anyone can get in the code find the problem and fix it.

RE: whats the big deal?
By FITCamaro on 5/23/2008 2:07:23 PM , Rating: 2
Yes but the problems of people getting the patch still exist. Microsoft publishes patches for security vulnerabilities usually within a few days.

Hopefully examples like this go to show that not all is perfect though in the world of open source. Linux is not a magical OS that has no issues. It is software just like Windows, and bugs can exist or be introduced.

RE: whats the big deal?
By the goat on 5/23/08, Rating: 0
RE: whats the big deal?
By FITCamaro on 5/24/2008 2:17:06 AM , Rating: 2
Go out and read the actual facts on Microsoft's patch history. Most critical security vulnerabilities are patched in a few days. Dr. Ford at Florida Tech even did a paper that showed Microsoft on average patched security issues faster than Linux. I remember when he published it. He had 10,000 hate emails in his inbox the next day. I remember joking with him about it.

RE: whats the big deal?
By mathew7 on 5/26/2008 4:22:55 AM , Rating: 3
Just curious: the patches were a few days after being found, or after being published? I don't know the answer, but I know that some security companies find bugs and give MS some time to fix them before releasing the bug to the public.

Maybe I'm just paranoid, but conclusions/statistics can be skewed towards a goal.

grave and unrealized error?
By Baked on 5/23/2008 12:19:18 PM , Rating: 2
I think not! Isn't it obvious that they inserted the so called "error" by "accident" so while everybody got the false sense that *nix is the sh1t, they can go around hacking into people's network w/ the master key. There are no accidents, everything's planned. GG.

RE: grave and unrealized error?
By omnicronx on 5/23/2008 12:57:25 PM , Rating: 2
The thing you have to remember about open source, is that when problems like these are found, they are actually documented and released to the public. If anything like this ever happened with a microsoft product, we would probably never even hear anything about it, you would just see yet another 'critical windows update' in windows update, with no description ;)

RE: grave and unrealized error?
By just4U on 5/29/2008 4:11:36 PM , Rating: 2
Perhaps, but I've always wondered about open source. If you know enough about the code doesn't that give you a leg up on cracking into systems... as compared to not knowing it all?

What I am thinking here is this. If linux were used by 90% of all computers would it be safer then say.. 90% of all users using Windows?

Somehow I just get the feeling it wouldn't be as more is known about it's whole makeup. Just a thought tho. I haven't used linux.

Mac OS X
By Flunk on 5/23/2008 1:19:58 PM , Rating: 2
I know that OS X includes a version of OpenSSL, does this flaw also affect Macs?

RE: Mac OS X
By Digimonkey on 5/23/08, Rating: 0
RE: Mac OS X
By crimson117 on 5/23/2008 2:38:01 PM , Rating: 4
Only if Mac OSX uses Debian-modified code to call OpenSSL; which is very unlikely.

Glaring inaccuracies
By chsh1ca on 5/23/2008 9:18:03 PM , Rating: 1
Apart from the lack of clarity on precisely what is affected, I also found this to be entertaining:
On a network anyone can peek at traffic, which is bad news for anyone sharing personal information.

This is only true of non-switched networks and/or if you are acting as a router.

Just a question, but does DailyTech have editors and/or verifiers? If not, it might be worth investigating because it seems like lately there's been a much higher rate of failed wording, typos, and quality research being put into articles.

I get this is a big deal for Debian-based Linuxes, but the problem is overstated slightly, through a clear lack of thorough research.

RE: Glaring inaccuracies
By Yawgm0th on 5/26/2008 3:41:39 AM , Rating: 2
or if you are acting as a router.

Yes, as an ARP-poisoning router. Which any host on almost any network can do. I'm not sure which decade you're in, but switched networks are only slightly harder to sniff than networks with collision domains.

Of course this article does have many inaccuracies, and even what you quoted was very poorly stated, but it is not incorrect in spirit. Sniffing traffic within the same subnet in a LAN is extremely easy with ARP poisoning, and very few networks implement anything to prevent ARP poisoning.

RE: Glaring inaccuracies
By chsh1ca on 5/26/2008 9:35:40 AM , Rating: 2
I'm well aware of ARP-poisoning attacks, however that really depends on the hardware available, and it's trivially avoided through broadcast isolation.

Many ISPs prevent this (at least the last three I've had do). Maybe that's unique to Canada or something.

Tired of hearing how quickly the Mac was hacked..
By KeithP on 5/23/2008 1:18:57 PM , Rating: 1
Apple certainly has been slow to fix known problems but I am so tired of hearing how OS X was hacked so quickly. From what I have read, it took weeks to develop the code/web site that was used for the hack. Of course, once all that work was done it wouldn't take long to infect a system.

Second, the Linux box was basically ignored by everyone at that "contest" so of course its security wasn't breached.

Again there is no doubt OS X has security problems. However, there is also no doubt that the outcome of this hacking contest has been completely overblown and distorted by the "press" in regards to the Linux box not being breached.

By BCanR2D2 on 5/24/2008 5:32:45 PM , Rating: 3
I am sure any of the tools at the 'contest' weren't developed there and then, so I don't understand your point???

If you have a prize such as this, of course people will spend time and resources to hack a vulnerability, REGARDLESS of the OS. Apple seems to be gaining a level of animosity amongst the community, therefore is now being targeted in this manner.

Patched but....
By Darkk on 5/23/2008 2:09:46 PM , Rating: 3
Your Debian system maybe patched but what about all those servers? Even Windows server can be hacked using keys generated by Debian OpenSSL code.

It's more widespread than you think considering this been going on for two years. While this was talked about on a utility was posted on how to identify bad keys. I was like...DOH!!!! Yes, they posted ALL the known bad keys on the net so that made things worse and easier for the hacker to get into your systems.

All those Debian admins have work cut out for them to check every server and every app that uses those keys and regenerate them. Then go back and verify the new keys are working as intended. Even systems never used the bad code they still have to check.

Lucky my Debian based router is using an older OpenSSL code that does not have this bug so no worries about my OpenVPN stuff. I even inspected the code to be sure.


bound to happen
By Nyarlathotep on 5/23/2008 3:19:41 PM , Rating: 1
Yeah it was bound to happen. But still you can not ignore the fact that almost all hackers will not damage the free linux community. That makes Linux one of the most secure OS`s what ever security issues come up, they are more likely to get reported instead. I would say windows home server killing peoples data is way more damaging.

Server 2008 is a great OS by the way. Vlited it down to 700 mb. Good stuff, Conan Dx10 here I come.(whenever that happens).

RE: bound to happen
By rs2 on 5/26/2008 12:16:32 AM , Rating: 2
Yeah it was bound to happen. But still you can not ignore the fact that almost all hackers will not damage the free linux community.

That's a rather naive viewpoint. It's kind of like saying if a former bank robber opened up a bank, that would be the safer bank to use because all of his bank robber friends would leave his bank alone. That just doesn't make sense. Bank robbers will rob whichever bank makes the easiest target, and hackers will hack any system that they can easily break into. In fact, given that most "professional" hacks focus on stealing sensitive information (credit card numbers, email addresses, user/pass combos, etc.) off of webservers (most of which are running some flavor of linux/unix OS and various open-source applications), I think your point is invalid on its face. Hackers have no qualms whatsoever with respect to targeting linux systems. Or any other kind of system, for that matter.

By TimberJon on 5/23/2008 11:53:42 AM , Rating: 2
The Net!

Mozarts Ghost man.

poor sad penguin
By kattanna on 5/23/2008 12:13:19 PM , Rating: 2
man that pic is a riot.

Old news, fixed already...
By thornburg on 5/23/08, Rating: 0
RE: Old news, fixed already...
By the goat on 5/23/2008 3:38:43 PM , Rating: 2
Agreed. This article is completely blowing this event out of proportion and giving readers an inaccurate picture of what really happened.

Ubuntu pushed out an update for this last week, mere hours after the bug became public knowledge. The update includes a dialog box that explains the bug. The fact that it has been around for two years and how to regenerate new more secure keys.

Has Microsoft or Apple ever done anything close to that? Their patches take weeks or months to be released after the vulnerability becomes known. And they certainly don't take the time to explain the bug and how it happened to the user.

Has any important person ever actually said, "it is impossible to have a security bug in open source software?" So why are all you windows lovers celebrating this like it proves open source software has failed at something?

A good test for Open Source
By LyCannon on 5/23/2008 8:07:02 PM , Rating: 2
While no one can truly dispute that there will be vulnerabilities is code regardless that it's open source or closed source, the true test for the open source community is:

What will they do about it?

Obviously they have repaired the code, but how will they do with the notification of updates and the reissueance of keys?

I understand that people like to bash Microsoft...hell, so do I :) One of the bashes is not necessarily that they have vulnerabilities, but how quickly they patch that vulnerability AND how quickly do they get machines patched.

We all know about the slow patching of Apple, but I am interested in how quickly these compromised machines will get patched, and how long it takes to reissue all the keys that are weak. If the process is unduly slow, then the community and the world has reason to be upset.

ubuntu = linux?
By larson0699 on 5/24/2008 11:15:11 PM , Rating: 2
I'd like to see ubuntu go the way of Windows. It's as if every noob nowadays blindly settles with such an overrated distro. Yeah, that's right, I said overrated.

It's based on debian for one. I like debian quite a bit as it sets the standard for *cough* other distros, be they debian-based or not (what desktop distro doesn't want to live up to 0day repos).

It's this ubuntu/beryl-on-youtube craze that drives the Linux veteran mad. Give it some more attention, why don't you...

...or opt for a less universal, more tailored OS. And lend your security concerns to its respective forum. Seriously.

it's all Debian's fault actually
By mforce on 5/25/2008 8:01:21 PM , Rating: 2
The way things work with Linux distros is this : You take the open source package from the developers and compile it with your options and stuff and give it to the users. If you have to, I mean really have to, you apply one or more custom patches to it.

Applying patches should only be done if you really have to and you really know what you're doing. Obviously the Debian people in charge of the OpenSSL package only though the knew what they were doing. Had they left the OpenSSL code as is none of this would have happened.

I really liked Debian once , it was the first Linux distro I really liked but just goes to show you that you're much better off with Red Hat or SuSe commercial Linux for your servers ( you can even get a free exact copy of Red Hat Enterprise Linux like CentOS ). Let's not forget Debian is a free community based distro , if you rely on it for your server needs well , it's your problem if something like this happens. Who are you going to blame ?

As for Ubuntu , it's a desktop OS mainly , they're probably going after the server market also but they're going to have to do a much better job then blindly following Debian in their mistakes. And yeah , it's probably overhyped.

By oneforall on 5/25/2008 9:32:38 PM , Rating: 2
Ubuntu != Linux
Linux is the kernel. Slackware,Ubuntu,Red hat ,FC etc are all distributions with the Linux kernel.
This story should be retracted if it was done in a real news paper etc it would have to be. It is false and misleading and not properly thought out. It is ONLY Debian and the other distros based on Debian that used the patch,from back in 2006 onward. Slackware, Red Hat/FC and other rpm distros etc are NOT effected .
for people here that abviuosly can't check things out first before commenting. Their own page admits to it. Yet people are to dumb to check it out and assume its all distros of Linux that are to blame. Linux/distros aren't perfect but strive to be perfect and are a lot more secure than windows.

Grudge against Open Source?
By wvh on 5/26/2008 12:58:05 AM , Rating: 2
You really ought to try harder to write a neutral article. After all, I'd like to get my hands on Windows source code and see how many glorious bugs pop up from that cesspool. You just want to make this a bigger deal than it is.

I do wish that Debian would follow the original source more, though... And keep up a bit better with newer versions. While Debian developers and maintainers do a great job, they have a lot of responsibility and no review of their work. In a way, source can be too open, and some projects too socialist rather than appropriately aristocratic or merit driven.

By greylica on 5/24/2008 2:42:01 PM , Rating: 1
Come on guys, our system is being updated faster, today for example, I received more updates and got a list of killed keys, but my system didn't shut down stupidly like it was done in the Past Blaster/Sasser advent...
And more, before that news break down here on Dailytech, we are receiving updates from Debian and Ubuntu, I've counted at least 10 days after I received the first updates.
And Yes, I am feeling more safe and secure with Linux, than being spyed, blocked, tracked and hijacked by Microsoft Windows Vista DRM schemes.

Anyone with a substantive comment?
By carls on 5/24/2008 5:39:56 PM , Rating: 1
Tho this has degenerated into name-calling and OS bashing, could we just pause for a moment and consider the author's prediction?

And this problem is clearly illustrative that unless a more comprehensive methodology of security development is adopted, these problems will only persist and multiply with time.
***end snip***

In thinking about this, I can't see any warrant for this assertion. In fact, the way this security hole came to light seems to warrant the opposite prediction. My conclusion would be that transparent development helps expose and limit problems. Would this all have come to light if the system had been closed and proprietary? (Oops - didn't mean to continue the bashing. <g>)

Different weights
By thartist on 5/26/2008 1:39:07 AM , Rating: 1
It's known that if it had happened to MS they'd be terribly crucified but...
The difference to my eyes is that MS is much more often caught for security holes and failures than anyone else, be it for it's popularity or faulty coding, so now that a big problem appears for Linux, it sounds much louder.

How serious it is per sé compared to other OS's holes... i can't judge, i don't know.

But don't buy noise.

By Yawgm0th on 5/26/2008 3:54:03 AM , Rating: 1
This is yet another ridiculously slanted, hyperbolic article on operating system security from Jason Mick.

This vulnerability only affects keys generated by Ubuntu and Debian systems. Please, please find me statistics showing that there are millions of users that need OpenSSL connections generated by a system affected with this vulnerability.

While Ubuntu is a very popular distribution on the desktop or laptop and is very user-friendly, the vast majority of Linux users with a serious need for SSL are most likely using servers based on Gentoo, Slackware, Fedora, or SUSE. Debian does have its uses, but is has a relatively low market share. Ubuntu is hardly a real operating system in Linux terms -- as Randal Munroe put it, it's "Windows Vista with a few custom themes" -- and very few serious users will be generating keys on it.

In short, very few users are actually affected by this -- probably not millions -- and few with any real know-how and a serious need for security are affected by this at all. It is not a massive failure on the part of open-source software or the Linux kernel -- just the Debian Project.

By monkeyman1140 on 5/30/2008 12:06:44 PM , Rating: 1
Eh, it will get patched in about 3 days.

Microsoft's holes go unfixed for 6 months at a time or more, no wonder its spyware paradise.

"Nowadays you can buy a CPU cheaper than the CPU fan." -- Unnamed AMD executive
Related Articles

Most Popular ArticlesTop 5 Smart Watches
July 21, 2016, 11:48 PM
Free Windows 10 offer ends July 29th, 2016: 10 Reasons to Upgrade Immediately
July 22, 2016, 9:19 PM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki