Debian needs help
gus3 May 16, 2008 9:52 AM EDT

http://wiki.debian.org/SSLkeys contains a discussion of how to find and replace weak SSL/SSH keys. Among the comments I find there (all emphases added):

> It looks likely that the only remaining source of entropy in the generated keys comes from the PID of the process. This is 16 bits, typically much less effective entropy. So there may, in fact, be just a few thousand possibilities for a specific key size. Looks like 'dowkd.pl' lists about 262,000 entries. -- MarshRay

Critical miss: on first boot of a fresh install, when keys are generated, that PID will have one of just a few likely values, based on general configuration (server/desktop type, pluggable hardware). For those keys, figure 7-9 bits of entropy.

> Do the following for each SSL-encrypted keyfile, replacing with the path to the actual keyfile.

One problem: thanks to disk caching, only the final write will reach the platters on a file that small. [EDIT/clarify:] Disk forensics can still recover the original key file's contents.

> I have as yet not determined how accurate this method is, but it seems to work reliably.

And right there, in a nutshell, sums up the entire attitude that gave rise to this problem. That is the completely wrong attitude to take w.r.t. cryptography fundamentals. You must be prepared to prove, mathematically, that your edits do not compromise key security. The same could be said for most other complex systems (email, FTP, WWW) which have suffered severely compromising exploits (sendmail, WU-FTP, IIS). Did Debian report this bogus "bug" upstream? I suspect not, or they would have found out that it was an entropy source, not amateurish programmer negligence (of which Debian now appears guilty). Is the Debian dev who did this on some kind of probation, at the very least? OpenSSL and OpenSSH are what they are, for a reason. Debian devs had no business tinkering around in the crypto source, just to silence Valgrind's complaints.

In fairness, I'm glad to see the discussion as open as it is. Security students can learn a lot from it, both "should-do" and "should-not-do" for handling security incidents in software. But until I see help from OpenSS[LH] to set this situation right, Debian et al. are on my "avoid" list.
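A toy model of the weak-key problem described in the post above: when the PID is the only entropy source, the whole key space can be enumerated and turned into a fingerprint blacklist, which is the defensive approach dowkd.pl and the Debian tooling took. This is an added example, not code from the thread, from dowkd.pl or from OpenSSL; `toy_keygen`, `fingerprint` and the first-boot PID sample are constructed stand-ins, and `PID_MAX` assumes the Linux default of 32768.

```python
"""Toy model of PID-only key generation and the resulting blacklist check.

Real keys came from OpenSSL's RSA generation; here a SHA-256 over the only
remaining entropy source (the PID, plus architecture) stands in for the
generated key, so the entire key space can be enumerated offline.
"""
import hashlib
import math
import os
from collections import Counter

PID_MAX = 32768  # assumed Linux default pid_max: PIDs are 15 bits, 0..32767


def toy_keygen(pid: int, arch: str = "x86") -> bytes:
    """Stand-in for key generation seeded only by the PID (constructed).
    Deterministic: the same PID on the same architecture always yields the
    same 'key', which is precisely the defect being modelled."""
    return hashlib.sha256(f"{arch}:{pid}".encode()).digest()


def fingerprint(key: bytes) -> str:
    """Toy fingerprint of a key (hex SHA-1), the form a blacklist stores."""
    return hashlib.sha1(key).hexdigest()


def build_blacklist(arch: str = "x86") -> set:
    """Enumerate every PID and record each resulting key's fingerprint.
    Feasible only because the space is 2^15 keys, not 2^2048."""
    return {fingerprint(toy_keygen(pid, arch)) for pid in range(PID_MAX)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """Defender's check: is this key's fingerprint in the blacklist?"""
    return fingerprint(key) in blacklist


def entropy_bits(pid_samples: list) -> float:
    """Shannon entropy, in bits, of an observed first-boot PID distribution.
    Uniform over all 2^15 PIDs gives 15 bits; installs that cluster on a few
    PIDs give far less, which is the '7-9 bits' point made in the post."""
    counts = Counter(pid_samples)
    n = len(pid_samples)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    bl = build_blacklist()
    print(f"distinct weak keys for this arch: {len(bl)}")
    weak = toy_keygen(pid=1337)
    strong = os.urandom(32)  # real randomness: not in the enumerable space
    print("pid-seeded key flagged:", is_weak(weak, bl))
    print("random key flagged:", is_weak(strong, bl))
    # Constructed first-boot PID sample: installs cluster on a few PIDs.
    sample = [2100] * 60 + [2101] * 25 + [2098] * 10 + [2150] * 5
    print(f"first-boot PID entropy: {entropy_bits(sample):.2f} bits")
```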
garymax May 16, 2008 11:00 AM EDT

I heartily recommend Slackware. But I am biased! :-)
bigg May 16, 2008 11:17 AM EDT

Out of curiosity, as I haven't seen it addressed anywhere, why did the Debian devs mess with it in the first place?
garymax May 16, 2008 11:18 AM EDT

bigg, Steven J. Vaughan-Nichols covers this in his blog @ http://blogs.computerworld.com/fixing_debian_openssl
bigg May 16, 2008 11:31 AM EDT

Good grief. Not to trash Debian, but there are serious problems with the development process if something like that slipped through. How can you possibly be allowed to make changes to a package so critical if you don't know what you're doing? This is inexcusable.
Laika May 16, 2008 12:25 PM EDT

Well, the openssl maintainer in Debian seems to have first asked about his patch in the openssl-dev mailing list and a guy from openssl.org showed green light for the patch. So it looks like the Debian guy wasn't careless, he just made a human mistake in applying the patch. Those who have never made mistakes can start throwing stones. http://marc.info/?t=114651088900003&r=1&w=2
bigg May 16, 2008 12:41 PM EDT

> Those who have never made mistakes can start throwing stones.

Sorry, but that's not a valid response. I've never made a mistake on something so vital, so indeed, I can start throwing stones. This is not just an innocent mistake. It's a problem with an entire development process. Debian cannot survive if this is the best it can do.
tuxchick May 16, 2008 1:27 PM EDT

Geh. NIH and a lack of a systemic perspective infests FOSS just as much as the proprietary world. This business of left hands having no idea of what right hands are doing goes on all the time. A recent example is the GRUB vs. inodes silliness: e2fsprogs now defaults to creating 256-byte sized inodes for Ext3, rather than 128. This is laying the groundwork for Ext4 compatibility and easier migration. But GRUB legacy only understands 128-bit inodes, so some various new distribution releases failed to boot. Yeah, you'd think someone would at least make sure the sucker boots before kicking it out the door, but no.

http://www.linuxplanet.com/linuxplanet/tutorials/6480/1/

I wonder why someone on the OpenSSL thread didn't jump up and down yelling "leave it alone! let valgrind complain! Ye know nowt what ye're mucking with!" They were pretty blasé about something that turned out to be such a major problem.
Steven_Rosenber May 16, 2008 1:38 PM EDT

Four things:

-- It's not the error so much as it going undetected for two years.
-- Part of the problem is the lack of randomization for process IDs. Instead of assigning process IDs in running order, they should be assigned with a random-number generator, like they are in OpenBSD. I don't wish all the rest of the OpenBSD B.S. on anybody (mainly its "can't stand the heat, get out of the kitchen" mentality), but this is a feature that should be implemented in the Linux kernel.
-- This should have been caught in a security audit ... don't they do that sort of thing in Debian?
-- Imagine the boost that Red Hat ... and every other non-Debian distro ... is going to get from this situation.
bigg May 16, 2008 2:53 PM EDT

> Imagine the boost that Red Hat ... and every other non-Debian distro ... is going to get from this situation.

I don't know. I guess the BSDs will get a boost, but it may be at the expense of all Linux distros. If the patent deal with Novell was bad because it gave Microsoft ammunition, how many times worse is this? Should I now look forward to boycottdebian? Microsoft is likely to get a lot of mileage out of this, and it is mileage against Red Hat and every other Linux distro.
garymax May 16, 2008 3:29 PM EDT

bigg

MS won't be able to get too much mileage out of this because it would be very easy to show the who, the what, and the why of how this came about. A Debian developer tweaked some code without sending the patch upstream and it went undetected for two years or so. Like Steve said, the problem was not the mistake, as we all make them; the problem is that it wasn't caught for two years. This is more egregious and speaks to the quality of code auditing, at least within Debian. This may shake up Debian for the better because, being the highly political organization that it is, maybe it will concentrate on detecting security issues like this instead of being worried about a little logo on a web browser. Just my two pence worth...
tuxchick May 16, 2008 3:41 PM EDT

Oh garymax, it's obvious you have a severe lack of perspective. That lil logo has earth-shattering importance. Dare I say the survival of humanity itself? . . . . . For the humorless overliteral contingent, this is meant to be funny. See: :D :D :D ;)
Laika May 16, 2008 3:59 PM EDT

> This may shake up Debian for the better because being the highly political organization that it is maybe it will concentrate on detecting security issues like this

Yes, Debian takes code quality most seriously and I have no doubt that they will do their best to learn from the lesson this mistake teaches. The new Debian Project Leader has recently commented on this security bug and he writes: "I have seen a few suggestions of how to increase the amount of review our patches are getting and how to improve our processes. Let's see what we can do to learn from this and do better in the future." http://lists.debian.org/debian-devel-announce/2008/05/msg000...
Steven_Rosenber May 16, 2008 4:07 PM EDT

If I could only figure out how to run cgi/perl scripts in the chrooted Apache environment of OpenBSD, I'd be halfway there, but my brain hurts too much at this point ...
Bob_Robertson May 16, 2008 4:19 PM EDT

This is exactly the sort of thing that causes shake-ups for the better. Oh, sure, it's big. It's widespread. It's a mess. But it's being done in the open and clear, for everyone to see and learn from. I like that very much. So, how long did Microsoft keep the BSD TCP/IP stack, bugs and all, after it had imported it into Win95? Just a thought. (What? Comparing Debian to Microsoft? HOW DARE YOU! HERETIC!) I do have a vested interest in Debian getting all this straightened out quickly and for the better. I don't want to have to learn another distribution. I also use only RSA authentication for SSH, a left-over from more openly paranoid days of tax protesting and other silliness. (They don't care how much you protest, as long as they get their pound of flesh.)
bigg May 16, 2008 4:31 PM EDT

> MS won't be able to get too much mileage out of this because it would be very easy to show the who, the what, and the why of how this came about.

The problem is that Microsoft does marketing. Linux companies don't do marketing. Microsoft likes to sell the entire open source development process as being suspect. Just a bunch of kids writing code in their Mom's basement. They will paint the entire open source community with this brush. "There was no security at all on Debian and Ubuntu for two years. In contrast, we take security seriously. We're professional coders. If we don't get it right, we lose our jobs. With open source, on the other hand, it's a volunteer effort. Most of them don't understand security, and if they don't find someone in the mood to do security right, who's qualified AND willing to donate his time, you end up without security. For two years." We can debate it on LXer, but if I were a CTO with a wife and three kids and a mortgage, I'd be taking the phone call from Microsoft's sales rep. A screwup of this magnitude on a project the size of Debian could easily set Linux back five years.
garymax May 16, 2008 5:26 PM EDT

bigg

Then MS will be shooting themselves in the foot. Remember, the other foot has Novell written all over it. They are just as guilty as all of the other Linux distributors since they gave out coupons. I guess MS' new marketing slogan will be "We only gave out coupons, not the code."

NEWS FLASH: This is it! This is it! This is the moment that all Slackware users have been waiting for! Now, all Debian users will start their migration to Slackware. Welcome home! tee, hee, hee... :-)
bigg May 16, 2008 5:40 PM EDT

Well, I am planning to migrate my office machine to Slackware as soon as I get a chance, but only because Slackware is good, not because of flaws in other distros! It hasn't taken long for me to start using Slackware running in VirtualBox to do most of my work. Unfortunately it's a hassle to not have a hard drive install. If only there were a few more hours in the day...
garymax May 16, 2008 6:06 PM EDT

bigg, Welcome to Slackware! Although it appears you've been running it for a while... You'll love the stability, security and reliability.
jdixon May 17, 2008 5:20 AM EDT

> Now, all Debian users will start their migration to Slackware.

As nice as the boost for Slackware would be, I don't see Debian users giving up apt-get for anything. They might use Zenwalk though.
bigg May 17, 2008 6:36 AM EDT

> I don't see Debian users giving up apt-get for anything

apt-get is great, no question about it. Nonetheless, I have found the claimed difficulties of installing software on Slackware to be largely a myth. Gslapt with slacky.eu as the repository has most everything and resolves dependencies. A complete installation of Slackware gives most of the low-level dependencies that you need. I haven't had to install a single low-level dependency, even though I've built a lot of my own packages. I haven't tried much in terms of non-FOSS, but apt-get isn't too helpful for that anyway. It's easy to install almost anything on Arch using the AUR. It can't be much different on Slackware.
garymax May 17, 2008 7:00 AM EDT

bigg

The perceived difficulty of Slackware is just that: perceived. Installing software has never been a problem for me or the many others who use it because the system is designed with the expectation that you will do so at some point. As you say, low-level dependencies are already included, with a modest amount of builds required for most packages. What I like is that the packages you do compile are built for your box and work great. And, yes, I agree that Debian users will need a lot more than the current ssh crisis to make them give up their beloved apt-get. :-)
jdixon May 17, 2008 6:21 PM EDT

> The perceived difficulty of Slackware is just that: perceived.

There have been rare occasions where the dependencies on a program were not given and I simply gave up after the fifth or sixth xyz library error. Probably no more than half a dozen over the 14 years or so I've been Slacking. 90% of the time, a package with clearly listed dependencies already exists. 90% of the time one doesn't, the program compiles cleanly from the source with no problems. Even commercial programs (such as VMware Server, for example) usually install with few problems, though you may have to look for a how-to.
Steven_Rosenber May 17, 2008 9:33 PM EDT

I'm a big Slackware fan, but you just can't compare Slackbuilds, Linuxpackages.net, or any of that stuff to apt and the huge Debian and Ubuntu repositories. But if you like what you see in Slackware, it is a sweet system. I feel that way about Slack-based Wolvix, but I don't trust it like I do Debian ... but then this happened.
garymax May 17, 2008 10:28 PM EDT

Steven_Rosenberg

Nobody in their right mind would compare Linuxpackages.net, Slackbuilds, Gslapt and the like to apt-get or Debian. It's apples and oranges. But, to be fair, nobody in their right mind would ever compare Debian to Slackware.
jezuch May 18, 2008 3:43 AM EDT

But, but... Installing is only half of the story. How easy is it to *remove* packages too? ;)
bigg May 18, 2008 5:25 AM EDT

> How easy is it to *remove* packages too? ;)

Just use the removepkg command. Or you can use pkgtool for installation and removal of packages.

> you just can't compare Slackbuilds, Linuxpackages.net, or any of that stuff to apt and the huge Debian and Ubuntu repositories.

The Debian (and Mandriva) repositories are pretty deep. You can't beat either of those distros if all you care about is binary package selection. What they offer is sufficient for most users, so I don't expect to see a lot of movement to Slackware. I obviously haven't used Slackware for very long, but for the experienced Linux user, the differences in software installation are not a big deal IMO. What I had feared was the dependency hell from my earlier experiences with Red Hat/Fedora. Slackware is designed so much better. If you want cutting-edge applications, or want to customize your packages, it is difficult to beat Slackware, at the price of doing a little compiling.
gus3 May 18, 2008 7:42 AM EDT

I'll take a little compiling (made so much easier with Slackbuilds.org!) over the half-a.... er, half-baked tinkering of Debian. Yes, I am angry at them over this.
garymax May 18, 2008 9:18 AM EDT

gus3

While I believe Debian-based distros have done a pretty good job, it is kind of hard to believe that a distro like Slackware, with one person at the helm for the most part, does a better job at quality control than a distro with hundreds of developers...
jdixon May 18, 2008 6:23 PM EDT

> it is kind of hard to believe that a distro like Slackware, with one person at the helm for the most part, does a better job at quality control than a distro with hundreds of developers...

Simply compare the official package list of Slackware with that of Debian and it suddenly becomes a lot more believable. Patrick supports a much smaller universe of packages out of the box (simply eliminating Gnome from the mix simplifies things a lot). It's only when you start adding third party repositories into the mix that you even approach the number of Debian packages, and Patrick isn't responsible for those. This isn't meant to downplay what Patrick does. Slackware is one of the fastest, most stable, most secure, and most maintainable systems out there; and that's all due to Patrick's work. It's also my preferred system, and it's capable of meeting the needs of most desktop users if set up properly to start with. But you can't really compare its breadth to that of Debian.
garymax May 18, 2008 6:42 PM EDT

jdixon

As I have already stated, "Nobody in their right mind would compare Linuxpackages.net, Slackbuilds, Gslapt and the like to apt-get or Debian. It's apples and oranges." With that said, of course, the smaller OS footprint represented by Slackware means an easier time for Patrick Volkerding to develop and maintain the system. But it still gives one pause how a distro developed by nearly 1000 developers takes a quality hit of this magnitude. I agree that third party repos can present a problem. But maybe this is where Slackware and other smaller projects have a distinct advantage. By providing a great, functional base system, the responsibility is left to the end user just what to add to their system to turn it into an environment that meets their individual needs. And by compiling your own apps you have control over the result and don't have to worry as much about back doors or malware being built into a binary.
gus3 May 18, 2008 7:46 PM EDT

> But it still gives one pause how a distro developed by nearly 1000 developers takes a quality hit of this magnitude?

I had a response typed up to this, but I just couldn't manage to get it to make sense. So I'll just offer this as a parallel example: When a serious matter requiring expertise hits Slashdot, how long does it take for the true experts to get noticed? And until they do get noticed, how much ignorant "line noise" holds forth? A little knowledge is a dangerous thing!
garymax May 18, 2008 8:32 PM EDT

gus3

> A little knowledge is a dangerous thing!

If this is true then who has so much so as to be out of danger? :-)
gus3 May 18, 2008 8:44 PM EDT

> If this is true then who has so much so as to be out of danger? :-)

One who realizes where that knowledge ends. Which apparently Debian missed.
azerthoth May 19, 2008 8:41 AM EDT

Knowledge is power, power is dangerous, thus knowledge should be avoided at all costs.
gus3 May 19, 2008 8:53 AM EDT

What about "you shall know the truth, and the truth shall set you free"?
azerthoth May 19, 2008 9:13 AM EDT

I would point you to http://www.youtube.com/watch?v=ZtdnZNYN0MM for comparing opposite truths. Or in other words, what any individual or group of individuals holds to be true may only last until such time as someone stands it on its head.
number6x May 19, 2008 9:13 AM EDT

In terms of third party software for Slackware... I was able to compile PostgreSQL on Slackware-based Zenwalk last year by following the directions in the PostgreSQL manual for a generic build from tarball. There were a few dependencies to add to Zenwalk. The make script told me they were missing, and I searched for them in slapt-get. Slackware is very different from the mid 1990's. No, it is not Debian with apt, apt-get, and aptitude. But it is stable and not hard to use. I was going to say 'not hard to use for someone familiar with Linux', but when I first used Slackware I was not familiar with Linux. I didn't think it was hard then, and it is even easier now.
garymax May 19, 2008 10:17 AM EDT

gus3

> What about "you shall know the truth, and the truth shall set you free"?

This is a timeless truth. :-)

azerthoth

> Or in other words, what any individual or groups of individuals hold to be true may only last until such time as someone stands it on its head.

A man with an experience is never at the mercy of a man with an argument.
jdixon May 19, 2008 10:39 AM EDT

> I was able to compile PostgreSQL on Slackware based zenwalk last year by following the directions in the PostgreSQL manual for a generic build from tarball.

Yep. Yet some "user friendly" distros don't even include gcc by default.

> But it is stable and not hard to use.

Agreed. Slackware is a much better distribution than most people seem to realize. Installation is easy, it's fast, it's stable, it's easy to maintain (especially with slapt-get and gslapt), and it can meet most home user needs with no problems.
Steven_Rosenber May 19, 2008 12:06 PM EDT

I freely admit that apt allows you to maintain a box without having to think all that much. But it'd be nice if the people putting the packages together -- at least in this one case -- were doing a bit more thinking. As I've said before, I give Slackware-based Wolvix very high marks for usability, ease of install and overall software mix.
tracyanne May 23, 2008 6:53 PM EDT

http://imgs.xkcd.com/comics/security_holes.png
jdixon May 23, 2008 7:20 PM EDT

Actually, the Slackware one (gives root access if user says elvish word for "friend") would be a great hack to implement, especially since it would almost certainly only respond to voices it was trained for. I wonder how many flames have been generated by the Ubuntu one. :)
Laika May 24, 2008 2:35 AM EDT

> -- It's not the error so much as it going undetected for two years.

It looks like Red Hat's patch review process is not perfect either. They have just fixed a security vulnerability that was introduced by a Red Hat-specific patch in 2006. http://blog.orebokech.com/2008/05/embarrassing-distro-patche...
Bob_Robertson May 24, 2008 7:22 AM EDT

> They have just fixed a security vulnerability that was introduced by a Red Hat -specific patch in 2006.

Gee, people make errors?
jdixon May 24, 2008 7:28 AM EDT

> It looks like Red Hat's patch review process is not perfect either.

No one has a perfect review process. Remember all those Windows "complete reviews". Then they get hit with a bug that went all the way back to Windows 3.1 in the metafile image fiasco. That's a bug that existed for something like 10 years or more. We're all human; perfection is too much to ask for.
tuxchick May 24, 2008 7:54 AM EDT

Yeah, jdixon, but when Microsoft does it it's extra bad. Just because it's them :)
Bob_Robertson May 24, 2008 7:57 AM EDT

> but when Microsoft does it...

Microsoft also makes extravagant claims about their inherent security, then refuses to admit that they were wrong. Ever. I can respect someone who says, "Ooops, my bad, let's get this fixed". I cannot respect the kind of shell game being played endlessly by the Microsoft marketing department.