Re: [Hampshire] OpenSSL in Debian is broken

Author: Damian Brasher
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] OpenSSL in Debian is broken
Steve Kemp wrote:

> The pain of this one is that a security update will only prevent you
> from creating weak keys in the future - it doesn't protect you in any
> way from any keys you've created previously which are now trivially
> crackable ..

However, the end result is that the Open Source model has allowed this error to
be spotted and fixed within the day. So many closed source products exist
and who knows how many security flaws they contain - it is likely most
will never be exposed. The fact the weakness has been available to exploit
is a bit scary, but, putting it bluntly, probably unlikely to have been
thought of as a viable exploit before now - real crackers look for the
obvious opportunities, like petty thieves. Granted this doesn't make it
better but Debian and Ubuntu have made an open and honest effort to ensure
users are informed and systems can be fixed with the minimum of effort;
that is actually worth a lot if you think about it.

If customers need re-assuring then deploy and run tools like rkhunter -
http://www.rootkit.nl/projects/rootkit_hunter.html as well as checking
logs and network traffic for abnormal activity. Run your usual system
security audit.

Furthermore, this flaw *pales into insignificance* when compared with some
of the nasty Closed Source update and security blunders over the past few
years. I still vividly remember the SoBig virus and the utter chaos it
caused for millions of users, including my users at the time. One service
pack prevented the spread of another nasty which rendered an online PC
useless unless it was applied.

I can't speak as a Debian or Ubuntu user but can as a Linux user. The only
thing I am concerned about long term is that large organisation CEOs and
those rabidly against the use of Open Source for their own reasons will
take this way out of context and foster panic in all the wrong places. I
also hope the vendors affected don't try to fix things by taking drastic
measures. Linux distribution vendors traditionally learn from each others'
successes and failures, and this should continue.

The lingering question many may be faced with: 'what other flaws exist
that we don't know about?' will remain, but will remain in equal measure
for every networked application in existence. Mathematically IT security
code must always benefit from having been seen by many eyes. Some of the
best security algorithms are open and proof of this concept.

[*] "Trade-secret cryptographic algorithms have a long history of being
both weak and leaked to the public. The tendency to weakness is due to the
fact that the only known reliable way to determine the strength of
cryptographic algorithm is to have a large number of cryptographers
examine it—which is not possible to do while keeping it a trade-secret."

[*] http://www.oss-watch.ac.uk/resources/security.xml

IMO

dlb

--
Damian L Brasher
http://www.diap.org.uk