MetaFilter posts tagged with linux and security

Why Can't MS Do This?

DU — Mon, 17 Aug 2009 06:50:40 -0800

An 8 year old critical security bug in the Linux kernel? No problem, we can fix that without even rebooting. You heard me, it is possible to apply a source code patch to a running kernel without reboot.

15 bits of crypto should be enough for anybody

finite — Fri, 16 May 2008 22:01:42 -0800

On May 13, security advisories published by Debian and Ubuntu revealed that, for over a year, their OpenSSL libraries have had a major flaw in their CSPRNG, which is used by key generation functions in many widely-used applications, which caused the "random" numbers produced to be extremely predictable. [lolcat summary] How bad is it? It's pretty bad. Understand that these keys are used not only for encryption, but also for authentication. The keyspace has been reduced to a mere 32,768 possibilities, and you can already download them all, along with tools to use them. Worse still, in the days before the issue became publicly known, there was a noticeable spike in the number of brute-force attacks on SSH servers, indicating that there has already been significant exploitation of this vulnerability. Partial timeline of events: In May 2006, a bug led to a question which led to the fateful patch being applied to md_rand.c (in Debian's "unstable" development branch). In April 2007, Debian 4.0 "etch" and Ubuntu 7.04 were both released, which was the beginning of the inclusion of the buggy version of OpenSSL in officially-released distributions. The bug remained unfixed through the releases of Ubuntu 7.10 and 8.04. On May 7, 2008, the patch to fix the problem was committed to Debian's source repository, and on May 13 the issue was officially disclosed and updated packages were made available to users. (The patch's availability days before public disclosure of the bug appears to be a violation of Debian's policy.) Here are some responses from Debian blogs, and two from an OpenSSL developer.

fooljay — Wed, 28 Mar 2001 14:41:22 -0800

The Winux virus is reported to affect both Windows and Linux boxes/applications. The article says it's "written in a primitive computer language called 'assembly language'." On a side note, who do they get to write these articles? Certainly they are uncomfortable with technology...

borgle — Sun, 25 Mar 2001 17:27:41 -0800

Up to 20% of the internet vulnerable to a virus. There is a new Linux worm virus. Apparently, it steals passwords, installs and hides other hacking tools on infected systems, and then uses those systems to seek other servers to attack. Sys admins are advised to run a check on their servers and upgrade their BIND version.

mecawilson — Mon, 22 Jan 2001 09:35:48 -0800

Linux no longer foolproof? And a smile descened upon Redmond...

baylink — Sat, 23 Dec 2000 11:09:51 -0800

Well, we talked about NORAD a few posts back, I guess now it's time for everyone's *other* favorite agency: the NSA has a logo. That's funny. No, really, the topic of this posting is their release of Security-Enhanced Linux, including Mandatory Access Control and other cool B-1'ish stuff. Ted T'so has some interesting observations in this Slashdot thread on the topic as well.

m.polo — Wed, 20 Sep 2000 11:20:15 -0800

Apparently, the conventional wisdom is not quite right. The SDMI's Executive Director says they have "thousands of entries" in their contest to hack the various proposed digital music security schemes. As I pointed out recently in a similar context, the "Linux community" and the population of computer literate, financially motived, non-OS-sectarian hackers are far from being one and the same...

delfuego — Mon, 24 Apr 2000 21:38:33 -0800

RedHat Linux security problem uncovered. Today, apparently it was discovered that if you install the Piranha package with RedHat 6.2 (ostensibly part of the default installation, but there's controversy over this), a default password is installed that would give anyone access to the Piranha configuration package; from there, it is apparently trivial to execute any command on the box that you want.
I find it very interesting that the fact that Microsoft had a "backdoor password" in a DLL made huge news (and it turned out to be patently false), yet this has gotten almost no press. I'd like to think otherwise, but I know it's because people hate Microsoft, and thus are eager to deride it... and yet here's proof that even the mighty Linux is susceptible to the same exact problems.
Next time you reach for the keyboard to cry out "nyah nyah!" at the discovery of some problem with Windows, remember this...