(In?)Security of Linux
Pleonasm
Übermensch
Re: (In?)Security of Linux
Reply #15 - May 18th, 2008 at 11:09am
 
Oh, my – this isn’t good news: a highly significant flaw with a wide-ranging impact for users of Linux…

Quote:
A major problem has been revealed in Debian Linux and derivative packages, such as Ubuntu. Debian revealed the other day that a fix they made back in September 2006 had the unintended consequence of crippling the strength of their OpenSSL distribution.

OpenSSL is used, of course, for Secure Sockets Layer which provides authentication and encryption for web traffic, but it's also used for other cryptography functions. OpenSSL is a very important package that brought public key cryptography to the masses; prior to OpenSSL, https web sites were expensive and complicated to build.

The strength of public key encryption relies, in large part, on the large number of potential keys that could be used to encrypt data. Keys are often 1024 or 2048 or 4096 bits long; these store very large numbers so a brute force attack, trying all of the possibilities, could take a prohibitive amount of time.

But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption.

Because of its centrality, Linux sites are often deeply reliant on certificates generated by OpenSSL to encrypt network traffic. Fixing the problem is not just a matter of updating the software; you also have to go back and generate new certificates and have them signed. This is complicated stuff, not for the novice Linux user. Expect tools to come along soon to help.
Source: Major Cryptography Bug For Many Linux Users
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
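The quoted article says HD Moore precalculated "all of the potential keys" in a few hours. The reason that was feasible: the Debian patch left the process ID as the only input to the generator that still varied between runs, and Linux PIDs at the time ranged over 1..32767 (2^15 - 1 values), so there were at most that many distinct keys per key type, size and architecture. The script below is a toy model added to this page to make that concrete; it is not Debian's or OpenSSL's code. A hash-derived secret stands in for the real RSA/DSA private key and a hash of that secret stands in for the public fingerprint an attacker can observe; the names weak_keygen, strong_keygen, fingerprint, build_blacklist and recover_private_key, and the victim PID 4242, are all constructed for the example.

```python
import hashlib
import os

# Linux's default pid_max at the time was 32768, so PIDs ran 1..32767 (2^15 - 1 values).
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Toy model of the broken generator: the only input that differs between
    runs is the process ID, so there are at most PID_MAX - 1 possible keys.
    (Hash-derived stand-in for a real RSA/DSA key; not OpenSSL's code.)"""
    return hashlib.sha256(b"toy-weak-keygen|" + pid.to_bytes(4, "big")).digest()


def strong_keygen() -> bytes:
    """Toy model of a properly seeded generator: 256 bits from the OS CSPRNG."""
    return os.urandom(32)


def fingerprint(private_key: bytes) -> str:
    """Stand-in for the public half of the key, which an attacker can observe
    (for example from a certificate or an SSH host-key exchange)."""
    return hashlib.sha256(b"toy-public-fp|" + private_key).hexdigest()


def build_blacklist() -> dict[str, bytes]:
    """Attacker-side precomputation: enumerate every seed the weak generator
    could have used and index the resulting keys by their public fingerprint."""
    table = {}
    for pid in range(1, PID_MAX):
        key = weak_keygen(pid)
        table[fingerprint(key)] = key
    return table


def recover_private_key(observed_fp: str, blacklist: dict[str, bytes]):
    """Lookup, not brute force: returns the private key if the fingerprint is
    one of the precomputed ones, else None."""
    return blacklist.get(observed_fp)


def demo():
    blacklist = build_blacklist()

    # Constructed victim: a host that generated its key with the weak generator under PID 4242.
    victim_key = weak_keygen(4242)
    recovered = recover_private_key(fingerprint(victim_key), blacklist)

    # A key from the properly seeded generator is not in the table.
    good_key = strong_keygen()
    missed = recover_private_key(fingerprint(good_key), blacklist)

    return {
        "table_size": len(blacklist),
        "weak_key_recovered": recovered == victim_key,
        "strong_key_recovered": missed is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The table has 32767 entries and is built in well under a second here; the real precomputation took hours only because it generated actual RSA and DSA keys for each PID, key size and architecture. The same lookup idea is what Debian shipped for remediation: the openssl-blacklist and openssh-blacklist packages carried the fingerprints of the affected keys, and openssl-vulnkey and ssh-vulnkey checked a given key against them. Upgrading OpenSSL alone does not help an existing key; as the article says, every key and certificate generated on an affected system has to be regenerated and re-signed.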
zmdmw52
Radmeister
Re: (In?)Security of Linux
Reply #16 - Jul 3rd, 2008 at 12:06pm
 
MrMagoo wrote on Apr 1st, 2008 at 4:28am:
A laptop running MacOS, Vista, and Ubuntu were set up for contestants to attempt to hack. After 3 days, the Ubuntu laptop was the only one left. On the surface, this indicates that it was more difficult for contestants to find a security flaw in Linux than the other two OS's, however, it is difficult to say how many contestants attempted to exploit each OS.
Bayes' Theorem *may* be of relevance here ... i.e. how many people (in terms of proportions of total) actually use(d) Windows vs Mac OS vs Ubuntu Linux; in very simple terms, a greater number of Windows users (compared to Mac OSX and Linux) would mean greater familiarity with Windows flaws & loopholes and therefore the above result.

This link and this example give a brief idea of Bayes' rule.

This likely is not the full explanation, but (IMO) is worth mulling over.
 

Linux User 483705  |  (openSUSE 11.1,  Ubuntu 9.04,  i686)   w/ Windows XP
jaylinux  
MrMagoo
Übermensch
Re: (In?)Security of Linux
Reply #17 - Jul 4th, 2008 at 4:52pm
 
The articles seemed to indicate that contestants knew ahead of time what software would be running on each laptop, and some of the interviews with the winners suggested that they selected the laptop they thought they could most easily exploit to focus on in the research leading up to the contest.

I'm sure that Bayes' Theorem applies, but one would think that the open source Linux laptop should present a juicy target if you thought there was something easily exploitable in there.  Obviously this is a fairly small sample of targets and attackers and a very artificial environment with time constraints.  I think the only conclusion we can draw from this is that the Ubuntu laptop was not trivially exploitable.  Other than that, it's just an interesting result.
 
MrMagoo
Übermensch
Re: (In?)Security of Linux
Reply #18 - Jul 4th, 2008 at 4:58pm
 
Pleonasm wrote on May 18th, 2008 at 11:09am:
Oh, my – this isn’t good news: a highly significant flaw with a wide-ranging impact for users of Linux…

A sad day event, for sure, and a big mistake by the responsible coders.  But, it is worth noting that this flaw was introduced when the SSH package was modified by a Debian developer and was not present in the base version.  So, this flaw is only present in SSH versions downstream of Debian.  This does include the widely popular Ubuntu, but Red Hat, SUSE, and all the *BSD versions do not contain this flaw.  Also, it was quickly fixed by all affected distros.
 