Radified Community Forums
(In?)Security of Linux (Read 15676 times)
Pleonasm (Übermensch, Posts: 1619)
Re: (In?)Security of Linux
Reply #15 - May 18th, 2008 at 11:09am
Oh, my – this isn’t good news: a highly significant flaw with a wide-ranging impact for users of Linux…
Quote:
A major problem has been revealed in Debian Linux and derivative packages, such as Ubuntu. Debian revealed the other day that a fix they made back in September 2006 had the unintended consequence of crippling the strength of their OpenSSL distribution.
OpenSSL is used, of course, for Secure Sockets Layer which provides authentication and encryption for web traffic, but it's also used for other cryptography functions. OpenSSL is a very important package that brought public key cryptography to the masses; prior to OpenSSL, https web sites were expensive and complicated to build.
The strength of public key encryption relies, in large part, on the large number of potential keys that could be used to encrypt data. Keys are often 1024 or 2048 or 4096 bits long; these store very large numbers so a brute force attack, trying all of the possibilities, could take a prohibitive amount of time.
But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption.
Because of its centrality, Linux sites are often deeply reliant on certificates generated by OpenSSL to encrypt network traffic. Fixing the problem is not just a matter of updating the software; you also have to go back and generate new certificates and have them signed. This is complicated stuff, not for the novice Linux user. Expect tools to come along soon to help.
Source: Major Cryptography Bug For Many Linux Users
ple • o • nasm
n. “The use of more words than are required to express an idea”
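The key-space collapse the quoted article describes, as an added toy model that is not part of the forum post, the article, or OpenSSL itself. The real defect left the process ID as the only varying input to OpenSSL's random number generator, so for a given key type, size and architecture each PID value could produce only one key; the article's figure of 32768 PID values is used as the bound. Real RSA generation is replaced here by a constructed stand-in (SHA-256 of the seed) so the whole reachable space can be enumerated in seconds, and the blacklist check mirrors the kind of tool the article anticipates: precompute the fingerprint of every key the broken generator can emit, then flag any key on disk whose fingerprint is in that set.

```python
"""Toy model of a PRNG whose only entropy source is the process ID, and the
blacklist-style check that detects keys produced by it.

Added example; the generator below is a constructed stand-in, not OpenSSL's.
"""
import hashlib
import os

PID_MAX = 32768  # number of PID values the quoted article cites as the whole key space


def weak_keygen(pid: int, key_bits: int = 2048) -> bytes:
    """Stand-in for the broken generator: the output depends only on `pid`.

    `key_bits` is accepted (and honoured in the output length) only to make
    the point that the nominal key length has no effect on how many distinct
    keys can ever come out: one per PID value, regardless of size.
    """
    if not 0 < pid < PID_MAX:
        raise ValueError("pid outside the modelled PID range")
    material = hashlib.sha256(f"pid={pid}".encode()).digest()
    # stretch to the nominal length; still exactly one possible output per PID
    return (material * (key_bits // 256 + 1))[: key_bits // 8]


def good_keygen(key_bits: int = 2048) -> bytes:
    """Stand-in for a correctly seeded generator: fresh OS entropy every call."""
    return os.urandom(key_bits // 8)


def fingerprint(key: bytes) -> str:
    """Fingerprint used for the blacklist (hash of the key material)."""
    return hashlib.sha256(key).hexdigest()


def count_distinct_keys(key_bits: int = 2048) -> int:
    """How many different keys the broken generator can produce at this size."""
    return len({weak_keygen(pid, key_bits) for pid in range(1, PID_MAX)})


def build_blacklist(key_bits: int = 2048) -> frozenset:
    """Precompute the fingerprint of every key the broken generator can emit.

    This is the defender's side of the story: with the space this small, a
    complete list of affected fingerprints fits in memory and a key can be
    checked against it before it is trusted or deployed.
    """
    return frozenset(fingerprint(weak_keygen(pid, key_bits)) for pid in range(1, PID_MAX))


def is_affected(key: bytes, blacklist: frozenset) -> bool:
    """True if `key` could only have come from the broken generator."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    blacklist = build_blacklist(2048)
    print("distinct 2048-bit keys reachable:", count_distinct_keys(2048))
    print("distinct 4096-bit keys reachable:", count_distinct_keys(4096))
    print("PID 12345 key flagged:", is_affected(weak_keygen(12345), blacklist))
    print("properly seeded key flagged:", is_affected(good_keygen(), blacklist))
```

The two counts come out identical: doubling the key size changes nothing about how many keys exist, which is why the article says the effective strength collapsed to the PID space rather than to anything related to 1024 or 2048 bits. The check is also the reason the article's remediation advice is "regenerate and re-sign" rather than "upgrade the package": an affected key stays affected no matter what software later reads it.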
zmdmw52 (Radmeister, +ve rad.i.cal, Posts: 81)
Re: (In?)Security of Linux
Reply #16 - Jul 3rd, 2008 at 12:06pm
MrMagoo wrote on Apr 1st, 2008 at 4:28am:
Laptops running MacOS, Vista, and Ubuntu were set up for contestants to attempt to hack. After 3 days, the Ubuntu laptop was the only one left. On the surface, this indicates that it was more difficult for contestants to find a security flaw in Linux than the other two OS's; however, it is difficult to say how many contestants attempted to exploit each OS.
Bayes' Theorem *may* be of relevance here ... i.e. how many people (in terms of proportions of total) actually use(d) Windows vs Mac OS vs Ubuntu Linux; in very simple terms, a greater number of Windows users (compared to Mac OS X and Linux) would mean greater familiarity with Windows flaws & loopholes and therefore the above result.
This link and this example give a brief idea of Bayes' rule.
This likely is not the full explanation, but (IMO) is worth mulling over.
Linux User 483705 | (openSUSE 11.1, Ubuntu 9.04, i686) w/ Windows XP
MrMagoo (Übermensch, Resident Linux Guru, Posts: 1026, Phoenix, AZ (USA))
Re: (In?)Security of Linux
Reply #17 - Jul 4th, 2008 at 4:52pm
The articles seemed to indicate that contestants knew ahead of time what software would be running on each laptop, and some of the interviews with the winners suggested that they selected the laptop they thought they could most easily exploit to focus on in the research leading up to the contest.
I'm sure that Bayes' Theorem applies, but one would think that the open source Linux laptop should present a juicy target if you thought there was something easily exploitable in there. Obviously this is a fairly small sample of targets and attackers and a very artificial environment with time constraints. I think the only conclusion we can draw from this is that the Ubuntu laptop was not trivially exploitable. Other than that, it's just an interesting result.
MrMagoo (Übermensch, Resident Linux Guru, Posts: 1026, Phoenix, AZ (USA))
Re: (In?)Security of Linux
Reply #18 - Jul 4th, 2008 at 4:58pm
Pleonasm wrote on May 18th, 2008 at 11:09am:
Oh, my – this isn’t good news: a highly significant flaw with a wide-ranging impact for users of Linux…
A sad day event, for sure, and a big mistake by the responsible coders. But, it is worth noting that this flaw was introduced when the SSH package was modified by a Debian developer and was not present in the base version. So, this flaw is only present in SSH versions downstream of Debian. This does include the widely popular Ubuntu, but Red Hat, SUSE, and all the *BSD versions do not contain this flaw. Also, it was quickly fixed by all affected distros.