Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Discussion in 'all things UNIX' started by ronjor, Mar 4, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Ouch ouch ouch. Not happy about this (and some people I know will be even less happy). Thank you.
     
  3. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    I skimmed. Is there a patch/fix?
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Yes, it's been released for 3.x.

    Edit: 2.x has been updated in the Ubuntu repos.
     
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Good. I think this is one of the few times major Distros should update their currently distributed ISO to include the patch/fix.
     
  6. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    How surprising, yet another 'bug', just the right place, that makes transport-encryption useless ..
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    For what it's worth, most programs do *not* rely on the vulnerable code and will use other dependencies (openssl) before they try it.
     
  8. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    IMO it's not so much a matter of "many eyes" not being implemented properly, as the concept being fallacious. I would guess that having more reviewers does not increase the likelihood of finding a bug in a completely linear fashion.

    Also, that's assuming people are actually reviewing the code. Most probably aren't, given the amount of effort that goes into maintaining rough feature parallel with Redmond and Cupertino (and also because bug hunting is boring).

    Edit: I would also point out that logic errors - especially those that cause silent failures - can be very, very difficult to find. Debugging generally involves seeing if a program works correctly, and if it appears to work correctly but actually does the wrong thing, that is not always easy to notice.
     
  10. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Thinking it over, you're probably right. I have problem visualizing people sifting through thousands of lines of code to find vulnerabilites. Not to mention it's unpaid work.

    It's just that the often touted argument that open source software (especially Linux) should be so much more secure than closed software just because there are, apparantly, so many people out there looking through the source code, is not going to win over people when these misfortunate things* happen.

    * like the Openssl bug.

    The silent failures you mention, the crypto bug was one of them but if I understood the article right, the bug was there because the coding and also checking were lax.
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Actually a lot of it is paid... Well, not sure about stuff like GnuTLS, but IIRC most Linux kernel developers are paid by one company or another. A lot of companies use Linux, and have stake in its future as a robust server OS.

    (Alas, the desktop side of things is terrible for non-geeks, and will probably be terrible for the forseeable future.)

    That said, paid developers doesn't necessarily mean better code. Sometimes the opposite perhaps. I haven't been working in the IT sector for very long, and the following is a bit of a generalization... But what I've seen a few times so far, is that sysadmins I know to be highly competent have ended up creating crude hackjobs, in order to meet unrealistic goals set by management. I wouldn't be surprised if the same happened with operating systems programmers.

    Edit: but as I said, I haven't been in this line of work very long, so take what I say with a grain of salt.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
Loading...
Thread Status:
Not open for further replies.