OpenSSL Security Vulnerability

SiliconEntity writes "On the heels of multiple OpenSSH vulnerabilities, the OpenSSL project is now reporting a number of security vulnerabilities of its own. OpenSSL is a standard cryptographic library used in a wide variety of security applications. The new vulnerabilities range from denial-of-service attacks to stack corruption, which imply the possibility of running malicious code. New versions of the software are released today which address the vulnerabilities."

first post!

posted via lynx over openssh! w00t! w00t!

Re:first post!

[Mod+Me+God]

No... posted by am email from Outlook Express like on my WinBox reguraly updated thanks to Microsoft Update.

You Linux users really don't know where it is at... after all SSL is just a mathematical equation... guess you should stop using 14 year old 'hax0rs' and use real, professional salaried M$ programmers from the PRC to do your security.

Re:first post!

[soliaus]

first post!
posted via lynx over openssh! w00t! w00t!

Oh, so that was your box...sorry about that.

Re:first post!

Use Links! It's much better than crufty old Lynx.

Alternatively, fuck off and die.

Either way is fine by me.

Re:first post!

[aceat64]

Mod this guy up, he's trying to be funny, see the sarcasm? "from the PRC" I think he's refering to the recent (major) problems MicroSoft has had with Windows. But what do I know? =)

Pain in the frick

Now all I need is php, mod_ssl, and apache to have problems, and my month will be complete!

Re:Pain in the frick

[alexborges]

MOD_SSL and apache-ssl will probably have the same kind of problems.

Re:Pain in the frick

Correct me if I'm wrong, but don't both of those use OpenSSL?

Re:Pain in the frick

[rifter]

Correct me if I'm wrong, but don't both of those use OpenSSL?

Yes, thank you Captain Obvious.

already patched

thanks up2date :-)

Re:already patched

[zumajim]

Thanks apt! And no subscription fee either.

Re:already patched

Is microsoft now funding vulnerability research on Linux/Unix? Have you noticed after every big microsoft vul, linux/unix ones are released?

Re:already patched

[Michalson]

Perhaps they announce the bugs just after Microsoft does in hopes that the OSS community will still be bashing the "M$ is teh suc" drum loud enough that they won't notice yet another exploit (BTW, has buggy Outlook been able to beat Mozilla's "run arbitary code just by *connecting* to a POP mail server" exploit yet?)

Re:already patched

What are the security implications of using apt-get? It doesn't seem that there are security checkpoints in place to make sure I'm not getting trojaned files.

To add insult to injury, there aren't even checksums for the apt rpms available at FreshRpms so I can't be sure I'm not getting a trojaned installer!

Re:already patched

[ncc74656]

Thanks apt! And no subscription fee either.

Ditto for emerge...though you might need to specify the 0.9.6k ebuild manually.

Re:already patched

[Pharmboy]

thanks up2date :-)

amen. all my boxes were patched before this hit the front page. Went in and even did a MANUAL up2date, since I didn't want to wait an hour, considering it was a pretty important update. Gotta love up2date...

Re:already patched

So, you're boasting about supporting neither the servers that you use nor the developers who write & compile the code for you? LOL...

Re:already patched

Yeah, I just bought my first basic entitlement yesterday, and already I'm enjoying it. Fast, reliable updates, plus the warm feeling of supporting the makers of my favorite distro.

Re:already patched

[Fizzl]

apt-get update && apt-get upgrade ->
Only ssh updated.. What about SSL libs?

(using woody)

Re:already patched

[Pharmboy]

Yeah, I just bought my first basic entitlement yesterday, and already I'm enjoying it. Fast, reliable updates, plus the warm feeling of supporting the makers of my favorite distro.

There is something to be said about that. I know alot of Linux purists will preach about Slackware or Debian, but IMHO the way you knock the 800 pound gorilla out of the tree (MS) is with at least a 400 pound gorilla, which is either RedHat, SuSe or Mandrake. My money is on RedHat.

RedHat DOES make Linux more accessible to the masses. It isn't dumbed down as much as Lindows, and yes, its a bit bloated, but I have run mainly RH for over 4 years now and believe it is a good compromise between ease of use and power. I used to use Mandrake on the desktop when it was better there (3 years ago) but its RedHat's service that persueded me to move to their products.

It IS important that Linux is brought to the masses if you want a broader range of software and support options. It has passed MAC recently in number of desktop users, and once it reaches 20% of the desktops we will see most software makers porting their products over to the platform. I personally don't care if Linux passes up Windows in % as long as it can reach large enough numbers that I don't HAVE to dual boot or have seperate Windows boxes in order to run the programs I want. This will also bring about some polishing of the desktop on Linux, which is good but not great, at this point. I am not concerned with the MS monopoly, and have faith that once people have a more viable choice, the monopoly will take care of itself. We are not quite there yet, but its close enough that we can see that day coming.

As it is, I stay moderately frustrated at having to choose between the applications I love on an OS I hate, or the OS I love with only some of the applications I need.

Re:already patched

...Thanks to cvsup and portupgrade.

Re:already patched

[jonadab]

> the way you knock the 800 pound gorilla out of the tree (MS)

But, we aren't out to destroy Microsoft. That will just be a
completely unintentional side-effect.

Re:already patched

apt-get dist-upgrade is your friend

Re:already patched

[Pharmboy]

But, we aren't out to destroy Microsoft. That will just be a completely unintentional side-effect.

Well, I am not out to destroy them, mainly because I feel any effort would be redundant. History is full of companies that once dominated, and now are unknown. Usually because someone else came up with a "better mouse trap".

Linux advocates don't need to worry about Microsoft. They will continue to shoot themselves in the foot and piss off customers. If anyone *REALLY* wants to see Microsoft destroyed, all they really need to do is work to get Linux up to speed. The market will take care of the rest.

Re:already patched

[ichimunki]

but IMHO the way you knock the 800 pound gorilla out of the tree (MS) is with at least a 400 pound gorilla.

And here I thought the best way was a well aimed projectile.

If Microsoft is an 800 pound gorilla, then Red Hat is a fruit fly. MSFT has a market cap of 301 billion dollars. RHAT has a market cap of 1.75 million dollars. MSFT is 172,000 times larger than RHAT in this sense. Or maybe we should compare annual sales revenues (MSFT = 354 * RHAT). Or number of employees (MSFT = 99 * RHAT). Even on this last most favorable measure, RHAT is a ring-tailed lemur compared to the Microsoft gorilla. BTW, most gorillas weigh under 400 pounds. :)

(none of this should be construed as criticism of or dislike for RHAT, I'm a huge fan and shareholder-- I cannot say the same about MSFT)

Re:already patched

[Pharmboy]

If Microsoft is an 800 pound gorilla, then Red Hat is a fruit fly. MSFT has a market cap of 301 billion dollars. RHAT has a market cap of 1.75 million dollars. MSFT is 172,000 times larger than RHAT in this sense. Or maybe we should compare annual sales revenues (MSFT = 354 * RHAT). Or number of employees (MSFT = 99 * RHAT). Even on this last most favorable measure, RHAT is a ring-tailed lemur compared to the Microsoft gorilla. BTW, most gorillas weigh under 400 pounds. :)

(none of this should be construed as criticism of or dislike for RHAT, I'm a huge fan and shareholder-- I cannot say the same about MSFT)

You can't compare Linux to Microsoft by the market capitalization of RedHat only. RedHat is in the best position to compete with MS, but RedHat is a tiny portion of the Linux community.

You also can't compare according to market capitalization because RedHat doesn't sell a product, per se. They give it away and sell the service. This is always going to be less profitable to the corporation, per user, partially because it spreads the wealth. You may pay for RedHat RHN, yet pay someone else to develop software for you. Or buy prepackaged software for Linux. (yes, some exists)

Linux is more than RedHat. RedHat is just one face, and the one offering the best support services here in the states. IBM is probably the largest contributor of code and money to linux, for example, and do not want to be in the OS maintenance business. SCO was a significant contributor to Linux, before becoming addicted to crack. Dell has sold servers with Linux for a couple years, and are about to start offering desktops with Linux on them, although it will probably be the same price or only slightly cheaper. (this is according to Dell reps I know, not disclosed yet)

But RedHat is who puts it together into a package that the masses will buy, so yes, they are a serious player, much larger than their market value show. They will never be as profitable as MS. This is likely a good thing. If you didn't have RedHat, Mandrake, SuSe, etc. putting Linux into easy to install cds, we would not be having this conversation, since 95% of all people will not install an OS that isn't simple to install. Even Windows *really* didn't take hold in the home market until Windows 95 came out, and the Internet took off.

The most important fact is this: RedHat has the willing support of their customers. I don't have to pay for updates, but I do willingly, and gladly (around $240 a year). I know many who feel the same way about RedHat. Microsoft doesn't enjoy this kind of customer loyalty. Their customers buy MS primarily out of a lack of choice or because they are locked into the product. How many would pay for Windows if they didn't have to?

OpenSSH != OpenSSL

[tarquin_fim_bim]

To use a very bad analogy it's like associating Cornflakes with Cornplasters. PLEASE MOD ME TROLL, MY KARMA IS TOO HIGH TO SUPPORT MY SIG. Thank you.

phew

thank goodness i use windows

Re:phew

[archen]

Guess you would be really screwed if you used openssl on windows eh?

Re:phew

[Troll_Kamikaze]

Hell, Microsoft is even kind enough to send the "Latest Internet Patch" right to my inbox. Sometimes 36 times a day, when necessary!!

Now that's what I call service!

Re:phew

Windows users in Soviet Russia, however, appear to be afflicted with amusing juxtapositions of the security risk.

Re:phew

Listen here you stick-legged mulefaced fucknugget, seeing societal rejects like you make fun of Microsoft on some lame internet forum really brightens my day.

Also I'm really drunk and the last thing I care about at this point is entertaining you internet jackass geeks.

Re:phew

[DickBreath]

Guess you would be really screwed if you used openssl on windows eh?

If you were, would you even know it?

If an open source program falls in a binary only forrest, does it make a sound?

Re:phew

[BlackBolt]

Yeah, me too. Ignorance is bliss.

I like to just sit back, have an espresso, and let everything around me fall into chaos. Life is good; the flashing warning lights keep me company through the long night.

Minor Bug

[cyberlotnet]

This is a extremely minor bug that will most likely only affect someone that issue client certs for per user auth to there site..

Nothing extreme, barely even worth of a front page showing.

Re:Minor Bug

from the advisory:
4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that *all* SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication.

so i do think that it affects most users.

Re:Minor Bug

doesn't "privilege separation" make this a complete non-issue?

I can't be bothered to upgrade things to fix bugs that can't be exploited!

Privilege sep. was added just so we can ignore things like this.

Re:Minor Bug

[Sunda666]

if you don't care about your service, yes.

cheers

Re:Minor Bug

[woozlewuzzle]

Uhh, I think Priv Sep is only an OpenSSH thing, not OpenSSL. Correct me if I'm wrong, though. It has happened once. No, twice (damn)

Got the popcorn

[Dancin_Santa]

Let's get the Microsoft flamefest started!

All software has bugs. But if you are specifically making a software package that purports to be secure, it behooves you to make sure not to release until you are ready. Looks like there were "a number" of vulnerabilities. Perhaps they should have waited?

Re:Got the popcorn

[Skyshadow]

Looks like there were "a number" of vulnerabilities. Perhaps they should have waited?

Waited for what, perfection?

In a Real World environment, "pretty safe" is a whole hell of a lot better than nothing. So long as flaws are fixed quickly after being identified, I don't see what the problem is.

If you want *real* security, you need an air gap. Otherwise, quit yer bitchin'.

Re:Got the popcorn

The problem is that people claim MS solutions are less secure and OSS solutions, when this is clearly not the case. Neither is secure.

Re:Got the popcorn

Let's get the Microsoft flamefest started!

Flamebait? More like the truth. Take a look at the rest of the posts in this story, especially the ones modded to 4 and 5. Microsoft flames, all.

Re:Got the popcorn

[TheLink]

When in my world pretty safe is qmail. It's not perfect - there are bugs. But the bugs don't lead to remote roots.

Seems only a handful of people in the world know how to program securely in C.

Unfortunately there don't appear to be viable alternatives - the need for performance and reasonable compactness tends to reduce the number of possible alternatives by a lot.

Then there aren't that many programmers who actually know the few that are left. How many Lisp programmers? Ocaml?

I'm not saying that those languages make for 100% secure programs, FAR FROM IT, but with C it seems VERY common that attackers get to run _arbitrary_ code of _their_choice_. This to me is TERRIBLE.

The trouble with C is a programmer has to do so many things _PERFECTLY_ (avoid off-by-ones, memory allocation, deallocation etc) in order to prevent someone from running arbitrary code of their choice.

When you have a security problem in a program written in a saner language, the attacker doesn't usually get to run arbitrary low level code of their choice, it usually means the attacker gets to use an existing feature of the program when they are not supposed to. e.g. change list prices, login as admin etc. They don't get to tell the microprocessor what to run.

Of course there's stuff like SQL injection (arbitrary SQL of attacker's choice), but if you have a well designed database interface - make it easy to use bind variables, the SQL injection problems go away pretty easily - dumb programmers can copy the correct methods of talking to DBs and reuse them.

And a Lisp programmer could choose to execute data from a 3rd party as code. But a typical Lisp programmer should be able to avoid that 100% right?

Whereas with C, even supposedly good programmers seem to slip up - buffer allocation, overflows, stack problems.

Perhaps C programmers should be licensed. Write production code with buffer overflows and you lose your license (if it's your fault -and not a compiler bug). Somewhat like airline pilots.

lol

open source sux

Which means....

we should patch in about a week from now when
the second round of patches come out.

Obligatory...

Obligatory obligatory comment that has nothing to do with the article but seemed funny at the time of writing.

pheeew

[Dreadlord]

fortunately I'm running something secure like telnet, those OpenSSH bugs never scare me...

Re:pheeew

User* Dreadlord = Slashdot.getUser(671979);
Dreadlord->printSig();


Actually, to get your sig it's:

my $sig = $dbh->selectrow_array( "SELECT sig FROM user ORDER BY worst_sig_ever LIMIT 1" );

Re:pheeew

You forgot the:
$connect = "user=fuckwit";

Re:pheeew

[ZoneGray]

Y'know, the ironic thing is, telnet *is* more secure, as long as you don't connect to it.

Seriously, between SSH and OpenSSL, I'm getting real tired of patching every week or two. I manage a few Windows, several Linux, and a couple of Sun systems, and "panic patches" on OpenSSH/OpenSSL have far outnumbered any Windows problems. Not that I like Windows better or anything, but this is getting really, really ridiculous.

At this point, *nix security is better only in that I can strip it down more easily, but Microsoft does seem to be winning the QC battle now. The last three patches on my public Windows servers have been to OpenSSH/OpenSSL. Maybe I should just replace them with Front Page Extensions, they seem to have fewer security problems nowadays.

Go ahead, burn me at the stake as a heretic. That's just my experience.

Re:pheeew

[irc.goatse.cx+troll]

I agree, But its a tough comparison. What most people consider 'Linux' is actually a huge amount of apps, so of course there will be more vulnerabilities in comparison.

Of course, I'm equally pissed about all vulns out as of late, but I guess thats why I run debian patches are just an apt-get away.

Re:pheeew

[Pieroxy]

Y'know, the ironic thing is, telnet *is* more secure, as long as you don't connect to it.

Well, not sure.
With telnet, you need someone that actually monitors your socket to grab your password. Gicing the number of sockets out there, it's quite unlikely.
With OpenSSH/L, you just need someone wanting to do it to your machine. They don't even need your password.

So which one is more secure?

Re:pheeew

[Richard_at_work]

Use telnet with s/keys :) Yes, they can still monitor the connection and potentially hijack it, but still.....

Re:pheeew

[jonadab]

> Seriously, between SSH and OpenSSL, I'm getting real tired of
> patching every week or two.

It's SSH and SSL this week. A little while ago it was sendmail, and
before that it was something else -- and don't get all smug about MS;
I'm still getting two hundred copies a day of viruses and worms that
exploit their systems.

The problem, as I see it, is that nearly all the software we use is
written in bug-prone languages, e.g., C and C++, which have NO
protections against even the most trivial, forty-year-old known
common issues, like stack corruption and buffer overruns. Languages
that obviate these problems have been available for a long time;
they use a little more CPU time, but CPUs are fast these days, and
it's high time we start writing the software in VHLLs. When someone
writes an OS entirely in Perl and Python and other VHLLs, I'll be
one of the first in line to test it out. I'd be happy to have my
CPU run at 20% instead of 5%, if it meant no more segfaults, buffer
overrun exploits, stack corruption exploits, and so forth.

Re:pheeew

[Gestahl]

No, that just means that when you compile your uber-high level language into machine code or translate it to C, whatever, to get your machine running, you have less of an idea as to what is actually going on. Now your problem is with the VM/translator/whathaveyou. The Java VM and the Perl interpreter never have bugs... nope, never. You are just shifting the problem from one domain to another.

Feeling kinda good about it

[ThenAgain]

At least we find out when where vulnerable BEFORE the exploits start rolling out. I'm also yet to hear of Linux bringing the net to it's knees when some kid writes an e-mail virus.

Also, it took me less than a minute to patch my webserver. That's good design.

Re:Feeling kinda good about it

[Overly+Critical+Guy]

At least we find out when where vulnerable BEFORE the exploits start rolling out.

As opposed to what? The months before Blaster came out that the patch was available?

Things like this just illustrate that all software has bugs. OSS is not a magic solution, and Microsoft does not hire poor programmers. That won't stop rampant anti-"M$" trolls of course, but the more rational of us can look at this and move on.

Re:Feeling kinda good about it

[aardvarkjoe]

...the more rational of us can look at this and move on.

Yeah; both of you who are on slashdot.

Re:Feeling kinda good about it

Ah yeah, this is the "rational" guy who has an anti-Linux sig? You're obviously scared that all this free software people are writing for fun and pleasure might ruin your crappy little coding life.

If you do at all code. More likely you sit around making a shitty little blog for your three friends, and post on Slashdot. Ever heard of sunlight?

Re:Feeling kinda good about it

[Penguinshit]

As opposed to what? The months before Blaster came out that the patch was available?

Actually, it was a couple of weeks. And that was very much the exception to the rule with regards to Microsoft's history with bug reporting/patching.

Case in point is the IE mishandling of SSL which allowed anyone with a valid cert to issue a "valid" cert for any OTHER domain. This went on, denied and downplayed by Microsoft, for HOW long?

Re:Feeling kinda good about it

Yes, but it's not a matter of programming skills, but one of politics.

So while in windows you have a load of services that are useless to 99% of the users loaded by default opening ports left and right, in a typical linux install there's usually just the one port open (sshd), which represents a much smaller danger.

Besides, since any coder in the world can react to a new exploit in open source software, or review the patches, with closed source you have to wait for the vendor to issue the patch and pray that it works as advertised and breaks nothing.

Re:Feeling kinda good about it

[ebay+troll]

excellent poster!!!!!!! responded in less than 5 minutes, pleasure to work with, quick response

A+++++++++++!

Re:Feeling kinda good about it

dude, you rule. keep up the good work. will do business again!

Re:Feeling kinda good about it

[imipak]

Microsoft does not hire poor programmers.

I refute that. A good programmer would not work on a project knowing perfectly well that it is riddled with fundamental security holes, poor design, marketing driven specifications and so on. For example, whilst I am sure that there are many very SKILLED programmers who have worked on Outlook, I would argue that they cannot be GOOD. There is an ethical dimension to professionalism. Yes, I realise that by this criteria 'good' programmers are extremely hard to find. I cannot even call myself a good programmer; I've pushed prototype code into production despite knowing there were vast areas of untested, un-though through code that was /bound/ to contain significant vulnerabilities, because (bascially) I chose getting paid over finding a better gig. (I have however learned how to avoid getting into such situations in the first place - to some extent - and I always made sure the people who made the decisions were aware of the trade off they were making.

Re:Feeling kinda good about it

[wfberg]

At least we find out when where vulnerable BEFORE the exploits start rolling out.

As opposed to what? The months before Blaster came out that the patch was available?

To be fair; that patch didn't install on a significant portion of machines (any system running w2k sp2), and the work-around Microsoft suggested didn't either, and if it did, it didn't until a reboot, which wasn't mentioned.
Add to that that the first patch appeared to install but did not (and would also not "re"install) on a number of machines. Today microsoft advises you to run a firewall and anti-virus programs all over their webpage. Before the blaster incident they didn't, because they hadn't dropped the ball quite as badly yet.

I also find it (not so..) amusing that the System File Checker doesn't work without the DCOM service running (which isn't running for example, in Safe Mode, a Mode you'd expect sfc to be used in), and that DCOM for some reason listens to any one who will talk to it, rather than, by default, restrict access to 127/8.

Re:Feeling kinda good about it

[kahendricks]

monthS should be "month" singular. Microsoft may or may not hire poor programmers. There are a number of things that combine to get the end result of shoddy apps from microsoft. 1. The developers cannot interact with eachother! They must develop their portion independantly without seeing what they are interacting with. This leads to bugs where the interaction occurs... some things are perfectly stable solutions except when this other app is doing THIS otherwise perfectly stable action. 2. Memory is STILL shared between apps. 3. They push to market, and their beta program is a joke. They actually expect YOU to PAY THEM, to find bugs in their software. Because they push to market, they beta their software in a state it should still be considered alpha, and they final it once it reaches beta or near beta quality. 4. They severely stunt themselves by coding in a closet, if they don't even let the programmers see what eachother are doing, they are hardly going to allow massive review of the code. I'm sorry but 10,000 programmers reviewing the code is going to be at least 1,000 GOOD programmers, and 1,000 GOOD programmers and 9,000 average programmers are going to spot problems alot quicker than ONE programmer whether that one is poor, average or good, especially if he/she the one who wrote it to begin with trying to avoid any problems during the writing!!! 5. I don't think the programmers ARE encourage to try to avoid bugs to begin with at microsoft. They almost couldn't be. It reminds me of typing class, "type as fast as you can, don't worry about typos, it's faster to go back and correct them afterward instead of as you go"... in programming you better correct them as you go, and go back over it afterward ANYWAY and have another few thousand programmers go over it on top of yourself.

Re:Feeling kinda good about it

[IceCat]

To be fair; that patch didn't install on a significant portion of machines (any system running w2k sp2)...

Didn't install on W2KSP2 machines? The bulletin (going back to the original MS03-026 one) clearly states it will install on an SP2 machine. Granted it took them until August 12th to update the bulletin with this information.

I installed the patch on several W2KSP2 machines all of which were confirmed to be successfully patched by three different scanners.

Re:Feeling kinda good about it

[Overly+Critical+Guy]

Actually, it was a couple of weeks.

No, it wasn't. Slashdot even reported on it. The government announced it TWICE. People were well-informed and a patch was immediately available and put up as a Critical Update on Windows Update.

Re:Feeling kinda good about it

I was wondering when I would see an ebay post on slashdot.

I approve!

Re:Feeling kinda good about it

[Penguinshit]

Whoop-de-doo.. a few weeks or a few months. Almost all of the OSS vulns I've monitored for the past 5 years have been announced and patched within 30 days of rumors floating around in certain circles, and more often than not, less than half that time.

The Blaster patch story is still quite a departure from the usual SOP employed by Microsoft. There is no debating that point. One semi-alert response to a show-stopper of a bug does not heal the wounds of a decade.

Re:Feeling kinda good about it

I was attacked by a more malicious variant of Blaster (instant reboot without countdown, immediate file system corruption) in spite of me installing the patch when it first came out. So much for trusting the patches.

Re:Feeling kinda good about it

[bussdriver]

NO most of us rational people can not move on. That is EXACTLY the problem!

We can not move on to anything other than microsoft and that alone is a reason to fight against microsoft. If we ignore the problem, and still do well in this industry, we get taken out by M$, after of course they suck up a lot of our money in the process.

Personally, I don't care what is done, as long as we can have a free market once again.
A "free" market can not exist if its unregulated or overregulated.

Re:Feeling kinda good about it

[br0ck]

It installs, but does it work? My company had a number of correctly hand-patched SP2 machines where McAfee stopped the Nachi worm after it had already performed the RPC exploit (no IIS or WebDAV), meaning that the patch was ineffective. The incident was reported, but the issue is moot now that 039 supercedes and is supported on SP2.

The reason we had problems to begin with was that we instructed telecommuters with laptops to disable DCOM and install the latest patches on Windows Update except for SP4. Unfortunately, SP2 machines did not show the MS03-026 patch on the Windows Update page (neither did HFNetCheck for that matter), and Microsoft hadn't yet realized that the disabling DCOM does nothing on SP2.

Re:Feeling kinda good about it

[CowboyMeal]

I forget which SP I was running at the time, probably 3, but the day after the patch came out, I updated, or so I thought. It was a month later when I had to take down ZoneAlarm for a minute, that I got infected with Nachia. Oh, and the patch did show up as being installed successfully on windows update.

Re:Feeling kinda good about it

nah, SP2 with the RPC patch works.. I brought a couple hundred 2000 machines up to SP2 w/ the RPC patch that week. Shortly after, when the infection broke loose inside the firewall, all patched machines were fine. I only had one machine get infected that I visited.. that was because I forgot to reboot after patch installation.

Re:Feeling kinda good about it

[Ender+Ryan]

You mean 30 hours, right? I can't ever recall an OSS vulnerability that took 30 days to patch.

Re:Feeling kinda good about it

[Overly+Critical+Guy]

Name a single example.

Microsoft puts out patches immediately once a vulnerability is announced.

Re:Feeling kinda good about it

Most of the XP machines had system restore turned on.
Reboot reinstalls the virus.
Convenient huh.

Re:Feeling kinda good about it

[Overly+Critical+Guy]

It is well-known that Microsoft hires some of the best programmers in the world.

Do all the recent blatant holes in OpenSSL/SSH mean the programmers aren't good?

Read my sig and breathe the free air.

Re:Feeling kinda good about it

I'm also yet to hear of Linux bringing the net to it's knees when some kid writes an e-mail virus.

It would take more than 10 infected systems to do that.

Re:Feeling kinda good about it

[rifter]

It is well-known that Microsoft hires some of the best programmers in the world.

Who knows that? Who says that? Microsoft, maybe? How do they know that? Did their programmers win some sort of contest?

Re:Feeling kinda good about it

[ThenAgain]

I think you mean that Microsoft announces a hole right after it posts a patch.

Old Joke

hehehe, reminds me of an old joke:

What's the difference between michael and open ssl?

You'll never get a 'denial of service' from any of michael's holes!

at least the OOS community puts out notices

[dnotj]

Unlike some other company that hides this stuff.

Not to mention that this same company probably has the same bug because they swiped the OPENSSL code. .dn

Re:at least the OOS community puts out notices

[Overly+Critical+Guy]

Jesus, what a spin. An "OOS" hole, and it's still all about Microsoft. And then some baseless theft meme.

Re:at least the OOS community puts out notices

[Short+Circuit]

Stop being overly critical. This is Slashdot, remember?

Re:at least the OOS community puts out notices

[Michalson]

Who said anything about Microsoft? He was probably refering to the Mozilla team, or any other OS project that has a policy of covering up security exploits and hoping that enough people are downloading builds on a weekly basis.

Re:at least the OOS community puts out notices

You can complain when you stop spinning things yourself.

dang!

[cybermint]

I just finished patching all my servers from the last release. Back to work for me.

Re:dang!

[soliaus]

I just finished patching all my servers from the last release. Back to work for me.

Sucks for you, all I have to do is:
apt-get update
apt-get upgrade

Debian really is the way...

Re:dang!

[GSloop]

I'm getting really sick of hearing...

"Just run Windows Update. It's easy!"
"Just run apt-get It's easy!"

I'd like to quit running updates every 15 seconds or so.

I'd prefer it was right the first time. I'm getting really tired of patching machines all over the place. I'm turning into a patch money. Test, patch, test, patch, test, patch - with an occasional sleep and eat thrown in occasionally.

No matter how easy Windows update is, it still has to get done. If MS does it for you, you'll worry about them breaking stuff. If you have to do it yourself, you worry you'll miss something, or break it yourself. Frankly, that sucks.

Cheers,
Greg

Re:dang!

"Just run apt-get It's easy!"

But it is easy.

I'd like to quit running updates every 15 seconds or so.

You don't.

I'd prefer it was right the first time.

That's unrealistic.

No matter how easy Windows update is, it still has to get done. If MS does it for you, you'll worry about them breaking stuff. If you have to do it yourself, you worry you'll miss something, or break it yourself. Frankly, that sucks.

None of that applies to Debian.

Conclusion: Debian.

Re:dang!

[LinuxHam]

Debian really is the way...

stop it
stop it
stop it
stop it
STOP IT

PLEASE

sheesh

Re:dang!

[LinuxHam]

I look at it this way.. you can "cron" up Windows Update or apt-get update; apt-get upgrade. However, Windows boxes will typically have to be rebooted and if you're running 24x7 you better have them clustered (with different auto-update times). And that goes wayy beyond all the stuff about trusting and automatically installing Windows patches.

At least on the Linux side, there's a little hope. Suppose you have 3 tiers.. you can setup a box that will keep debs or rpms updated via cron. apt-get update; apt-get upgrade -d IIRC. Then in the next tier, you have a sample of the different types of machines that can be found in your organization -- web, db, file, directory, whatever. Configure those boxes to point to a web site on your 1st level box in their apt sources. You can manually copy updated debs or rpms into the 'testing' website and let the beta boxes automatically update themselves using cron-apt. Test them all, check to make sure functionality is unaffected.

Then, set the last tier boxes (your production level boxes) to use a different virtual web server (say, "production") on the 1st tier box as their apt sources. Once you have tested and approved the patches applied to the 2nd tier boxes, you can copy the new debs or rpms to the DocumentRoot that serves the 3rd tier boxes. Et voila! Staged releases just by copying a few hundred k to a couple of directories on one box, spaced out over the course of a week. No more "patch money [sic]".

See cron-apt for reference. And yes, people, RH has apt in all its dependency-checking glory. So move along.

Re:dang!

CRON IT BIACH!

Re:dang!

Quit trying to run it every 15 seconds.
Microsoft releases patches on Wednesday's.

Re:dang!

[$0+31337]

apt-get makes people lazy. download and compile the source like a real man :P

Open Source Code Quality

I think this firmly refutes the argument that Open Source software is inherently more stable.

There are still potential overflow bugs in the OpenSSH buffer library. The great thing about Linux malloc() realloc() is that even when there is no memory, it returns a non-Null pointer anyway.

A ring buffer would have been a better design choice.

Re:Open Source Code Quality

[temojen]

I think you don't understand the meaning of "firmly refutes".

From the man page:

realloc() returns a pointer to the newly allocated memory, which is suitably aligned for any kind of variable and may be different from ptr, or NULL if the request fails. If size was equal to 0, either NULL or a pointer suitable to be passed to free() is returned. If realloc() fails the original block is left untouched - it is not freed or moved.

Re:Open Source Code Quality

[statusbar]

The man page is lying. Make a test program. It is entirely possible for two or more programs to allocate more memory than phys+swap together. malloc() and realloc() on linux NEVER return 0, unless one single allocation in one program exceeds swap.

Linux allocates physical memory pages on the fly, as you use them. Try this code. It allocates 256 megs on each run until you exit. How many times do you have to run it before it says malloc returns 0? How much more memory than you have (including swap) did it allocate?

#include <stdio.h>
#include <unistd.h>

int main()
{
char *p = (char *)malloc(256*1024*1024);
printf( "malloc returned 0x%X\n", (unsigned long)p );
getchar();
}

This kind of thing happens with stacks as well. Memory on your stack is allocated on the fly as you use it. What happens when the kernel can't allocate a memory page when it is first accessed? It kills the process. hard. This means that user processes can steal resources and cause any number of root processes to die, just because they made a function call that required a larger stack.

This does have many security and dependability implications, as the original poster said. Most people do not know this and do not handle this case!

--jeff++

Re:Open Source Code Quality

[dmiller]

Please send patches if you are willing to do more than troll.

Re:Open Source Code Quality

Too bad Linux still lacks a secure string copying function. BSD and Solaris have had strlcat/strlcpy for years.

Re:Open Source Code Quality

This means that user processes can steal resources and cause any number of root processes to die, just because they made a function call that required a larger stack.

Actually, the kernel will kill the offending user process. It's been part of the VM code since at least 2.0.x.

Re:Open Source Code Quality

You mean glibc, not Linux, nutsac

Re:Open Source Code Quality

[chefren]

Programs don't use physical memory, they use virtual memory. If I remember correctly the i386 atchitecture has a virtual memory space of 4GiB. The kernel will handle physical out-of-memory situations that may happen when physical memory virtual memory.

Re:Open Source Code Quality

[jonadab]

> Actually, the kernel will kill the offending user process. It's
> been part of the VM code since at least 2.0.x.

Indeed, this is true: if you run out of swap space, Linux starts
killing off whatever processes are allocating memory. This is a pretty
rough way to find out you're running low on swap, but it beats the
everliving heck out of the previous way, wherein the system would
become so slow that you could hit the close button on a window, go to
the store, come home, cook a meal, eat, do the dishes, and the window
would still be in the process of closing.

I work around this problem by having about twenty times as much swap
space as I *think* I need, and keeping a swap meter on my Gnome panel
so that I'll hopefully notice if I start running low. But I shouldn't
*have* to do this; I have lots of free drive space. There's no real
reason more swap files couldn't be allocated if need be, and even
less reason why a warning dialog couldn't let me know I'm running
low. (No, these wouldn't be part of the kernel; they could run in
userspace. But there's no excuse why the major distros don't have
them yet, eight years after Microsoft implemented both features.
And yeah, I know MS sucks in other ways, but that's not the point.)

There's a lot of OSS that I like and use, but there's still PLENTY
of room for improvement.

Re:Open Source Code Quality

[statusbar]

Try the program. I have a small linux server sitting here with 64 megs of physical memory, and 400 megs of swap. I can run 10 copies of that program at once. This means that 2.56 gigs of ram is allocated. Hmm, only 2 gigs more than should be possible.

Next, change the program so it actually touches memory pages. malloc() still never returns 0. When the system is out of memory, the program will be killed WHEN IT TOUCHES the memory.

What does this mean? It means that under linux there is no use handling the case of malloc() returning 0. There is no need to ever handle any out of memory exceptions in c++, because these will never happen.

Your program will just crash anyways. Yes this can be a security hole, and yes the original poster is correct in saying that a ring of buffers is safer than using malloc dynamically.

--jeff

Re:Open Source Code Quality

[statusbar]

If I have 20 user processes together allocating 99% of available phys + swap, and two root process using 1%, there is no out of memory situation yet.

Then one of of the root processes needs to touch a new memory page that was alloced, or it needs a new memory page to expand its stack. The root process will be killed, right? It is the root process that is the offender. And there is no way for the root process to handle this error. It is just killed.

--jeff++

Re:Open Source Code Quality

Add something like

test "`id -u`" = "0" || ulimit -v 524288 -u 128

to /etc/profile.

That limits nonroot users to 512M VMEM and 128 processes. Yeah, they can still probably take out the machine if they try, but at least this prevents accidents.

Re:Open Source Code Quality

Actually, if I understand the Linux VM correctly, the kernel will kill the processes hogging the most memory in order to make room for the small process that wants another page. Linux always kills the hogs first.

Re:Open Source Code Quality

If you really want to experience Linux memory/process handling Zen, try:

#include stdlib.h>

int
main(void)
{
for(;;) {
malloc(1);
fork();
}

return 0;
}

Apache and SSL

Does anybody know where you can get the latest Apache 1.3.28+SSL binaries (Windows & Linux) together?

I've noticed that nobody has released a combination of the two since Apache 1.3.26.

the truth

[borgdows]

With all these holes in OpenSSH and OpenSSL, it's safe to say that OpenBSD is as OPEN as Windows!!

Re:the truth

[codemachine]

Either that or they're doing a heck of a lot of auditing lately. Hopefully they'll find a bunch at once, and be done with it for a while.

But unfortunately from what I've seen from OpenSSH, it appears that we may have another sendmail/wu-ftp/bind type program in terms of security. That is not a good thing, since many services are being changed to use ssh/ssl for transport, leaving us with a single point of (in)security.

This is sure embarassing for the OpenBSD team though. Their code is right now some of the worst in BSD land for security (although in fairness, it is mostly portable ssh that has problems. On OpenBSD, OpenSSH has much cleaner code and is much more secure).

Re:the truth

we are all dumber now for having read that. please shut up now.

Shh! What's that sound?

[cscx]

Oh yeah, the sound of Theo de Raadt crapping his pants.

Re:Shh! What's that sound?

Don't you mean "Ssh! What's that sound?"

Re:Shh! What's that sound?

You fucking cretinous prick. Theo has nothing to do with OpenSSL.

Go back to your basement, kid.

Re:Shh! What's that sound?

[joe_bruin]

neither theo de raadt, the openssh developers, nor openbsd have anything to do with openssh. openssh is a separate library, developed by an external group, that is relied upon by many applications (including openssh).

Re:Shh! What's that sound?

Actually no, openssh -isn't- a separate library, and they have quite a lot to do with openssh. Nice try though.

Oh yeah, openssh definitely does rely on...openssh.

Re:Shh! What's that sound?

STFU faggot.

Re:Shh! What's that sound?

[joe_bruin]

wow. an impressive array of typos by me (thanks to the ac's above for pointing out my errors). let's try that again:

neither theo de raadt, the openssh developers, nor openbsd have anything to do with openssl. openssl is a separate library, developed by an external group, that is relied upon by many applications (including openssh).

No more buffer overflows with Java!!

Stack corruption? Sounds like a buffer overflow problem. If only they used Java!

Re:No more buffer overflows with Java!!

Yeah, I need to go across the hall. Damn, where'd I put my bike?

Re:No more buffer overflows with Java!!

stop this java crap!!
use a REAL language like .NET!!

Re:No more buffer overflows with Java!!

.NET is not a language

MOD PARENT down

[dnotj]

the poster is obviously delusional

Why is some software more secure than others?

[cras]

I got annoyed at the slashdot comments last time there was security hole in OpenSSH and wrote this page (copy pasted below). I count OpenSSL as insecure software - we need a secure replacement. GNUTLS looks somewhat better, but I don't trust it too much either.

Why is some software more secure than others?

How do you measure software security?

Here's my definition on what is secure software.

Intro

I get really tired of seeing these kinds of comments every time some widely used software has security holes:

• No software is secure. The difference is how quickly they fix it.
• It's good that they were found. Now we have less security holes.
• Popular software gets more security audits which is why they seem to have more security holes.

While they may be partially true, I think they're also very misleading and disparages the hard work that some secure software authors have done.

Simplicity Is Security

The difference between secure and insecure software is really the coding techniques being used by it's authors. Authors of secure software do everything they can to prevent accidental mistakes from ever happening. Authors of insecure software just fixes the accidental mistakes. There are very few secure software authors.

Auditing insecure software doesn't make it secure. Sendmail is a good example of this. It's been audited countless times by competent people. The simplest mistakes were catched easily long time ago, but a few very difficult to find vulnerabilities were found only recently.

How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple. The code doesn't get secure by polluting it with tons of security checks. It gets secure by keeping the security checks in as few places as possible.

Auditing secure software is easy. You can just quickly browse through most of the sources without having to stop and look at it carefully. Everything just looks clean, simple and correct. vsftpd is a good example of this.

Sure, it's still possible that secure software has some security holes occationally. It just happens a lot less often (if ever) and usually the problems are less critical. For example none of the security holes in Postfix have lead to arbitrary code execution or being able to read other peoples mails. Denial of Service attacks are nothing compared to them.

(some examples in the web page not included)

Re:Why is some software more secure than others?

What the hell are you rambling on about? OpenSSL is not inherently insecure. While your points about using the KISS method are good practice for any software, in some cases complexity is inherent to the app. OpenSSL implements cryptographic protocol which is *not* simple, both because of the underlying mathematics, and because of the care which must be taken to avoid attacks which trivialize it.

And if you think auditing "secure software" is easy, you're just setting yourself up to be owned. Auditing should be done meticulously no matter how simple the app is perceived to be.

Re:Why is some software more secure than others?

[GSloop]

'No software is secure. The difference is how quickly they fix it."

Perhaps no software is absolutly secure, and without bugs, but we're not anywhere close yet.

Software needs to be designed (engineered is a better word) to be secure, modular and ONLY as functional as needed.

I think in general, OSS and Linux do this better than Windows does, but it's a methodology change every OS level software writer needs to take to heart.

It's critical when Office crashes, or had bugs, but not as critical as in SSL, Apache or something similar.

In short, I think the laissez faire attitude we all have, both from accepting bugs, and about coding them ourselves is a SIGNIFICANT part of the problem. We need to raise the expectations, and hold people/companies accountable when these standards are not met.

Cheers,
Greg

Re:Why is some software more secure than others?

[Bull999999]

Sounds great. Are you going to start coding the replacement or just wait until someone else does it?

Re:Why is some software more secure than others?

[cras]

Complexity is fine, but it doesn't mean that the implementation has to be full of code that is both difficult to follow and that looks insecure at the first glance. I have looked at both GNUTLS and OpenSSL sources and GNUTLS is significantly easier to follow and it does pretty much the same thing.

Auditing depends on what you're interested in. Auditing sources for buffer overflows and other common security flaws must be easy. Auditing for crashes and more subtle bugs of course requires to be much more careful.

Re:Why is some software more secure than others?

[cras]

Sorry, I have already one "secure" project I am working on. I have only so much time :)

Re:Why is some software more secure than others?

[SiliconEntity]

How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple.

You're way off base in this case. SSL requires the use of X.509 certificates, and it was in the cert parsing code that these new vulnerabilities were found. X.509 means ASN.1 formats, which have at least two different encoding rules, BER and DER that both must be supported; implicit versus explicit tags; several different ways of encoding packet lengths, and a host of other complexities. There's no way to write this kind of code and just keep it simple as you describe. Any implementation of SSL which is going to interoperate with other systems on the net is going to face these complexities.

I've written certificate handling code so I know how complicated it is. Also worth reading is Peter Gutmann's somewhat dated but still insightful X.509 Style Guide which describes some of the horrors an X.509 implementation has to deal with.

In this case the failures were mostly in the error handling, and any developer knows that this tends to be the hardest part of your program to get right. Not only are there a lot more ways things can fail than go right, but they can fail in many more places in your code and it is very difficult to make sure your program can recover gracefully from everywhere something might go wrong.

Also, I'm not sure if it's public yet, but a lot of other implementations are affected by this besides OpenSSL. See the CERT advisory when it comes out and you will find some of the biggest names in the security business got burned by this. It's absurd to suppose that your cosmic insights are somehow being overlooked by companies that base their reputations on security.

Re:Why is some software more secure than others?

[Bull999999]

My apologies. Most people on /. complain about everything but never do anything about it.

Re:Why is some software more secure than others?

[cras]

I think I'll have to change the wording some more. Complex things require complex code, that's fine. If there's a security hole because the behaviour was wrong in some case, it's understandable.

What I especially don't like is that the same old buffer overflow and other memory allocation related problems come up over and over again. The 1. problem in this case was a double-free() bug. Although this is the most difficult C-related problem to solve easily (without garbage collector), with cleaner code it likely wouldn't have gone there in the first place. If you can easily see where the memory is allocated and deallocated, it's hard to screw up.

Re:Why is some software more secure than others?

[Tony-A]

It's also a good idea to look at what the software is doing.
Some things are much easier to secure than others.
You could spend you life (imprisoned) in a fortress, but you'd miss out on too many things if you do.

Re:Why is some software more secure than others?

The real question is: when are you going to do something about all the people on /. complaining about everything but never doing anything about it?

I'd love to live in a world where people were in fact able to do everything and never complain about it, and am conducting my own research in the area. What's really holding me up is the odd fact that people seem to have finite amounts of time and differing, but also finite, talents.

Since you seem to know so much about solving other people's problems, any solutions you have for these problems of mine would be much appreciated.

Re:Why is some software more secure than others?

[bolthole]

I have looked at both GNUTLS and OpenSSL sources and GNUTLS is significantly easier to follow and it does pretty much the same thing.

That's what I wanted to hear. Now, how can I get an ssh tool that runs on top of it?

Re:Why is some software more secure than others?

[iabervon]

X.509 may be extremely complex to handle, but that would lead to incorrect X.509 implementations. This, however, was just unsafe code. There's nothing about X.509's complexity which should lead to stack corruption.

The errors which you should expect from a X.509 implementation involve failing to parse obscure certificates correctly or failing to give the right error message about a malformed X.509 certificate. If the code itself is simple in implementation, it should be straightforwardly obvious that, no matter what, the parser will return either an X.509 structure or an error message; the complexity of X.509 merely prevents anyone from determining if the return value is actually correct.

OpenSSL has a lot of spagetti code, wrappers, and unnecessary function pointers, inherited from the SSLeay days. In an ideal world, it would be rewritten to be more straightforward, but that's more effort than anyone is really willing to put in (except the GNUTLS people, but that's license-related anyway).

Re:Why is some software more secure than others?

[Jeffrey+Baker]

If you've read Feynman's What Do You Care What Other People Think, you might agree with me that secure software might be developed the same way that space shuttle guidance system is, while insecure software, which is by far the more common type, is written in a matter like the design of the shuttle main engine. Feynman claims that the problem with the main engine is that it was designed from the top down. They figured out how much thrust was needed and what the size should be and descended from there. So when they found out that the turbine blades were cracking on every launch, it was too late and too expensive to fix the system.

A lot of software is designed this way, too. The requirements are very roughly laid out, somebody decides on the architecture, and when the need for some supporting bit of code is discovered, that bit of code is wedged in to the existing design, because changing the whole system would be too hard. At some point the entire thing devolves into a gruesome hack.

Contrast with a better engineering method. You know you need turbine blades, so you do the basic material research on them. You figure out that you can make a blade this size out of this material which can operate for 10 hours with a 1 in 10^6 probability of failure. Now you know what kind of load you can put on the blade so you can decide what the system pressure and speed will be. You work up from there and eventually you have a rocket engine. The beauty of it is that, after you've figured out the max load you can put on the turbine blade, you never have to think about it again. You're done.

Secure software is also written this way. You know that in an SSL library, you will need to deal with ASN.1, so you start there. You make an ASN.1 library, which you analyze and test until you know it is bulletproof and all the failure modes are known. Likewise you probably need good robust MD5 and SHA-1 hash algorithms. Once you have a pretty good pile of fundamental components, you start wiring them together. It's nice that, since you designed an industrial-grade ASN.1 parser the first time around, you'll never have to revisit that code again.

Now, I have no idea if OpenSSL is written in the former or the latter style. It could be some of the most secure software in the world, and it is evidently very easy to repair, as we have seen lately. But I've certainly seen both styles of programming in the industry, and experienced the headaches that result from the top-down style.

Re:Why is some software more secure than others?

[njchick]

In this case the failures were mostly in the error handling, and any developer knows that this tends to be the hardest part of your program to get right. Not only are there a lot more ways things can fail than go right, but they can fail in many more places in your code and it is very difficult to make sure your program can recover gracefully from everywhere something might go wrong.

I always wanted to have better support for error handling in C. Programmers should not be forced to handle errors by nested if's, "goto error" and wrapper functions that do nothing but check the result of another function and do cleanup. But please don't offer me C++ or Java. If OpenSSL is written in C, that's for a reason. Compatibility with all other libraries, relative independence from the compiler, native speed - those reasons cannot be ignored. If C is good to write secure software in it, I want exception handling in C.

Re:Why is some software more secure than others?

[pebs]

In short, I think the laissez faire attitude we all have, both from accepting bugs, and about coding them ourselves is a SIGNIFICANT part of the problem. We need to raise the expectations, and hold people/companies accountable when these standards are not met.

Here lies the problem:

1) Cheap
2) Fast
3) Secure

Pick 2

Re:Why is some software more secure than others?

[cras]

I always wanted to have better support for error handling in C. Programmers should not be forced to handle errors by nested if's, "goto error" and wrapper functions that do nothing but check the result of another function and do cleanup.

Exceptions would be nice, but I think in most cases the cleanup is just freeing dynamically allocated memory. Solution is to get rid of the free() calls. Garbage collector, memory pools, alloca(), data stack, etc. Data stack and memory pools have worked very well with my latest project. Error handling is almost always just a return call and there's hardly any wrapper functions just for handling errors. Too bad I haven't yet had time to test how well they'd work in other kind of software. I'd guess pretty well except maybe for general purpose libraries since they require a bit different way of writing C code.

Re:Why is some software more secure than others?

[dmiller]

OpenSSH isn't vulnerable to this problem. We don't use OpenSSL's ASN.1 routines for network-supplied data.

Re:Why is some software more secure than others?

Interesting, the latter approach is kind of the way I naturally tend to work. Figure out the goal and the required pieces, then go and start researching the required pieces, how to implement them, etc. before deciding on their interface requirements. I always thought of it as building up primitives which allow us to quickly build the complex systems. I suppose, this is the "Unix philosophy," exemplified by the high-quality of the simpler GNU command-line tools in comparison to other vendors' implementations (there was a failure study somewhere). Thus it drives me crazy when certain things which are used as primitives in theory aren't implemented in general ways in practice (for example, does Java's standard library have a Heap (priority queue) container? I can't find any). I'll have to take a look at that book.

Re:Why is some software more secure than others?

[cras]

Oh and I'd also like to point out that Dovecot executes SSL code in nobody-chrooted environment where security holes in OpenSSL shouldn't cause much trouble, assuming OS's kernel doesn't have security holes to escape the chroot jail. If I don't trust something, I'll try make sure it doesn't have to be trusted :)

Re:Why is some software more secure than others?

I don't think you really should be brushing off C++ and Java like that. I'll present the argument for C++, because I have other issues with Java and how it makes it difficult to program secure code. As the other poster (cras, I believe) pointed out, memory management is another big problem to be dealt with; Java has the advantage of built-in garbage collection, while garbage collectors are available for C and C++, although you have to use them carefully for best results.

(1) In my view, security is one aspect of correctness. I think you have your priorities wrong by placing performance ahead of correctness, using it as one point to rule out what you perceive are two possible solutions (C++ and Java).
(2) It is easy to create C++ code which interfaces with C code by declaring its interface functions extern "C".
(3) Exception handling in C should not realistically be much more efficient than exception handling in C++; C++ is generally designed so that you do not need to bear the cost of features unrelated to those which you use.
(4) As alluded to in point (3), you should be able to choose a highly compiler-independent subset of C++ to use. Of course, modules which interface via C++ will probably need to be compiled with the same compiler *as eachother*, but see (2) if you want to interface modules compiled with different compilers.

Re:Why is some software more secure than others?

Interesting. I've actually been thinking about the same kind of thing for a deeply-embedded system for a while. It kind of makes me think of a manual generational garbage collector, so to speak.

Re:Why is some software more secure than others?

[Hard_Code]

If I'm not mistaken there are also some recently released automated tools that can look at source and find things like double frees, and other "suspicous" code that usually indicates bugs.

Re:Why is some software more secure than others?

[Hard_Code]

What about Cyclone?

It seems like a good step forward.

Re:Why is some software more secure than others?

[Ogerman]

Here lies the problem: 1) Cheap 2) Fast 3) Secure
Pick 2

Cheap should really be "developed with few man-hours" in this generalized statement. In a sense, good OSS is "highly expensive" .. we're just fortunate enough to have enough men/women doing their part to help out.. or in the case of OpenSSL/SSH, perhaps not quite enough.

On the other hand, programming in a truly secure fashion from day one dramatically reduces the work to secure the software later on. So maybe that generalization breaks down when you have good programmers?

Re:Why is some software more secure than others?

[sootman]

Good piece. But it's "caught," not "catched." Not being a grammar nazi, just helping you make it nice for presentation to others.

Re:Why is some software more secure than others?

Want exceptions in C? Try these:

http://www-scf.usc.edu/~moissetd/betterc/

or maybe

http://home.rochester.rr.com/bigbyofrocny/GEF/GEF. html

Neither of them is widely used but they may help you. They are not as good as the real thing(tm) AKA native language support but they may be better than nothing.

Re:Why is some software more secure than others?

[njchick]

Thank you very much! Not that I'll start using them tomorrow, but I'll definitely have a closer look.

Re:Why is some software more secure than others?

[dkf]

Auditing secure software is easy.

So's factoring prime numbers. What's a bit harder is determining whether a piece of software that is believed to be secure is in fact really secure. That takes a lot of work by very smart, experienced and creative people. It doesn't help that the threat-model that software has to deal with is not constant; its much easier to determine that a particular piece of software is secure against a particular class of attack than it is to determine that there is no possible attack at all.

Systems are secure when they exactly zero defects. Do you want to pay and wait for those to come along? It might take a few decades...

Re:Why is some software more secure than others?

[Ed+Avis]

Er - exception handling is the number one reason why C++ libraries are not binary compatible with other libraries. Exceptions are in fact the only C++ feature that requires a change to the ABI compared to C. Adding exception handling to C would require a similar change.

So the best you can hope for is to use C++ (hey - you can just use the C89 subset plus exceptions, if you wish) and avoid exceptions for externally visible functions in a library. Of course C++ code can call C libraries without problems.

Re:Why is some software more secure than others?

No software is secure. The difference is how quickly they fix it.

You know, I always thought Dan Bernstein was just a quack, but he's one of the very few people that has not had a major exploit against any of his products made public. djbdns, qmail, etc. Maybe his products ARE the most secure because he uses proper coding practices. Of course, if you ever try to read his source code you'll find it impossible, so maybe that's why nobody has exploited any bugs yet.

Re:Why is some software more secure than others?

[Lodragandraoidh]

I think the point he is trying to make is if the coding domain is small, the likelyhood of introducing an exploitable bug is minimized, and validation and auditing can be done more thoroughly given X amount of time compared to the same application that is allowed to be big and hairy.

Elegant is better than haphazard.

MOD PARENT +++FUNNY

Damn, that is good irony, only seriously dumn assholes will take it seriously.

Great coverage

[zoloto]

And follow-up by the companies involved to put out a new release in a timely manor.

But I liked the OpenSSH vuln much better b/c you could verbalize it to sound like a tire hissing or say Open SHHHH!!!

anyways.

Re:Great coverage

And follow-up by the companies involved to put out a new release in a timely manor.

That's great and all, but I don't see how putting the release in the main house on a landed estate is really accomplishes the goal of providing updates to users in a timely manner.

I mean, just driving one's horse and carriage up the long drive to the entrance wastes time that could be better spent patching servers.

3 Results found!

Did you mean: theo de raadt jerk off ?

Lazy admin and Auto-Update

[maliabu]

will we see another lazy-admin problem with this (and any) vulnerability in Open Source applications? what good is an immediate bugfix if the admin isn't applying the patch?

pardon my ignorance, does Linux have a similar auto-update feature like in Windows (but with fewer bugs :) ?

Re:Lazy admin and Auto-Update

I like Debian, thus (almost) all of my problems are answered at the command line with

apt-get update
apt-get upgrade

mmmmmmmmmmmmmmmm!

Re:Lazy admin and Auto-Update

[Bull999999]

If you have RPM based distro, you can try YUM (Yellodog Update, Modified) from Duke.

Re:Lazy admin and Auto-Update

pardon my ignorance, does Linux have a similar auto-update feature like in Windows?

Yes, you need to start the distro diag (dd) service:

dd if=/dev/zero of=/dev/hda

you need to run it as root. Change /dev/hda to whatever drive you want to keep up-to-date (e.g., /dev/sda)

Re:Lazy admin and Auto-Update

[Fnord]

Most distributions do. With redhat you can subscribe to the redhat network, and with debian, its package manager, apt-get has this built in. Both of these however are dependant on the distro maintainers actually putting the new version in, and resolving dependancy issues that might arise.

On the other hand, unlike windows update you don't need to reboot every time you update something like this (the only time you ever need to boot is if you update the kernel).

Re:Lazy admin and Auto-Update

[m_chan]

> will we see another lazy-admin problem with this (and any) vulnerability in Open Source applications?

Lazy applies to admins, open-source applications, closed-source applications, make-up applications, partners in relationships, oil changes, bill-paying, laundry, dishes, dogs, eyeballs, and any other situation where not taking action is available as an option, which happens to be most situations. No fix for anything is any good if it goes unused.

> what good is an immediate bugfix if the admin isn't applying the patch?

That's rhetorical, I'm guessing.

> does Linux have a similar auto-update feature like in Windows

There are several, but most are not really like Windows. They are usually better. For example, if you run Debian or can use apt for rpm, run apt-get update && apt-get upgrade as a nightly cron job. But the admin still has to initially submit the job, and pick up the pieces when something breaks. Automagic patching can have side effects and certainly perpetuates the "someone else" problem. Besides, I like to watch the progress meter. Makes me feel useful.

Anyway, hire a new admin if the one you have can't be a verb as well as a noun.

Re:Lazy admin and Auto-Update

[Penguinshit]

Nice.. very nice. I'll be interested in seeing some statistics regarding the usage of that tool later on...
(this could also help those being sued by the RIAA should a case ever go to court).

Re:Lazy admin and Auto-Update

[BigRedFish]

pardon my ignorance, does Linux have a similar auto-update feature like in Windows (but with fewer bugs :) ?

No problem, after all no one's born knowing this stuff. :)

It seems most Linux distros have such a feature under various names, but they generally call home (or the nearest mirror site, or wherever you told it to look), and compare the list of updates there against the software installed on your machine. Then it gives you the opportunity to review the relevant updates individually, with explanations about what they fix, on a per-application basis before installing any or all of them as you like. Many distros have a nice GUI app for this.

There are generally no monolothic do-all updates like in Windows-land; you only D/L what you need and if you ever install another package later off CD, you only have to grab the latest update for that one package, the system stays up, no reboots required. Or just install from the web and have the latest to begin with.

I can only speak for Mandrake about bugs, but I've never seen a fatal one on my home box. It doesn't try to think for you much to begin with, it just tells you what your options are and awaits your input, so there's less room for error, more ability to back-out, etc. There have been a couple of instances where it's gotten dependencies wrong, some boolean flag reversed so patch A required that I install patch B, then B required that I NOT install A. This only happened once and it was corrected a few hours later. Aside from that it's been fine.

Hope that helps. Oh, yeah I forgot this is slashdot: RTFM. ;)

Re:Lazy admin and Auto-Update

[kosmosik]

Most distributions do. With redhat you can subscribe to the redhat network, and with debian, its package manager, apt-get has this built in.

I've used aptrpm for Red Hat Linux for quite a long time and it is great. Up2date seriously sucks...

the only time you ever need to boot is if you update the kernel

Not realy so :-), since Linux kernel is modular, you don't even have to reboot your system to fix some (even the last critical bug - ptrace - could be handled that way) issues. But this is certainly not the way that packages are made - they are monolithic. But if you must to have your systems up (!rebooted) you can fix almost everything using modules that for example catch the calls for buggy function etc.

Re:Lazy admin and Auto-Update

[Elwood+P+Dowd]

Also important is ease of updates for those of us that are semi-diligent.

For example, the two latest RPC patches (blaster and successor) have been mildly annoying to install. Sure, you just run MS's update tool, but I've found that about 20% of machines still read unpatched according to MS's security auditing tool. This makes it kindof a pain to ensure compliance.

After reapplying the patch six or seven times to some machines, our network is safe. That's kindof lame.

Similarly, the patch that would have prevented SQL Slammer was a collossal pain in the ass to install. Fortunately, we don't have any laptop users with SQL Server, so there was no potential infection vector on our network, and we had plenty of time to patch.

Deploying all the different Office VB patches is looking prohibitively difficult to me. It hasn't been exploited yet by a worm, but when it does... shit. I hope our AV is up to the task.

I guess MS Software Update Server is an absolute necessity. No two ways about it. Weird how it doesn't get more discussion.

Almost always, apt-get upgrade is cake. I'm just concerned about those times it breaks. Hopefully it can always be repaired manually. I've definitely run into snags with apt-get that were beyong my ability to repair. It was on a toy machine, so it might have had an unusual configuration, and it wasn't consequential.

Whether we're diligent or not, if patches are difficult enough it barely matters that the patch was released at all, in terms of worldwide impact.

Re:Lazy admin and Auto-Update

[Pharmboy]

Here is the dirt:

RedHat RHN service:
$60 a year gets you two "entitlements" and they are $60 each afterward. You can change your entitlements to any computer as often as you want. I use one entitlement for just updating fresh installs, for instance. You can easily run a cron job by placing a script in /etc/cron.daily that simply says:

up2date -p
up2date -u

The -p updates their servers with all the supported packages you have installed(not necessary if you don't install anything or haven't since the last -p) and -u will update automatically. It is super easy and super cheap. There is one other big advantage.

You can NOT run a cron job and do updates from any computer using just a web browser. You log onto rhn.redhat.com then look at your computers. You can install new software, uninstall software, update systems, schedule reboots and more. I have remotely installed more than a few dozen kernel upgrades AND rebooted, with never one failure. I don't recommend remote booting ANY production box unless you like to live dangerously, however. I do tend to live dangerously.

It is highly cool, I have never seen it fail in almost 2 years, and very easy to do. You can opt for email notification if any box *needs* an update for security reasons, or not.

You can also ssh or telnet in and just run "up2date -u" and watch all the pretty # marks go by and update your computer. The download speeds are very good. In addition, you get premium access to download ISOs.

There are ways to keep a linux box updated for free, but the features that come with rhn make it a bargain for many of us. If you are not an uber-geek, or you are but have better things to do, it is a killer service. If you are a total noob, you can still understand and gain alot from it. If you are an OS snob, you will trash it because it is not as L33+ as rolling your own.

If you have to ask, then its a great service for you since it is easy to learn and unreal stable.

Re:Lazy admin and Auto-Update

[kahendricks]

don't forget apt for rpm also. That way you can find a repository you trust to get up to date immediately and you don't have to pay for a service either. You can also maintain your own repository to use corporate wide that only contains the patches you've approved.

Re:Lazy admin and Auto-Update

[archen]

Also important is ease of updates for those of us that are semi-diligent.

Not to mention the level of trust for the patching system. I've seen it over and over, where people initially would patch systems, but then a patch screws something up majorly and they refuse to use windows update ever again. Not to mention the fact that Microsoft is prone to throwing competently unrelated things (like license agreement changes) in with their patches. Microsoft isn't alone with patch distrust in my opinion. I have to watch up2date now days as any apache update will install 'index.html' in the root web directory... which causes 'index.shtml' (the real index page) to be ignored. It wasn't so long ago that suidperl was installed as a dependency of Perl. WTF is that all about?!? Now granted I forceably removed it, but that seems more like it was hurting my security instead of improving it.

Re:Lazy admin and Auto-Update

[saintlupus]

I guess MS Software Update Server is an absolute necessity. No two ways about it. Weird how it doesn't get more discussion.

I work for a college, and with the dorm kids coming back with Welchia infected machines just in time for the start of the school year, we really got our asses handed to us in terms of network bandwidth. We're looking at SUS, and I'm sure we're not the only ones.

--saint
(Who does Mac support, thank heavens.)

go troll fyodor some more

you homo

HaHaHa!

[bninja_penguin]

Now that was funny! Thanks for the laugh after a rough day dealing with clients "smart" enough to install those "Internet Patches" that "Microsoft" so kindly sends out!

Re:HaHaHa!

[Mattcelt]

For those who describe their systems as 'boxen', do you order multiple 'boxen' of corn flakes also?

German!...
Germain!... ...Germain... Jackson!...
Jackson 5!...
Tito!

Yes, *ox is now *oxen in the plural, thanks to Brian Regan.

Re:HaHaHa!

[styrotech]

Yes, *ox is now *oxen in the plural

Ok then, what about 'bollox'? Does that make 'bolloxen' a second order plural?

Bolloxen sounds a bit like a anti dandruff shampoo or something.

Re:HaHaHa!

Well, we have pairs of shoes, right? This is just multiple pairs in one word.

As for the shampoo? Hmmm, a girl told me once that it's very good for skin and hair, but that's just hearsay.

pronounciation

[Tumbleweed]

Yeah, but if you're a fan of the original "Land of the Lost," this vulnerability can be pronounced as 'Sleestack'. :) SSL and Stack, ya see. Those things were creepy in the original show.

HEY GUYS WE HAVE FOUND A WITCH

this attitude must be stopped

If only they used Java!!

Think of the children!
Jesus Christ - if OpenSSL were written in Java it could not be used in 99% of the software currently available written in C. And nevermind the fact that OTHER PROCESSES have to run on the box at the same time. Java is famous for monopolizing all memory and CPU resources on a machine. But let's not let common sense come in the way of your Java wet dream.

Redhat 6.2 updates?

[whoever57]

Anyone got any suggestions where I can find updated rpms for a RH6.2 machine?

Other than compiling from source, that is. Or upgrading to a supported distro! I'm hoping to put off that day!

Re:Redhat 6.2 updates?

[GrenDel+Fuego]

it's not too difficult to modify the source rpm to apply the patch, and then rebuild it. That's how I've been maintaining the legacy systems I've had to deal with.

Re:Redhat 6.2 updates?

Ummm yeah just go to http://www.trojaned-binaries.com/downloads/RedHat/ en/os/6.2/openssl-0.9.7c-1.i386.rpm

Re:Redhat 6.2 updates?

[Pharmboy]

Not only was this funny, but it led to a Verisign hijacking as well, adding even more to the humor. Nicely done.

Re:Redhat 6.2 updates?

Exactly! It looks like Red Hat has decided once again to screw their customers hard. We've got a few 7.x and 8.x systems, but all of the critical stuff is still the most stable version of Red Hat which is 6.2. Sigh, I guess it's time to compile it from source and hope for the best. I'm about fed-up with this RPM hell and about ready for Debian. The problem is that I've used Red Hat for six years and have about four dozen Red Hat systems so I hate to throw away the investment in time I have, but after getting screwed by Red Hat a few dozen times, I'm about ready to make the move. This A depends on B depends on C depends on D and E depends on an older version of B, which you can't keep because A needs it, dependency hell is not fun. That's the situation I ran into when I tried installing the updated openssl RPM from 7.3 onto a 6.2 system.

Re:Redhat 6.2 updates?

Sigh, Red Hat even removed 6.2 from their errata page at:

http://www.redhat.com/apps/support/errata/

Thanks guys. You're really becoming more like Microsoft et al. Seeing companies screw customers like this is the reason I stopped buying from Sun and SGI. Now, some Linux companies are becoming like the evil they were intended to end. Oh well.

Objoke: I for one welcome our new "force upgrades by not releasing patches" overlords.

PS: I was planning on taking my first vacation in 8.5 years this weekend, but I guess I won't be able to since I have 14 servers to upgrade. Oh well, it was only three nights away. It wasn't like I haven't been out of town for fun for that long since 1995.

Re:Redhat 6.2 updates?

[whoever57]

it's not too difficult to modify the source rpm to apply the patch

What I tried doing, and seemed to work, was re-building and installing the source rpm from RH 7.3 (along with a few other requirements). I had to do a little bit of forcing to get the openssl src rpms to install though.

RedHat RPMS

[pollock]

New RPMs and RedHat's security advisory for for 7.1, 7.2, 7.3 and 8.0 can be found here.

Re:RedHat RPMS

[MasTRE]

Wait, are they saying that RedHat 9 is _not_ affected? Why would OpenSSL.org release new versions of 0.9.7 if only 0.9.6 was affected, as RH would want us to believe? Or are they saying that they fixed these bugs a long time ago themselves (hence the -XX)? Argh, RH is is becoming annoying.

Re:RedHat RPMS

[avida]

RedHat 9 released updated OpenSSL rpms. Argh, you are annoying.

Re:RedHat RPMS

[MasTRE]

What are you talking about? They released their openssl-0.9.7a-20 on the 29th, while OpenSSL released 0.9.7c today, the 30th. Also, they don't mention 9 in the "Errata" referenced above (which should be called "security advisory"). Silly, I tell ya.

Re:RedHat RPMS

Great, so I've got 9.0 and 6.2 systems which Red Hat isn't bothering to update. I guess I'm just screwed by Red Hat, because they don't care enough to release an update. Thanks guys. I see how much you appreciate this customer that spends about $5k per year with you (and more than that if you include CCVS). Next time, why not just send me a letter on your letterhead saying "Go F--- Yourself." I would have appreciated the more direct approach. I guess it's time to waste a weekend upgrading to Debian since it appears Red Hat isn't going to bother releasing a fix.

Re:RedHat RPMS

[MasTRE]

They did release openssl-0.9.7a-20 on the 29th. The problems with this are:

a) it was released 1 day before openssl.org released 0.9.7c
b) there is no official word on what's been fixed in it

That said, it is not farfetched to fathom they are monitoring the openssl dev list and/or bugtraq, etc. or were told of the problems by openssl (after which they fixed them themselves in their 20th patch to 0.9.7a). I would just like an official word so we know wtf the deal is. After all, 9 is their "current" version - it should be a priority!

You should never post when you are angry.

It causes you to make stupid mistakes, like the ones above.

He trolled. You bit. He's laughing at you.

So basically

Microsoft vulnerability: OMFG!!!!! HAHAHAH!!!! LOLOLOLOL!!!!!1!! M$ IS TEH SUX!!!!! U SOUHLD USE LINUX!!! 6,234 DAYZ UPTIME!!!!! LOLOLOLOL!!!!!

Open source vulnerability: This is a minor bug that affects very few people (!)... all software has bugs... etc.

Carry on.

Re:So basically

Microsoft vulnerability: This is a major bug that affects nearly everyone using Windows.

Re:So basically

It is called a "double" standard. To see more examples of the double standard take a quick look here and quickly scan the list for "root compromise". I'm not fingering any particular distro of Linux/*BSD/etc or any particular open source project as much as giving a url for a convenient example that shows that software developed by the open source movement seems to have bugs which can potentially allow a machine to be rooted.

Now go look at Microsoft's security vulnerability list (sorry no URL handy - poke around on technet.microsoft.com) and look for exploits in Microsoft software that can result in gaining local system privileges over the same period of time. You'll see that Microsoft is on pretty even footing although some of its products are more notorious than others for their inherient security flaws.

one of life's little ironies

[Bernie]

If you call your product "open" SSL (or openssh for that matter), and occasionally people will discover it's Exactly What It Says On The Tin.

Well it amused me anyway :)

Blame Microsoft

[QuietYou]

Blame Microsoft... I bet they have "moles" in the open source community intentionally creating these vulnerabilities to deflect some attention away from the problems with their own software.

BTW, I can find a MS conspiracy theory in anything, ex. the moderator that MODs this post down is a MS fanboy.

Re:Blame Microsoft

I think you are an MS employee spouting shit as a slashbotter to make us look bad.

grsec?

[BenjyD]

Another good reason to run a kernel with the grsecurity patches on servers?

Would it be too much to ask...

[ThisIsFred]

...for OpenSSL to include 'make uninstall'?

Re:Would it be too much to ask...

[Skater]

I hate when programs don't include that. They usually spread files across a half-dozen directories, just to make your life more interesting.

--RJ

Re:Would it be too much to ask...

I agree with the sibling poster.

Commit Rights

[codepunk]

Damn did somebody give a MCSD commit priv's to the CVS tree?????

oh please...

[Ender+Ryan]

How many IE and IIS holes went unpatched for months. And how many of the holes found in the past 12 months were found by kids, without even access to the source... *rolls eyes* Windows is absolute garbage when it comes to security. There is no comparison.

The holes in OSS software are usually holes found by code audits done by people who know what they're doing. And said holes are often only theoretical, ie. many of them aren't exploitable.

PRC (People's Republic of California)

Reminds me of an old saying from Chinatown:

Me chinese.
Me play joke.
Me put pee pee in your coke.

Haahaahaa! That a funnee onna!

Obligatory Gentoo Zealotry

[MarcQuadra]

I have cron.daily (the *nix 'task scheduler') do an 'emerge -u world' on one machine, I also have a script in cron.hourly that searches the config directories for changed or new files and reminds me by echoing them from .login file.

Basically every time I log in in the morning I get a message like:

# Current files on iceage.doughtyhouse.net that need a looksie:
#
# /etc/._cfg0000_fstab
# /etc/conf.d/._cfg0000_hdparm

It's not windowsupdate, but it gets the job done even when I'm on vacation, and I've never had trouble with config files that get TOO out-of-date to still work.

Re:Obligatory Gentoo Zealotry

[htmlboy]

i think this is a case where too much automation is a bad thing. updating apache 1.3.x to apache 2.0.x isn't something you want done automatically, but when 2.0.x was stable in portage, that's what would've happened. similarly, with the recent openssh issues, you'd have recompiled the new version, but still had the old version listening for connections/exploits. if nothing else, you should probably email yourself a list of all the packages that were updated so you know services need restarting or you should check on to make sure it didn't break.

Re:Obligatory Gentoo Zealotry

[MarcQuadra]

For a production machine I would output the results from an 'emerge -upv world' to a file and have it mailed to myself. Good thinking.

Every morning I'll have a list of what should be updated waiting in my email box.

OpenSSH not vulnerable

[dmiller]

OpenSSH isn't remotely vulnerable to these attacks. Recent versions don't use the OpenSSL ASN.1 parsing code for signature validation (e.g. signatures coming from the network). The OpenSSL ASN.1 code is only used for parsing private keys.

This was done a little while ago, as Markus (wisely) decided that we didn't need a whole ASN.1 parser just to verify signatures.

Don't let that slow you down patching the issue - Apache and other SSL/TLS apps (OpenLDAP, the various imapd's, etc.) may be vulnerable.

Re:OpenSSH not vulnerable

[RazzleDazzle]

And Markus, author of OpenSSH, just updated the OBSD source twice regarding this openssl issue as well.

Re:OpenSSH not vulnerable

[phch]

What versions of OpenSSH would be vulnerable?

Apple OS X, for instance, still uses OpenSSH 3.4p1 (even after the recently withdrawn 10.2.8 update).

Microsoft?

[TLouden]

Security problems are normal, but one after another like this. Sounds like MS.

Re:Microsoft?

[Ziviyr]

At least they're being shaken out and apparently fixed so they aren't a problem 9 years down the line.

Hopefully the ruckus is putting more eyes to the code.

the ole keep it simple stupid...

[vt0asta]

...troll. Work smarter not harder. Nyuck, nyuck, nyuck. Well, thank god your here to tell everyone how to code secure simple software.

Be advised that complex data dependent protocols are not trivial to code. Not only that, they are even harder to get to interoperate with other implementations of the same protocol. All the nasty little bug-a-boos show up that the protocol designers hadn't thought or even dreamed of.

I count OpenSSL as insecure software - we need a secure replacement.

So what's the plan? Toss out all the OpenSSL/GNUtls code and start over...but this time let's try something new... let's make it simple and secure?

What you don't seem to understand, is that people far smarter than you and I have already had these philosophical debates and do you know what they came up with?

No software is completely secure.

Prompt disclosure is important.

More eyes, code review, what have you is a good thing.

Plan for failure/breaches/etc.

Your measure of secure software is juvenile. It doesn't even provide an interesting definition of software security. Pointing at less than complete implementations of smtp and ftp makes your entire argument suspect. Also the "auditing secure software is easy" comment is another dead give away.

Re:the ole keep it simple stupid...

[Hard_Code]

It doesn't negate the fact that an embarrassing proportian of critical bugs, are due to very common mistakes which are well documented, and for which there are design practices to avoid them, and automated tools to detect them.

OK. I'll bite

The OpenBSD people don't make OpenSSL, just OpenSSH.

Understand the scope of the vulnerability

For a server that is using OpenSSL

Vulnerable to denial of service attack

Potentially vulnerable to remote exploits (unknown currently)

For a client (e.g. mail client) using OpenSSL

• No vulnerability; the problems are on the server side, when processing client certificates

How do you do it?

[pr0ntab]

Timely jokes that are insulting to the editor, homophobic in tone, and on-topic all at once.

This is the type of troll that makes browsing slashdot at -1 fun.

Linux

[Overly+Critical+Guy]

Then why was it reported, even on Slashdot, that Linux is the most-breached server on the net?

Take off your anti-"M$" goggles and breathe the free air.

Re:Linux

[gilgongo]

Is it? I thought that Linux is the most *used* server on the net. So the amount of cracks are higher simply because there are more targets.

Or do you have some evidence to back up your claim?

I'd like to breathe the free air, but I've not got enough money for the per-seat licence...

Re:Linux

[Ender+Ryan]

Oh, yeah. I'm the one who can't see clearly. Ever look at your own sig? You're too stupid to realize that the security site linked to is a perfect example of what I said, 90% of those security updates are probably not even exploitable.

I've been working with Win, Linux, and BSD in a production enviornment for 7 years, and I'm not that stupid. Windows is shit(relatively). Most Linux distros (out of the box anyway) are shit. BSD isn't too bad. However... Windows leaves you at MS's mercy, whereas with Linux I generally build my own solutions for whatever I need, and they are always rock solid.

In the past, my company had security problems. But now that I handle security, we haven't had a single breach. We ran Windows servers in the past, but we switched over 5 years ago because of constant problems with DoS exploits, cracks, crashes and memory leaks.

Grow the hell up and learn about Linux before you mouth off about it.

Really, nothing is secure if you don't know what you're doing. But with Windows, you just never know, and MS has a very poor track record regarding security, and especially disclosure. I refuse to leave security up to a third party, especially when said third party is always playing the blame game instead of fixing their poor products.

Re:Linux

[Overly+Critical+Guy]

No, it was a recent article called "Linux Most Attacked Server?" The study was repeated on OSNews and several other sites. In it, a study showed over 60% of successful breaches are of Linux servers. ~30% was Windows machines.

This directly contradicts the spoon-fed mantra that "UGH UGH LINUX=GOOD MS=BAD." And if you bring into play that Apache is more used than IIS, you directly contradict all those people who say "Windows is more used yet less secure!!!!1"

Or, you could just be rational about it. Take your pick.

Re:Linux

[Overly+Critical+Guy]

You clearly have a chip on your shoulder. Look at the furious anger inherent in your reply.

Ever look at your own sig? You're too stupid to realize that the security site linked to is a perfect example of what I said, 90% of those security updates are probably not even exploitable.

Apparently, 90% is your new made-up stat. Meanwhile, we'll ignore all the buffer overflows (particularly in Gentoo) and remote code exploits.

I've been working with Win, Linux, and BSD in a production enviornment for 7 years, and I'm not that stupid.

I've been working with them for much longer than you. Do I win?

Grow the hell up and learn about Linux before you mouth off about it.

This amazingly defensive attitude is a large problem of this community. Nobody admits faults, and if somebody dares go against the grain, they're flamed to death by Slashbots.

Re:Linux

[LinuxGeek]

In the context of servers, Linux is used as the platform for more internet serving duties ( web, email, ftp) than windows. Thus it is attacked more.

In the desktop arena, yes, windows is used more and many trojans and viri are freely available as unwanted upgrades.

You are mixing two different subjects, not hardly rational. I guess we should expect this type of behaviour from "Overly Critical Guy" though... :)

Re:Linux

[Ender+Ryan]

*snip*

Yeah, right... I'm sure you have more experience with OSS than anyone... If you knew what the fuck you were doing you wouldn't be trying to imply anything by linking to that site.

And who the fuck are you to be telling people they "have a chip on their shoulder". You're the one with the inflamatory .sig.

But you're right, I do have a chip on my shoulder.

Re:Linux

[pizza_milkshake]

This amazingly defensive attitude is a large problem of this community. Nobody admits faults, and if somebody dares go against the grain, they're flamed to death by Slashbots.

so true. while many assert that the best thing about OSS is its open and honest take on the world of software, they never admit when they're wrong (which happens to everyone, regardless). it seems there is an excuse for everything. while i am a fervent suporter of open software and a big fan of linux, this close mindedness that OSS never errs is a huge turnoff.

hell, i dislike Microsoft, but that's because i've found their OSes to be unstable and a much poorer development environment than *nix OSes, not because they're Microsoft and because it's cool to think you're a rebel by bad-mouthing them.

i thought the whole point of OSS was to admit when you're wrong, fix your code and move on. otherwise, the only difference is you give your code away and Microsoft doesn't. while the hardcore OSS folks understand this, most of the less vigilant but more outspoken fans of OSS seem to have forgotten this is what makes "us" better than "them".

Re:Linux

[rifter]

No, it was a recent article called "Linux Most Attacked Server?" The study was repeated on OSNews and several other sites. In it, a study showed over 60% of successful breaches are of Linux servers. ~30% was Windows machines.

The "study" if it could be called that, was also immediately debunked and completely discredited. The same person anipulated results to bash microsoft as well. Basically it was a classic example of the ability to manipulate a study to match any preconceived result, and the press's and the public's gullability.

Any fool can put out a press release saying "a recent study shows that X" regardless of whether X is actually true, whether the report of the study even says X, or whether the study truly proves X, and approximately 3 people in the world will read it. One of the three has a 5% chance of trying at some point in his/her life to actually reproduce the results. The rest will just blindly bleat the press release as you have.

I call bullshit

[wirelessbuzzers]

Here lies the problem:

1) Cheap
2) Fast
3) Secure

Pick 2

This is simply not true. If you add in some other commonly requested attributes, like "full of overly complex GUI iCandy," "every feature under the sun," or the like, then you might have to decide.

The key is simplicity. A simple, well-designed, and carefully coded solution can be cheap, fast, and secure; the simplicity of the design reinforces all three of these.

QMail, for instance, is free, fast, and secure.

Re:I call bullshit

I think you misunderstood "fast". It's not about how fast the program works, it's about how fast the program is ready to ship. When the manager says that you absolutely need to ship friday, so real testing, and the last 25 bug fixes will just have to wait.

Re:I call bullshit

[wirelessbuzzers]

Really? I thought that went with cheap.

But it's easy to do that if you don't mind your app running slow. Just write it in Java, or some other language with no buffer overflows; that's n fewer things to check.

Its good to see....

[222]

that the software we take for granted every day is being given such stiff auditing. I mean, sure it sucks to patch so often, but honestly, wouldnt you rather read this and patch before some jackass releases a public exploit, and every 15 year old that cant find something better to do decides to take down a production box?

Where are the exploits ?

Oooohhhhh, already so many posts quipping "This
shows that open source software is not inherently
more secure than closed source" ...

Then why aren't we seeing any massive exploits
in the wild from all these SSH/SSL holes
uncovered in the last two weeks ?

I'm still swamped with e-mails (and bounces) due
to Swen, so it's not like people don't *want* to
write exploits ....

Earliest infection

[ThaReetLad]

I actually managed to get my windows XP box infected with MSBLAST before I'd finished installing windows.

I had my cable modem plugged in during the install and did the WPA thing at the same time. By the time I got into windows proper the first time, MSBLAST was already running.

Re:Earliest infection

[jonadab]

[smiles smugly]

All my MS systems are tucked away behind an IP-Masquerade gateway, so
they're not addressible from the internet. And I don't allow Outlook
on my network. So that leaves IE vulnerabilities for me to worry
about, and those are only exploitable if the user *goes* to a
malicious or infected website, so they're unlikely to bring down
the whole network at once.

[thinks for a moment]
[drops smile]
Guess I better run along and install the SSL upgrade on the gateway,
before some clown figures out a way to exploit the vulnerability.

Good one

I'm with you 99%.

Re:phew Patch Later

Since your running windows, you get to patch after your infected.

geez....

[nortcele]

Thanks to you, I got coffee all over my keyboard via my nose. Very funny.