The Fedora-Red Hat Crisis
jammag writes "When Linux journalist Bruce Byfield tried to dig for details about the security breach in Fedora's servers, a Red Hat publicist told him the official statement — written in non-informative corporate-speak — was all he would get. In the wake of Red Hat's tight-lipped handling of the breach, even Fedora's board was unhappy, as Byfield details. He concludes: 'If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies — especially publicly-traded ones — will act any better?'"
The problem with a lot of corporate Open Source is that they ignore the ethical foundation of Open Source. And eventually we find out that Open Source isn't quite as good without the ethics.
Bruce
Bruce Perens.
frankly anyone who can't see that has never been in a real business situation before
If you mod me down, I will become more powerful than you can imagine....
A "Linux journalist" talking to a "publicist" was told to read the press release?
I, too, without RTFA, would think most any company would be wary about talking about a recent server breach.
But, it doesn't matter - it's all open source, you can look at the lines of code and verify for yourself that they're safe, right? Not like what you can('t) do with Windows.
DATABASE WOW WOW
Shit! I have stock in RedHat
Table-ized A.I.
They have to buy people's trust again now with their actions, and it's going to take years, if they even do it.
Bruce Perens.
shareholders.
maybe when your [sic] a bare foot [sic] long haired [sic] hippy like stallman... [blah, blah, blah]
So you're saying that RedHat is now the Linux for suits? Quality is not the highest priority? I for one am not quite ready to believe it...
"Not an actor, but he plays one on TV."
What exactly qualifies this as a crisis?
Does this justify the word "crisis?" I doubt it does. In my opinion "conundrum" would be a better word.
At first read, the heading made me think that Red Hat and Fedora communities were bickering big time, threatening timely releases of software we have [all] come to rely on. Of course this is not the case.
So why the sensational heading?
... when a major open source company/advocate isn't open. News at 11.
They knew that not just Debian but all Debian derivatives like Ubuntu would be effected
Affected. The word is affected, not effected. Sorry Bruce, but I can't help it -- I'm an Anonymous Coward.
From: GM'S SATURN PROBLEM
Push comes to shove, Fedora's needs will never come before Red Hat's interests.
It must have been something you assimilated. . . .
'If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient, then what chance do we have that other companies — especially publicly-traded ones — will act any better?'
You can argue that they are ignoring the spirit that many FOSS advocates believe in; but how is not making the details of this intrusion public "ignoring FOSS"? Is there a line somewhere in the GPL that states "If you're running GPL software, and someone hacks your system, you must make all details of the hack known"?
If solving the hack required Red Hat to modify code, they'll have to make the source available - but AFAIK that's all they're required to do.
#DeleteChrome
I used to be 100% redhat and fedora... Now I've moved almost all my systems to ubuntu, but I still run centos on a few servers.
Every reputable tech company I deal with (ISP, Software, Hosting, Colo) has very clear, very open policies about outages, breaches, and security in general. If they don't I don't do business with them.
I know the ins and outs of my ISP, Hosting, and Colo companies processes because I get emailed whenever I have an outage that says "we experienced an outage from x-y on day z, the outage was caused by our dumb admin who tripped on the power cable, we rewired our entire data center to move all of the power cables to the ceiling to prevent a similar outage in the future".
Obviously that is a made up report, but it is extremely standard practice to let all your customers know a) when the problem happened, b) what caused the problem, c) concrete steps taken or procedures implemented to prevent similar problems in the future
That RedHat has fallen so miserably short of this basic tenet of IT procedures is extremely scary.
This seems to be, from reading the Fedora and Red Hat statements, an ongoing investigation. The same way the police don't comment about investigations in progress, Red Hat is keeping mum. Keep in mind, the breach may be very complex and not something that they can confidently say "we understand" without a very detailed analysis.
They announced the issue immediately and took steps. For now, give them the benefit of the doubt that further details will be forthcoming once a proper investigation has been completed.
Learning HOW to think is more important than learning WHAT to think.
Disregard that. OP has it right. I suck cock and need grammar lessons.
I'm not at all surprised that Redhat felt free to do whatever they felt like, fedora be damned, under the circumstances. What I don't understand, though, is why would doing what they did seem like a good idea?
Sure, getting compromised sucks, and having to admit it sucks; but in a world of fast moving internet gossip, paranoid *nixheads, and potential leaks, oozing some smarmy nonsense, losing face, and still having to admit it sucks even more.
I can understand why they would be tempted, if they thought that full concealment was possible; but why would anybody go with half concealment? It seems like you get the worst of both worlds. Everybody finds out anyway, and you look like a slimy suit. Why would you do that?
I stopped using RedHat (deadrat) about the time they went "fedora" - I did not care for some of the changes.
I do know that the govt. likes them a lot, and if you are a govt. contractor, sometimes you can only say certain things...
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
There are a number of possible scenarios that would recommend against being 100% candid on how far you were breached. If I was violated, I think I'd like to take a moment to do a "self-check" on all of my important bits before I started telling everyone all of the nitty-gritty details. As the article pointed out, people were told that there was a breach, and that they should not update for a few days. How is this "anti-FOSS"?
Perhaps they were on the trail of who did this? Perhaps they were comparing notes with the Ubuntu breach cited in the article, with the goal of finding the M.O? Perhaps, like any police detective, they were keeping certain clues to themselves while they investigated further? If the crimes were found to have similar approaches, keeping quiet might improve the odds of capture?
I use Fedora, and had been using Red Hat before Fedora came along. I don't think this kind of hysterical "anti-FOSS" reaction really fits the facts as I just read them. Perhaps they have not handled this in the best possible way, but that's far from "anti-FOSS." Just because you didn't get your precious packages today doesn't mean they've gone all corporate spin-zone on the FOSS community. Again, I'm not saying that they've handled it as well as they could have, I'm just making the point that there might be reasons for not detailing publicly the many many disgusting ways that each and every one of their private bits have been violated and penetrated numerous times, over and over again....
Give 'em a break guys, I'd be more concerned if they didn't tell anyone about the break-in at all. That would really be "corporate" behavior. Simply deny the breach and lawyer-up. As it is, they're trying to fix it, and if you're so antsy to get your packages immediately, the source and diffs are there for you to check yourself. If they start getting in the habit of this, folks will start contributing to, and using, other distros.. isn't that how FOSS is supposed to work?
IT managers now know that RH is going to go unresponsive when there's a problem.
The issue isn't even fully known, so you're jumping to conclusions.
For some reason Fedora has to re-key all their repos and, while I think that's done, it's still being mirrored. One would assume a signing key has been lost.
Redhat isn't doing that. They apparently have a signing server, and a user's credentials were apparently lost, and some packages got signed, but not put in the repos. If you run a RedHat machine and get an unsolicited contact to install some new OpenSSH packages - don't.
I think Fedora has the bigger problem at the moment. Let them work through the problem, they know how to do this. When the users are safe (still an ongoing topic of discussion on how to best ensure this) my guess is they'll be releasing more information. I further suspect we'll learn that prior disclosure would have put users at more risk. We'll see.
How can they trust Red Hat again?
Historically the Fedora guys have been trustworthy to the extreme. That's why not everybody is jumping on them right now, despite the distro-partisans who smell blood in the water. Again, we'll re-evaluate our position on that once the dust settles.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I would have phrased it differently: The issue isn't fully known, thus there's a problem.
There's been quite a lot of time.
Bruce Perens.
OK, some servers got hacked, the attackers didn't inject rogue packages into the repository servers so no customers/users were affected. Red Hat/Fedora responded by auditing everything and releasing a statement, along with tools to detect packages with the attackers' signature. Big deal.
Seriously, what else is there to be known about it?
Yeah, say whatever you want, but it's not as if Debian never had its servers compromised in a similar fashion, and never had to perform some PR damage control.
Unlike Debian, Red Hat is a publicly traded company with a whole bunch of customers with signed SLAs. Handling such matters without press trolls all rolling over it spreading FUD and causing unnecessary panic is _not_ an easy task, as can be beautifully shown by TFA.
I respectfully disagree with Bruce Perens. The Debian OpenSSL fiasco was so much more serious, damaging and dangerous to users all over the world, it's not even fair to compare. We're talking about millions of known networks and sessions compromised in Debian over a year and a half period, versus none in Red Hat over a week.
I appreciate how Debian acted _after_ the fact, but was there any other way to handle such a terrible mishap?
This is not about flawed Open Source policies, this is about seriously flawed journalism, where conspiracy theories are used to make a story where there is none.
- Otaku no naka no otaku, otaking da!!!
Emerson to them all!
Bruce Perens.
TFA says:
However, as of September 8, the crisis continues, with Fedora users still unable to get security updates or bug-fixes.
Not true. Go here: https://fedoraproject.org/wiki/Enabling_new_signing_key, follow the instructions and voila... updates available.
Anybody want a peanut?
"Affect" DOES mean "to have an effect upon". That's not the disputed definition.
Perhaps when you switch them in your defense of your chronic switching of them, that's evidence that you're wronger than the other wrong people. :)
[Meant lightheartedly, I don't honestly care what you type.]
The United States of America: We do what we must because we can.
You can't really say they are keeping things quiet while things are still in progress. This isn't being swept under the rug, this seems to be pursued in all areas currently. If after everything, there is still no more information, then that is a story.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Indeed. Though you have attacked the wrong horn of the problem.
Affect = to have an effect on; to influence [something pre-existing]
Effect = to bring about, to implement [until finalized, hence more than an influence]; to cause to come into being [something not pre-existing]
It can't be easier for a non-native English speaker than for a native one, or can it?
I see very often this quoted without any substantiation.
I thought that the responsibility of a company was to stick to whatever they say they will do in their chapters of incorporation, then shareholders sharing that vision would finance the venture.
If the companies' own rules mandate that openness and accountability are part of how the company functions, and shareholders used their judgement and accepted that, profit may take a second seat in the view that in the long term, the business strategy of transparency is deemed to be necessary in turn to make the enterprise profitable.
The problem with many investors is their short-sighted, quarterly short termism and companies that do not ensure ways to handle that in a way that makes sense in a longer term.
IANAL but write like a drunk one.
But they already know what happened.
You would expect they disclose what went wrong, that would save time and money to everybody.
Now, how can anybody running a Red Hat system know it is safe?
Openness is an advantage over closed systems, and it is why many of us buy from companies that are more open, in all the senses of the world.
Losing sight of what makes them different, and thus desirable, is a recipe for financial trouble (their lawyers will be paid in any way, so they should actually use them to ensure maximum disclosure).
IANAL but write like a drunk one.
At some point, you should have a compiler that is considered clean. You use that to compile, from reviewed source code, the latest and greatest compiler and generate the rest from there.
IANAL but write like a drunk one.
While Bruce and Debian are probably right, I do feel a certain "holier than thou" approach going on here.
If you owned a company and a junior engineer had done something _really_ stupid, you may not want to fully disclose the incompetence of one person as it would make your whole company look that bad.
In that case, a bit of corporate blather may look better than full disclosure...
Bus error in your favour. Collect 200kB
For some reason Fedora has to re-key all their repos and, while I think that's done, it's still being mirrored. One would assume a signing key has been lost.
Have you already read the Fedora report? Fedora did release a report about the incident. Within it they say that while an attacker was able to reach a Fedora signing system they do not believe that the key's passphrase was compromised. However it states that as precaution they have decided to create a new key.
The Red Hat side of things is different and far... trickier. I point you towards this LWN article about the intrusion as I think it's hard to say such simple statements about it.
I think that is sufficiently clear, that there were legal concerns, that Red Hat has certain responsibilities and so it *has* to get Fedora to cooperate, and lawyers are naturally going to ask people to behave responsibly and in harmony with certain known best practices. That's not anti FOSS. It's anti STUPID.
Debian... well, who is tempted to sue them? Red Hat, with deep pockets, is a target. It's apples and oranges. Byfield betrays his bias, which is Novell, good; everyone else, bad. And he shows he missed the actual answer to the why question. Bias works like that. You can't see the forest because you already have mapped out the trees you like to get where you plan to end up. Without the bias, he might have noticed those phrases and if he doesn't understand the law, he could have inquired. When you want to bad mouth someone, it's cheap and easy to do it, but it leaves a bad taste in the mouth of your readers.
Disregard that, OP has it wrong, sucks etc etc
If Red Hat, one of the epitomes of a successful FOSS-based business, can ignore FOSS when to do so is corporately convenient
Sorry, but I must have missed the clause in the GPL that requires full and immediate public disclosure of any security breach on your servers, or a duty to maintain 100% availability.
OTOH I do remember loads of stuff in the GPL about how there was no warranty.
There also seems to be a presumption that this "breach" represents some sort of systemic vulnerability in the Fedora/Red Hat product - TFA and several comments here reference the Debian SSL problem. What about the good old standbys of "inside job", "social engineering", "weak password" or "bugger, I knew I should have password-protected my SSH key"?
What if they're planning to fire someone's ass, or even press criminal charges over the incident? That would place serious restrictions on what they could publicly announce.
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
I've noticed that all updates for Fedora 9 have stopped since this happened. Have they released any information about when they will start again?
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
So this is what it looks like when Ubuntu fanboys start astroturfing....
I initially read the article title as The Fedora Hat Crisis. I was wondering if there was a hat shortage brought about by FOSS people wanting to Cosplay. I now realise my error but have this mental image of people walking into a Linux conference all bedecked in red Fedoras.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
Sure it can. A non-native speaker doesn't have an entire lifetime of bad habit to overcome.
I personally haven't ever had much of a problem sorting affect from effect, but the word significant, for example, has always been an issue for me.
My inclination is always to spell it signifigant, because that's how it's generally pronounced in my accent. I was nearly twenty before I really came to grips with the error, and even though I know quite well how to spell it these days, if I'm typing quickly or thinking more about the content of my writing than its immediate form, signifigant tends to slip out even now.
I hope they continue to ding you, because you still have it wrong. Here's a rule that works 99% of the time:
So if you find yourself writing "effected" again, all you have to do is recognize that you want a verb and then use "affected" instead.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
If a Linux journalist asks fallacious questions, then what hope do we have for the rest of the media?
https://www.redhat.com/archives/fedora-devel-list/2008-September/msg00842.html
In due time you can probably expect a more complete picture of what happened. I think the "Fedora/RedHat keeps us in the dark" view is overly alarmist.
If you look at the track record of most linux 'organizations', the long term solution is clear: FreeBSD.
And no, it's not a troll, just take a look at how most of the companies formed to distribute linux have 'evolved' over the years: From 'we love OSS, love us too', to 'we are now commercial, pay up or be sued' to 'we are folding, help us'. ( Tho I must say that Debian is the lone exception to the rule, they have been consistent with their goals from day one. )
At least in the FreeBSD world it's been consistent and you know what to expect, and can plan ahead accordingly
---- Booth was a patriot ----
Bruce, I'm a Red Hat customer, and they told me what was going on. From what I read here it seems pretty clear most people did not get the information I got (rather early on).
You are right that there are problems for Fedora inherent in the way this incident played out. But there are no issues for (paying) users of Red Hat Network.
Someone got access to a system inside Red Hat's firewalls. That person was able to submit some packages to the signing queue, which is hardware restricted in order to prevent anyone from stealing the private keys. This was detected by Red Hat. The intruder is believed to have gotten away with copies of the signed packages, but those packages were never placed in any distribution channel controlled by Red Hat.
This means that someone, somewhere, has the ability to compromise systems that are being run in violation of Red Hat's customer agreements and US trademark laws. Persons who have entered into contracts with Red Hat have no problems; in fact Red Hat went out of their way to provide their paying customers with extra protection by distributing a detection tool and by publishing a higher version in their distribution channels.
CentOS removes Red Hat's trademarks from the Red Hat packages that CentOS is based on. CentOS is legal as far as Red Hat is concerned. Loading bootleg Red Hat Enterprise Linux packages that have not been sanitized CentOS-fashion is arguably illegal for anyone, and a violation of the Red Hat EULA for Red Hat Enterprise Linux customers. So, in a sense Red Hat could say "serves you right, cheater" if you got bit by this. They have not done so.
There have been other incidents at Red Hat; for example a disgruntled ex-employee sold a list of customer e-mail addresses to spammers. Red Hat does not tell people who are not customers about these incidents, it's restricted to paying customers only. They rather aggressively and quite effectively went after the spammers, BTW, which I'm sure you realize is very difficult.
Fedora needs to shake off all Red Hat controls, yes, OK, you have a good solid point. There is definitely a trust issue for Fedora. But paying Red Hat customers know that Red Hat's activities essentially put Red Hat Network customers first and the Fedora community a distant second, so I don't think your analysis of the impact of Red Hat's decision on IT managers is anywhere near correct.
--Charlie
PS: Is anyone considering that the criminals who stole the signed packages might have access to a botnet sufficiently powerful to derive the super-seekret Red Hat private key? That's what I'd be worrying about if I were a techie at Red Hat, and I'd be putting in a new key tout de suite just in case.
--C
Not sure if it's actually true, but here's what the author is saying.
Say you have GCC5.2 installed, and you're compiling GCC5.3 from source.
It will compile gcc53a from the 5.3 sources with GCC 5.2. It will then use gcc53a to compile gcc53b, and gcc53b to compile a gcc53c. 53b and 53c should be equal (but not 53a with either).
Companies do stuff because it's corporately convenient. It's their job, it's their business, that's what companies do. Collect your toys, grow up, and come back when you have understood the world a little bit.
I usually like Red Hat, but every once in awhile they do a really abusive something. This is another.
I was a Red Hat customer for years. Then they dropped the professional edition without ANY warning. Fedora didn't show up for over a year (or so it seemed). Well, now I use Debian, and occasionally investigate one of the other distributions. (Ubuntu, Mandrake*, one of the small ones...NOT Novell's offering. I don't trust them.)
I still want to trust Red Hat. I feel that their corporate intentions are honorable...most of the time. OTOH, I'm not about to rely on them again. They aren't trustworthy, merely well intentioned. So I want to trust them, but I know it's a bad idea.
OTOH, CentOS *seems* to have come through this without scars. Their comments indicate that they got cooperation from Red Hat in containing the problem. Perhaps companies can trust Red Hat more than individuals can...perhaps. Or maybe they were just lucky this time.
*I know they're officially Mandriva, but that's for garbage legal reasons. To me they're still Mandrake. (This isn't totally good. They've pulled some boners too.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Debian's a non-profit. Comparing the two isn't useful, for a couple of simple reasons. If a Debian build server is owned, what's the financial damage, and to who? How about Redhat?
It's a lot easier for RH to show direct and indirect financial damage due to a breach, which brings in the FBI. Once the FBI is involved, your whole reply is a "No comment." It's an ongoing federal investigation. If somebody found the trojaned openssh on a DoD server, you can bet that the NSA is probably involved as well.
Once the feds are involved, their hands are tied. If I'm right, it took a lot of work and negotiation by the lawyers to release as much info as they did.
-30-
one. It was pretty evident there was something being done because none of the update servers were available. By knowing this it was just a matter of minutes to realize that something fundamental was wrong. My knee-jerk reaction was to conclude that they had been compromised to some extent and that spawned a special hands-on audit on all of my systems running with any derivative of Red Hat. Less than a day after we get a post telling us that they are working on it... meaning it is deep and they haven't found the rabbit in the hole yet. For me this is enough information to go in "extra alert mode" on all my machines that would be in the realm of the same problems.
remote logins log checking being a mere fraction of the full audit.
What is the diff against Microsoft and similar? Big difference... I had the choice to compile my version of sshd (and other remote offerings) and prep it on the servers that I had that could potentially be affected by a bad transient build. I could do the diff between the updated packages, if there was any, on source level. Maybe this is going too far BUT at least it gave me the option to do my stuff pre-emptively while waiting for the final dictum from Red Hat and their investigation. I call this Pro-active guarding.
Most likely... once all major customers had done something similar they were able to disclose a bit more of the problem.
Anyone who mentions Ken Thompson's Reflections on Trusting Trust should also mention David A. Wheeler's "Countering Trusting Trust". Those who don't should be punished by having to argue both sides of the debate.
I occasionally post the counter argument in a reply but no one sees it... Next time you see someone else with this behaviour tr, here's ammo for countering it.
(I believe the gcc rebuilds aren't so much to remove this type of intentional bugging but rather ensure the final binary is free from things like first compilation optimisation issues... Comparing the compiler binaries would probably indicate differences due to things like dates being present BUT hopefully what they would output on a given source would be the same)
Emerson to them all!
Emerson? The poet, Ralph Waldo? What about him?
People have been dinging me on Effect vs. Affect for 3 decades. They are all right and all wrong, because legitimate dictionaries give one of the definitions of "affect" (verb) as "to have (verb) an effect (noun) upon".
Unfortunately, when one attempts to just verb the noun "effect," the different usage also affects its meaning. A verb "effect" does exist, but it means "to cause, or to bring into existence," as in "Bruce Perens was instrumental in effecting the 'Open Source Definition,' and continues to effect changes to it, as well as affecting changes effected by others."
:D
I'm always careful to get these things right, because one never knows when one will meet a stickler who not only knows such trivia, but will point it out when you're wrong. Also, it's a far more stable subject to master than computer security. Less logical, in English, but the stupid rules are the same as they were 10 years ago.
I think of compulsive grammarian disorder like body odor; if nobody in your circle of acquaintances is annoyingly attentive to grammar, it's probably you. And I don't know anybody more careful about grammar than me.
"I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
HiThere: "Then they dropped the professional edition without ANY warning." Yikes, you weren't paying much attention at that time, as I was only using RH at home to tinker with and was WELL AWARE of the warning and timelines when that happened.
...reading for anyone who references Trusting Trust alone! Here are links to Ken Thompson's original "Reflections on Trusting Trust" (HTML/non-PDF version) and David A. Wheeler's "Countering Trusting Trust", which offers potential solutions to the issues raised in the original.
Basically, so long as I have another set of compilers AND at least one is trustworthy, then there is a process I can follow to build a compiler I can trust (but where it would help to have the compiler sources). There are other reasons why such an issue might find it hard to propagate in a changing software stack, but that's a side note.
This seems to be a very popular Slashdot meme - people keep mentioning Trusting Trust without also answering the points offered in more recent literature.
Perhaps so. I knew that they were planning *some* changes, but they were always planning some changes. I didn't find out what the changes were until they had already been implemented.
I think we've pushed this "anyone can grow up to be president" thing too far.
I don't know about Red Hat (which is a different story anyway - aren't those who complain now the same ones who called the Red Hat admins paranoid after they made the exploit public? In this business you can never be paranoid enough, if you ask me...), but pointing fingers at Debian isn't fair. Haven't you ever read that programs are "distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE"? Linux isn't really much safer than anything else. You have to know how to secure it and do it yourself. I use Debian for everything, even for routing and firewalling, and wasn't annoyed when I heard of the SSL thingy (by the way: there are still people using lsh, you know). What shells? Is there any distro out there that is profound and versatile at once? I don't think so. Instead of mocking around, you should all be thankful for how much effort the Debian folks put into making a high quality OS for free and being honest at the same time about its flaws over the years. Money can't buy you 100% security, because there's nothing which could be granted to be sure for "100%". Debian _IS_ useful and I give a damn fuck about warranties anyway...
affect is a verb
effect is a noun
Yea, I know - it's not perfect. But it does help me keep them straight...
I had a hard drive fail so I grabbed Fedora Core 9 and it had me frothing worse than Vista.
I now run Debian, and while it has taken some effort to unravel some of their idiocy concerning media players, orphaned software and other annoyances, it does work.
I despise guhnome.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
Just because something can be done doesn't mean it actually happens. If I go on holiday and leave the door of my house open, it does not mean that something actually happens.
What's your address, and when are you going on holiday next? I lock my door so any thief who decides my house is the one he wants to rob, at least has some obstacle. If I forgot to lock my door on my last holiday and nothing was stolen, it doesn't mean I would assume I would be so lucky every time, and intentionally leave the door open thereafter.
There is no indication here at all that anyone externally found out about the problem before. It is basically that you found out that what you did over the last two years was vulnerable to potential attacks. How will it affect the future? Not at all, as the issue gets fixed.
So, fixing the vulnerability is the right thing to do, as soon as you know it's vulnerable. Why wait until after it's been exploited, once you know you have a vulnerability that is greater than it could be? Minimize every identifiable risk, up to but not past the point that the cost equals the benefit. What's so difficult, or costly, about ditching a few keys and replacing with better ones?
Ah, and right now no one unauthorised actually has the key yet. It is only technically possible to crack it much easier...
To assume that a bad thing that has not happened yet therefore cannot happen in the future is very, very stupid -- whenever anything of value is involved. And of course we are discussing something of value, or else I wouldn't be bothering to argue about it. Would you?
Nice try. The problem with Techies is that they don't get the larger picture. They focus on the blinking red herrings they are so used to and that they believe in.
...
The whole signing shit is a troll for the privacy church. What they forget are the proportions and what is really important.
I agree with some of what you've said above. For example your statement to the effect that RedHat generally is a positive contributor to the Open Source community is agreeable.
RedHat as a company applies the usual tactics but as a community member gives a lot. Sure corporations are vulnerable to money. Novell is a good example...
But I don't see good reasons for your other, general statements about signing, privacy, proportions, what is important, and whether patching known vulnerabilities before a known exploit occurs is a good idea. That seems to be what you're calling a "red herring" and that to me is absurd. Patching known vulnerabilities is clever like a fox.
"I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
...to pay your $699 licensing fee you cock smoking teabaggers!
When can you consider a compiler "clean"?
Countering "Trusting Trust"
If you have any concerns with that, they should be answered in: David A. Wheeler's Page on Countering Trusting Trust through Diverse Double-Compiling (Trojan Horse attacks on Compilers)
If you find any holes in the theory that were not discussed, then consider writing up your findings for publication.
Happy moony
Why does everything in this story have to be 'informative' or 'interesting'?!
I come here for my humor, you insensitive clods.
As mentioned in the counter argument article I'm not sure why double diverse could not be applied (using a range of "hardware") to help you ferret out the problem (assuming portable code). What you are saying is that every piece of hardware (old/new coupled with different architectures and VMs) I could choose to do testing with has been trojaned. It's not impossible but...
I'm not saying it would be easy to find, I'm not even saying you wouldn't have to build/verify hardware yourself but I believe it could be made to exist if you had the resources and it didn't exist already.
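An added illustration, not from the thread and not GCC's build system or Wheeler's code, modelling the three-stage bootstrap described earlier (gcc53a/b/c) and the Diverse Double-Compiling check debated in the replies above; compiler names and the "login" target are constructed, and a binary is reduced to (behaviour, layout, trojaned) so that tuple equality stands in for a bit-for-bit compare:

```python
"""Constructed model of Thompson's self-propagating compiler trojan, the
GCC-style three-stage bootstrap, and Wheeler's Diverse Double-Compiling
(DDC) check. Written for this thread as an illustration; it is not GCC's
build system or Wheeler's code. A 'binary' is modelled as a tuple:
  behaviour - name of the source the binary implements,
  layout    - the compiler whose code generator produced the bytes,
  trojaned  - whether it carries a backdoor that is in no source file.
Two binaries are bit-identical in this model exactly when the tuples are
equal, which is the comparison both techniques rely on."""
from typing import NamedTuple, Tuple


class Binary(NamedTuple):
    behaviour: str
    layout: str
    trojaned: bool


# Constructed source names; any compiler source is a propagation target.
COMPILER_SOURCES = frozenset({"gcc-5.2", "gcc-5.3", "trusted-cc"})


def compile_with(compiler: Binary, source: str) -> Binary:
    """Compile `source` with `compiler`.

    Behaviour comes from the source; layout comes from the compiler doing
    the compiling (two different compilers emit different bytes for the
    same source). A trojaned compiler re-inserts its trojan whenever it
    recognises compiler source, and backdoors 'login' (Thompson's example);
    the trojan is never present in any source file."""
    if compiler.behaviour not in COMPILER_SOURCES:
        raise ValueError(f"{compiler.behaviour!r} is not a compiler binary")
    propagate = compiler.trojaned and (source in COMPILER_SOURCES or source == "login")
    return Binary(behaviour=source, layout=compiler.behaviour, trojaned=propagate)


def three_stage_bootstrap(old: Binary, new_source: str) -> Tuple[Binary, Binary, Binary, bool]:
    """Build new_source with `old` (stage1), rebuild with stage1 (stage2)
    and with stage2 (stage3); the bootstrap passes when stage2 == stage3.
    stage1 differs from both because it was laid out by the old compiler.
    Note that a trojan in `old` rides through every stage unnoticed."""
    stage1 = compile_with(old, new_source)
    stage2 = compile_with(stage1, new_source)
    stage3 = compile_with(stage2, new_source)
    return stage1, stage2, stage3, stage2 == stage3


def ddc_check(suspect: Binary, suspect_source: str, trusted: Binary) -> bool:
    """Wheeler's DDC: compile the suspect's own source with an independent
    trusted compiler, then once more with that result so the layout matches;
    a clean suspect must produce the identical binary from the same source.
    Returns True when no hidden self-propagating code is present."""
    stage1 = compile_with(trusted, suspect_source)
    stage2 = compile_with(stage1, suspect_source)
    self_built = compile_with(suspect, suspect_source)
    return stage2 == self_built


if __name__ == "__main__":
    clean_old = Binary("gcc-5.2", "gcc-5.1", False)
    evil_old = Binary("gcc-5.2", "gcc-5.1", True)   # Thompson-style trojan
    trusted = Binary("trusted-cc", "trusted-cc", False)

    a, b, c, ok = three_stage_bootstrap(clean_old, "gcc-5.3")
    print("clean bootstrap: stage2==stage3", ok, "| stage1==stage2", a == b)

    a, b, c, ok = three_stage_bootstrap(evil_old, "gcc-5.3")
    print("trojaned bootstrap still passes:", ok, "| stage3 trojaned:", c.trojaned)
    print("login built by stage3 is backdoored:", compile_with(c, "login").trojaned)

    print("DDC on trojaned gcc-5.3:", ddc_check(c, "gcc-5.3", trusted))
    clean_c = three_stage_bootstrap(clean_old, "gcc-5.3")[2]
    print("DDC on clean gcc-5.3:", ddc_check(clean_c, "gcc-5.3", trusted))
```

The bootstrap compare passes in both runs, which is the point made above: it catches codegen inconsistencies, not a self-reproducing trojan; only the DDC run with a diverse trusted compiler distinguishes the two.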
No, Mr. Byfield is known for bitch-slapping Slashdot trolls who try to take their "Look At Me, Everybody! I Hate Microsoft! LOOK AT ME!!!" act on the road.