Open Source Software – a Chink in the Armour

The collective wisdom of the Internet states pretty categorically that Microsoft is evil, Google is never evil, Macs are cool and Linux is best of all.

Of course not all of that is true, and you can’t always believe what you read on the Internet. Google isn’t evil but colludes with dictatorships to suppress the freedom of their citizens, Macs look cool but have an increasing tendency to break, and Linux has a few small issues.

We’ll get over the fact that I couldn’t install it on my new PC, and the fact that for non-technical users it’s a bit of a nightmare to use and configure.

A couple of days ago I was amused to receive an email from one of the hosting companies I use along the following lines (paraphrased):

Big exploit in Debian!

Bad!

Change all your passwords and run for your lives.

Linux distributions all exist in a sort of family tree. One of the big strengths of open source software (OSS) is that you can edit the source and create your own version of it to suit your needs. This becomes a problem. Looking at this chart we can see that this problem probably affects:

  • Debian
  • Ubuntu
  • KNOPPIX
  • About 20 other derived distributions

And the problem itself?

The problem is with Debian’s version of OpenSSL, a widely used piece of security software. The Debian package editors commented out a line which turned out to be quite important, dramatically reducing the security offered. There are some good links available from Schneier on Security.
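To see why one missing line matters so much, here is an added example (not code from OpenSSL, Debian or this post) that models a key generator whose only varying seed input is the process ID, then audits a key inventory against the full set of keys it can produce. That the PID was the only input left is a detail of the bug the post does not spell out; `toy_keygen`, the seed functions and the inventory are hypothetical stand-ins.

```python
import hashlib
import os

PID_MAX = 32768  # default Linux pid_max; valid PIDs are 1..32767


def toy_keygen(seed: bytes, nbytes: int = 16) -> bytes:
    """Hypothetical stand-in for key generation: fully determined by the seed."""
    return hashlib.sha256(b"toy-keygen" + seed).digest()[:nbytes]


def broken_seed(pid: int) -> bytes:
    # Models the patched pool: caller-supplied entropy is never mixed in,
    # so the PID is the only thing that differs between runs.
    return pid.to_bytes(4, "little")


def healthy_seed(pid: int) -> bytes:
    # Models the unpatched pool: OS entropy is mixed in alongside the PID.
    return pid.to_bytes(4, "little") + os.urandom(32)


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as an inventory or blacklist would store it."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_weak_fingerprints() -> set:
    """Every key the broken generator can ever emit: one per possible PID."""
    return {fingerprint(toy_keygen(broken_seed(pid))) for pid in range(1, PID_MAX)}


def audit(keys: dict, weak: set) -> list:
    """Return the names of keys that fall in the weak set and must be regenerated."""
    return sorted(name for name, key in keys.items() if fingerprint(key) in weak)


if __name__ == "__main__":
    weak = build_weak_fingerprints()
    inventory = {  # constructed sample inventory
        "web01": toy_keygen(broken_seed(4242)),   # made on an affected system
        "web02": toy_keygen(healthy_seed(4242)),  # made with real entropy
    }
    print(len(weak), "possible keys from the broken generator")
    print("regenerate:", audit(inventory, weak))
```

The whole weak keyspace fits in memory and is built in well under a second, which is why affected keys have to be replaced rather than merely protected.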

Ben Laurie explains more about the problems:

I’ve ranted about this at length before, I’m sure. But now Debian have proved me right (again) beyond my wildest expectations. Two years ago, they “fixed” a “problem” in OpenSSL. The result of this is that for the last two years anyone doing pretty much any crypto on Debian (and hence Ubuntu) has been using easily guessable keys. This includes SSH keys, SSL keys and OpenVPN keys.

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally – they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to “add value” by getting in between the user of the software and its author.

This is a problem with all code in general, but is a real problem with OSS. Someone writes code one way for a reason, but that reason isn’t always obvious to those maintaining the software. All it takes is someone to do something daft and break it.


One Comment

  1. Richard Smith
    Posted May 20, 2008 at 10:56 am

    “Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally – they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was.”

    Well, the error was introduced into Debian on 2nd May 2006 by Kurt Roeckx in this commit:

    http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&r1=140&r2=141

    The previous day, he posted an email to the openssl-dev list asking whether this patch would be sensible:

    http://marc.info/?l=openssl-dev&m=114651085826293&w=2

    A few hours later, Ulf Möller responded that he was in favour of the patch.

    http://marc.info/?l=openssl-dev&m=114652287210110&w=2

    According to the OpenSSL webpage, Ulf Möller is a member of the OpenSSL development team:

    http://openssl.org/about/

    … and has been for quite some time

    http://web.archive.org/web/20000815074639/www.openssl.org/about/

    I wonder whether the OpenSSL team are still “falling around laughing”.
