[Klug-general] SSL bug
Karl Lattimer
karl at qdh.org.uk
Thu May 22 13:06:29 BST 2008
On Thu, 22 May 2008 12:54:51 +0100, J D Freeman <klug at quixotic.org.uk>
wrote:
> On Thu, May 22, 2008 at 07:35:02AM -0400, Karl Lattimer wrote:
>>
>> Lol, firstly, distributions suffer from security bugs. This is currently
>> being described in the security community as "The biggest security flaw in
>> history". This bug is a cryptographic bug, that's major, it's not as simple
>> as a package update, it extends and perpetuates from Debian. This isn't a
>> flaw, this is a MAJOR ISSUE!
>
> I think you are overplaying it. Yes, it's an annoyance, yes, I have had to
> sit down and regen keys on a large number of machines. But it could
> have come from anywhere. How often has this sort of thing affected all
> distros when it's come from, say, openssh introducing the bug? Yes, this
> has happened, yes, it's annoying. Don't think it's the worst bug on the
> planet like you are making it out to be.
So hold on a second;
A security flaw which makes the world's largest repositories of software
source code vulnerable to attack, and therefore to injection of smaller
malicious code, isn't a big issue?
A security flaw which puts at risk every single credit card transaction
made online, ongoing from servers hosted on Debian, isn't a big issue?
A security flaw which has jeopardised the cryptographic security of every
service that relies on it, isn't a major issue?
Sourceforge, GNOME, and every major vendor have had to stop development
(and releases) as a result of this problem.
This is the biggest flaw in history, it has perpetuated onto millions of
systems, and isn't so easy to clean up.
>> I'd like to know exactly how Debian were quick to fix it, the ripples of
>> this issue are still going now, Debian don't have the money to pay for the
>> trouble they've caused! This issue isn't fixed yet, Debian can't fix the
>> trouble they've caused, releasing a patch doesn't fix it, it prevents
>> further problems.
>
> Why do they need to pay for the "trouble"? How much did you pay for your
> Debian software? Have you not read the default MOTD?
My point is, people from Fortune 500s will want heads to roll for this.
The fact of the matter is Debian will never be used by any businesses that
depend on security again, it will be removed from all major companies and,
as the Dilbert comic says, "Debian, you can never be sure"; this is now the
strap line people will use to describe it. The brand is damaged beyond
repair.
>
>> Don't try to downplay it, or try to be the "bigger person" after all of
>> the zealotry over Debian you've extolled to me and others in the past.
>
> Why? I see no need to be pulled into some pointless slagging match. You
> were onto a loser the moment you decided to be rude and offensive. I see
> no need to stoop to that level.
Of course not, now that you're wrong you don't want to argue... Funny, that,
isn't it?
>> It's time to put your tail between your legs, and say... EPIC FAIL.
>
> No, it's now time to rally round behind Debian, to offer them the support
> they need to be able to continue the good work they have done, and put
> in place measures to make sure that this sort of thing doesn't happen
> again.
Sorry, but that's not what I'm hearing, people won't touch it with a barge
pole, "Not getting my hands on that train wreck" has been mentioned a few
times.
> This is one of the reasons I am a sponsor of Debian.
Investment in FAIL.
>> btw, this isn't about winning or losing, my ssh keys were vulnerable
>> because of umbongo, therefore I lost, I just wanted to rub your face in all
>> of your past comments re Debian.
>
> That's fine, you are more than welcome to have your opinion, and for you
> to express it how you wish. I do however repeat my previous point, and
> that made by others, that you should perhaps do so politely and without
> needing to resort to rudeness and offensiveness.
LOL, can't take the heat?
K,