[Klug-general] SSL bug

Karl Lattimer karl at qdh.org.uk
Thu May 22 13:34:02 BST 2008

On Thu, 22 May 2008 13:20:42 +0100, J D Freeman <klug at quixotic.org.uk>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thu, May 22, 2008 at 08:06:23AM -0400, Karl Lattimer wrote:
>> So hold on a second;
>>
>> A security flaw which makes the world's largest repositories of software
>> source code vulnerable to attack, and therefore injection of smaller
>> malicious code, isn't a big issue?
>> A security flaw which puts at risk every single credit card transaction
>> made online, ongoing from servers hosted on Debian, isn't a big issue?
>> A security flaw which has jeopardised the cryptographic security of every
>> service that relies on it, isn't a major issue?
>>
>> Sourceforge, gnome, and every major vendor have had to stop development
>> (and releases) as a result of this problem.
>>
>> This is the biggest flaw in history; it has perpetuated onto millions of
>> systems, and isn't so easy to clean up.
> 
> Can you cite a reliable source on this statement, or is this yet another
> claim from the guy who claimed that Apple invented email?

Never in my life have I claimed Apple invented email... I may have said
something like that sarcastically... But seriously, email has been around a
lot longer than Apple.

I think you can call that libelous. 

> The best I can find is Schneier saying "This is a big deal". He doesn't
> seem to claim it's the biggest flaw in history.

I don't need to quote something online when I'm surrounded by real
professionals all day long. Remember, I do work for one of the world's
biggest companies.

> You are making it out that this is the first, last, and only time a bug
> like this will ever occur. I think we are fair to say this is not the
> case. There are a greater number of, IMHO, more dangerous bugs in
> machines running other distros and OSes than this bug in Debian.

Name one? Other than the one I've named below.

The only comparable flaw I know of is the SSH monkey in the middle attack,
which only affects protocol version 1 and still requires that you have a
way to inject into the route.

>> My point is, people from Fortune 500s will want heads to roll for this.
> 
> Fantastic, they can roll some heads. What good will it get them? You
> can't undo the past simply by having a blamestorming session.
> 
>> The fact of the matter is Debian will never be used by any businesses that
>> depend on security again; it will be removed from all major companies, and
>> as the Dilbert comic says, "Debian, you can never be sure". This is now the
>> strap line people will use to describe it. The brand is damaged beyond
>> repair.
> 
> And? If the stuff said companies is that important they should be doing
> it on a z series. It's horses for courses.
> 

LOL, I stripped the rest of the email because you've lost in even attempting
to continue to defend.

This _IS_ the biggest flaw in history, deal with it.

K,