Proud as a father would be

Submitted by gwolf on Mon, 05/19/2008 - 20:54

The recent OpenSSL incident can not be hidden. It was a very important blow to the Debian project's public face and reputation. A major hole slipped under the door in the form of a bugfix - and with all the good intention. This was not a deliberate attack, nor was it the result of a bad or sloppy maintainer - It was a honest, although painful, human mistake.
Several people started laughing at our processes and supposed strengths right away. I do, however, feel this shows how Debian is stronger security-wise than any other system. And it also shows how this saying, with enough eyeballs, all bugs are shallow, not only didn't lose validity, but was reaffirmed. Free Software development was also proved to be better than security through obscurity again.
Why?
Because were it not because of OpenSSL (and in this case in particular, Debian's packaging) being Free and subject to a code audit, this problem would have never been found. I have been asking to some friends who are part of different black-hat groups, and looking for this kind of information on the Web, it seems that -were it not for Luciano's work, we would still be running cryptographically weakened versions of OpenSSL for a long time. After all, 32768 possible keys is still quite a lot for a black-hat group to find as uneven noise, as a lead to showing the undeniable weakness.
It took two years to find the bug, yes. But it was found doing quality assurance work on publicly available source code. It was promptly fixed, mitigating (as far as possible) as much damage as could be caused. Tools for finding and fixing the defective keys were crafted and freed together with the announcement. Yes, there will be some compromises due to this, I'm sure, but an embarassing hole has been dealt with in the best way possible.
Anyway... I am very happy - I was going over Luciano's NM report, and found something I only suspected but was not sure about. I can now state clearly: I have never been so happy to advocate somebody to become a DD.
Luciano wrote a very good blog post (in Spanish) with his viewpoints on the Debian OpenSSL incident. If you happen to understand Spanish and are reading this blog, please drop over Luciano's.
Luciano: Once again, my hat goes off for you :-)

( categories: )
Tom's picture

Debian more secure then any other system?!

"... feel this shows how Debian is stronger security-wise than any other system."

So, by introducing a very serious and dangerous bug into the system, then letting it sit around for TWO YEARS before it is finally uncovered in what seems like a random audit by one guy -- this somehow proves, in your opinion, that Debian is more secure then any other system?

What about those systems that didn't feel the need to break their openssl packages (or any other software for that sake)? If I get this right, you feel that Debian is more secure, because the problem was fixed two years later?

You, my friend, must be the biggest debian fanboi ever. Shame on you.

gwolf's picture

Yes, I stick to what I said

More secure than any system? Well, any system can have a human making a mistake - They all do, FWIW. This one human mistake was, yes, very grave, and thus very much publicized. But don't you think that every other program is loaded with all kinds of bugs? And that many bugs are just security issues waiting to be exploited?
What makes Debian stand out so well in my eyes then? The way it reacted to this problem. By fixing it instead of finding a way around it PR-wise. By fixing it and explaining its impact as soon as possible, even risking its reputation. By not silently patching and hoping nobody ever finds out - By being honest and straightforward on it. It needs a lot of courage to do it.
And yes, this makes me very happy. It makes me rest assured. It makes me proud to be part of such a team.

Anonymous's picture

I'm not going to bash Debian

I'm not going to bash Debian for this error; I'm afraid that the structure of the openssl code made it likely that someone would make this mistake as soon as they tried a valgrind audit.

But I think that, while it isn't a reason to condemn Debian, it isn't a reason to praise the project either. This could have been much worse. Debian-generated keys are all over development machines that form the upstream of all Linux distributions, BSD as well. We had tons of them at sourceware.org aka gcc.gnu.org. There are still tons of them at sourceforge.net. It appears that we got very lucky, because so far there's no evidence that a black hat found out about this years ago and has injected malware deep into the free software ecosystem.

There were many eyes, but no one saw. That's discouraging.

Anonymous's picture

This bug was actually

This bug was actually noticed by at least some people who observed duplicate keys. 32768(I think it is really 32767) is not a very large number in some contexts.

http://github.com/blog/63-ssh-keys-generated-on-debian-ubuntu-compromised

I am not taking anything away from the importance of Luciano's work, but this bug should have been fixed after it was observed in the wild.

Jeremiah Foster's picture

I strongly agree

I think your perspective is the correct one to come away from all this with, that and the fact that we, as contributors and developers of debian, need to expand and maintain excellent communication with upstream.