So that I’m not accused of being unfairly biased against Microsoft (I am biased against Microsoft, but I don’t believe I’m being unfair about it. ) I have to comment on the latest fiasco from the Debian Linux team.

This one hit me head on and caused me a few hours of unwanted work, as well as a general feeling of unease, as the two workstations and three servers I own personally are using Ubuntu’s OpenSSL and OpenSSH packages (Ubuntu is a derivative of Debian.)

The problem is a simple one.  The package maintainer of OpenSSL of the Debian project decided that because Valgrind and IBM’s Rational Purify were having issues with error messages when linked against OpenSSL, that he’d ‘fix’ OpenSSL and OpenSSH (and everything else using libssl) by removing the code needed to generate truly random numbers for key generation.  This limited keys to being seeded by a short INT: 1 to 32,768.  Well, you don’t have to be a security expert to know that if you are limited to 32,768 “random” numbers, it won’t take long to brute force attack such keys.

Hence, the problem.  All versions of OpenSSL and OpenSSH used by Debian since Sept. 17th, 2006 up to the recent Debian updates, use this retarded random number scheme and generated easily broken security keys, for otherwise secure standards.

What this meant for me was a general feeling of insecurity and now a distrust of the Debian distribution, not to mention a few of hours of my life I would have rather spent doing anything but replacing keys.  This isn’t just an innocent mistake, this is moronic maneuver beyond belief.  Gergely Risko, sums it up nicely.

The whole mess was caused by one person, Kurt Roeckx.  He took a shortcut rather than a valid fix for a simple problem. To make it worse, he somewhat tried to cover up his mistake by releasing the real fix (putting the code back in) in the “unstable” release code, and not saying a word about it for a full week.

I’d almost be willing to forgive him for the initial mistake, if it weren’t for the fact that even a non-expert in security code (aka, me) could tell at a glance that this was a very bad thing to do.  That he tried to silently re-introduce the code back in without letting people know of the dangers, is even less forgivable.

If the Debian team has any integrity, they’ll move Kurt over to something that he can better handle, something which is not essential to security.  No sense in throwing out the maintainer with the bath water, as it were.

In the meantime, I don’t think I’m going to have a lot of trust in ‘fakechroot’ doing the right thing, either.  (Kurt maintains that package as well.)