Vendors Are Bad For Security
May 13, 2008, 18:00
(Other stories by Ben Laurie)
"I've ranted about this at length before, I'm sure--even in print, in O'Reilly's Open Sources 2. But now Debian have proved me right (again) beyond my wildest expectations. Two years ago, they 'fixed' a 'problem' in OpenSSL reported by valgrind by removing any possibility of adding any entropy to OpenSSL's pool of randomness.

"The result of this is that for the last two years (from Debian's 'Etch' release until now), anyone doing pretty much any crypto on Debian (and hence Ubuntu) has been using easily guessable keys. This includes SSH keys, SSL keys and OpenVPN keys..."
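The failure mode described in the excerpt, as an added illustration that is not code from the post, from Debian or from OpenSSL: a toy entropy pool is modelled as a hash over whatever gets mixed into it. When seeding is disabled, the model assumes the only input that still varies between processes is a small process identifier (the constant PID_RANGE and the pool size are assumptions of this model), so the number of distinct keys any machine can produce collapses to that range. The defender-side check mirrors the blacklist approach used for remediation: enumerate every key the broken pool can emit and test deployed keys against that list.

```python
import hashlib
import os
from typing import List, Set

# Constructed model: a real pool mixes in many sources (timing, hardware,
# kernel randomness). With seeding removed, this model assumes the only
# per-process input left is a process id drawn from a small range.
PID_RANGE = 32768  # assumed size of the process-id space in this model


def key_from_pool(pid: int, seed_bytes: bytes) -> str:
    """Derive a hex 'key' deterministically from the pool's inputs."""
    pool = hashlib.sha256()
    pool.update(pid.to_bytes(4, "big"))
    pool.update(seed_bytes)
    return pool.hexdigest()


def generate_keys(n: int, seeding_enabled: bool) -> List[str]:
    """Generate n keys as if from n separate processes.

    With seeding enabled each process mixes in fresh OS randomness; with it
    disabled every process mixes in nothing, so only the pid varies.
    """
    keys = []
    for i in range(n):
        pid = i % PID_RANGE
        seed = os.urandom(32) if seeding_enabled else b""
        keys.append(key_from_pool(pid, seed))
    return keys


def distinct_keys(keys: List[str]) -> int:
    """How many different keys a population of processes actually produced."""
    return len(set(keys))


def weak_key_blacklist(pid_range: int = PID_RANGE) -> Set[str]:
    """Every key the unseeded pool can ever emit; a defender compares the
    fingerprints of deployed keys against this set to find ones to rotate."""
    return {key_from_pool(pid, b"") for pid in range(pid_range)}


def is_weak(key: str, blacklist: Set[str]) -> bool:
    """True if the key is one the broken pool could have generated."""
    return key in blacklist


if __name__ == "__main__":
    n = 3 * PID_RANGE
    broken = generate_keys(n, seeding_enabled=False)
    healthy = generate_keys(n, seeding_enabled=True)
    print(f"{n} processes, seeding disabled: {distinct_keys(broken)} distinct keys")
    print(f"{n} processes, seeding enabled:  {distinct_keys(healthy)} distinct keys")
    blacklist = weak_key_blacklist()
    print("broken keys flagged:", sum(is_weak(k, blacklist) for k in broken))
    print("healthy keys flagged:", sum(is_weak(k, blacklist) for k in healthy))
```

The point of the two counts is that nothing about the keys themselves looks wrong: each one is a full-length hash output, yet a fleet of three times PID_RANGE processes can only ever produce PID_RANGE values, which is why detection has to be done by comparing fingerprints against the enumerated weak set rather than by inspecting any single key.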