---

Vendors Are Bad For Security

“I’ve ranted about this at length before, I’m sure–even in
print, in O’Reilly’s Open Sources 2. But now Debian have proved me
right (again) beyond my wildest expectations. Two years ago, they
‘fixed’ a ‘problem’ in OpenSSL reported by valgrind by removing any
possibility of adding any entropy to OpenSSL’s pool of
randomness.

“The result of this is that for the last two years (from
Debian’s ‘Etch’ release until now), anyone doing pretty much any
crypto on Debian (and hence Ubuntu) has been using easily guessable
keys. This includes SSH keys, SSL keys and OpenVPN keys…”

Complete Story

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis