Editing 424: Security Holes
Latest revision | Your text | ||
Line 1: | Line 1: | ||
{{comic | {{comic | ||
| number = 424 | | number = 424 | ||
− | | date = | + | | date = 2008-05-16 |
| title = Security Holes | | title = Security Holes | ||
| image = security_holes.png | | image = security_holes.png | ||
Line 8: | Line 8: | ||
==Explanation== | ==Explanation== | ||
− | The | + | The “Debian-OpenSSL fiasco” was a major security problem discovered in the {{w|Debian}} {{w|Linux distribution}} and its version of the {{w|Cryptography|cryptographic}} library called {{w|OpenSSL}}. With just a tiny change in the software, which was intended to have no effect on security, its {{w|Random number generation|random number generator}} was completely crippled, as was the security of all cryptographic keys generated by the system. The problem was created when a Debian developer removed one line of code which was crucial, even though it could seem like it did nothing useful. (More detail about the fiasco: [http://trailofbits.files.wordpress.com/2008/07/hope-08-openssl.pdf ''Crippling Crypto: The Debian OpenSSL Debacle''], [http://wiki.debian.org/SSLkeys Debian’s information page about the problem]) |
− | The title text refers also to this issue: After the security problem was found, all cryptographic keys generated or used on the broken operating system needed to be replaced. Many systems introduced special checks for such weak keys, adding the keys to {{w|Blacklisting|blacklists}}, thereby preventing their use and forcing users to create new keys. [[Randall]] | + | The title text refers also to this issue: After the security problem was found, all cryptographic keys generated or used on the broken operating system needed to be replaced. Many systems introduced special checks for such weak keys, adding the keys to {{w|Blacklisting|blacklists}}, thereby preventing their use and forcing users to create new keys. [[Randall]] was apparently affected by that when uploading this comic to the server. |
− | The | + | The comics on the left presents Cueball as a programmer who, on a whim, removes pieces of code ({{w|Comment (computer programming)|commenting out}} the code by prepending the line with two slashes), presumably thinking they are not necessary. The first removed line, <code>MD_update(&m, buf, j);</code> is the exact piece of code which [http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c was removed] in the Debian fiasco. The next panels show him commenting out fictitious lines of code apparently preventing bad things from happening. |
− | The other part of the comic lists | + | The other part of the comic lists “security problems” which were allegedly discovered in other Linux variants afterwards: |
− | Cryptographic software in {{w|Fedora Core}} was allegedly not secure against {{w|Secret decoder ring|toy decoder rings}}. | + | Cryptographic software in {{w|Fedora Core}} was allegedly not secure against {{w|Secret decoder ring|toy decoder rings}}. {{w|Xandros}} (used in {{w|Asus Eee PC}} netbooks) gave superuser privileges to anybody “if asked in a stern voice”. {{w|Gentoo}} would succumb to flattery. |
− | {{w| | + | {{w|One Laptop per Child|OLPC}} OS could have been attacked using {{w|Jeff Goldblum}}’s notebook, which refers to a scene in the {{w|Independence Day (film)|''Independence Day'' movie}}, where Jeff Goldblum’s character was able to hack into an alien spaceship using his Apple {{w|PowerBook}} computer (which is a topic of [http://www.cracked.com/article_18720_7-famous-movie-flaws-that-were-explained-in-deleted-scenes.html great contempt] by geeks who point to the absurdity of such a construction). |
− | {{w| | + | {{w|Slackware}} gave superuser privileges to anybody who “says Elvish word for ‘friend’”, which refers to a scene in ''{{w|The Lord of the Rings}}'', where the entrace door to {{w|Moria}} could have been opened using a password ''mellon'', the Elvish word for “friend”, as indicated on the door itself. |
− | + | And {{w|Ubuntu}}, which is another Linux distribution, was allegedly found to be actually {{w|Windows Vista}} ({{w|Microsoft Windows}} being a direct competitor to Linux) with a different graphics. | |
− | |||
− | |||
− | |||
− | And {{w|Ubuntu}}, which is another Linux distribution, was allegedly found to be actually {{w|Windows Vista}} | ||
==Transcript== | ==Transcript== | ||
− | :[ | + | :[Man sitting at computer] I’ll just comment out these lines... |
− | |||
− | :<code>// MD_update(&m, buf, j);</code> | + | :<code>// MD_update(&m, buf, j);</code> |
:<code>// do_not_crash();</code> | :<code>// do_not_crash();</code> | ||
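Review bot: the new Explanation wording has a few grammar and spelling slips that should be fixed before saving: "The comics on the left presents Cueball" should read "The comic on the left presents Cueball", "entrace door" should be "entrance door", and "with a different graphics" should be "with different graphics". The added link to the md_rand.c revision diff is a good addition, since it lets readers verify that <code>MD_update(&m, buf, j);</code> is the line that was removed in the Debian change rather than taking the claim on trust.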
Line 39: | Line 34: | ||
:In the rush to clean up the debian-openssl fiasco, a number of other major security holes have been uncovered: | :In the rush to clean up the debian-openssl fiasco, a number of other major security holes have been uncovered: | ||
− | + | :{|class="wikitable" | |
− | + | !Affected system !! Security problem | |
− | + | |- | |
− | + | |Fedora Core || Vulnerable to certain decoder rings | |
− | + | |- | |
− | + | |Xandros (EEE PC) || Gives root access if asked in a stern voice | |
− | + | |- | |
− | + | |Gentoo || Vulnerable to flattery | |
− | + | |- | |
− | + | |OLPC OS || Vulnerable to Jeff Goldblum’s Powerbook | |
− | + | |- | |
− | + | |Slackware || Gives root access if user says Elvish word for “friend” | |
− | + | |- | |
− | + | |Ubuntu || Turns out distro is actually just Windows Vista with a few custom Themes | |
− | + | |} | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
{{comic discussion}} | {{comic discussion}} | ||
[[Category:Comics featuring Cueball]] | [[Category:Comics featuring Cueball]] | ||
[[Category:Computers]] | [[Category:Computers]] | ||
− | |||
[[Category:Programming]] | [[Category:Programming]] | ||
− | |||
− |
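Review bot: because this section is a transcript, the table cells should reproduce the comic's wording and capitalisation exactly; "Powerbook" in the OLPC row disagrees with "PowerBook" used in the Explanation above, and "custom Themes" has an unexpected capital T, so check both rows against the image and keep whatever the panel actually prints. It is also worth previewing that the <code>{|class="wikitable"</code> table still renders as a table when placed after the ":" indent used for the rest of the transcript.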