0424: "Security Holes"

aerojad
Wall O' AWESOME
Posts: 200
Joined: Wed Sep 26, 2007 8:54 am UTC
Location: Detroit, MI
Contact:

0424: "Security Holes"

Postby aerojad » Fri May 16, 2008 4:07 am UTC

http://xkcd.com/424/

Alt:
True story: I had to try several times to upload this comic because my ssh key was blacklisted.




As an Ubuntu user I have to tip my cap and say damn. But I loves my distro, I loves it :(





edit:
Holy hell, did I just win the game?

edit2:
*looks at forum listing* I did! I did! I feel validated now.

GodShapedBullet
Posts: 686
Joined: Mon Nov 26, 2007 7:59 pm UTC
Location: Delaware
Contact:

Re: Security Holes

Postby GodShapedBullet » Fri May 16, 2008 4:09 am UTC

What's the debian-openssl fiasco, exactly? I got the LOTR reference, but the overall point of the comic was kind of lost on me.

aerojad
Wall O' AWESOME
Posts: 200
Joined: Wed Sep 26, 2007 8:54 am UTC
Location: Detroit, MI
Contact:

Re: "Security Holes" discussion

Postby aerojad » Fri May 16, 2008 4:10 am UTC


masher
Posts: 821
Joined: Tue Oct 23, 2007 11:07 pm UTC
Location: Melbourne, Australia

Re: Security Holes

Postby masher » Fri May 16, 2008 4:11 am UTC

GodShapedBullet wrote:What's the debian-openssl fiasco, exactly?


That's what I thought.

Some explanation...
http://www.google.com.au/search?q=debia ... AU176AU231

atrain
Posts: 37
Joined: Mon Oct 22, 2007 4:05 pm UTC
Location: Canada
Contact:

Re: Security Holes

Postby atrain » Fri May 16, 2008 4:11 am UTC

I can't believe that change went through unnoticed for so long.

I use Gentoo and I've noticed a few packages that are changed slightly. Sure, you want it to play nice, but if the people who made the OS would just work on making their own code more compatible, rather than screwing with other people's unfamiliar code, this wouldn't have happened.

GodShapedBullet
Posts: 686
Joined: Mon Nov 26, 2007 7:59 pm UTC
Location: Delaware
Contact:

Re: "Security Holes" discussion

Postby GodShapedBullet » Fri May 16, 2008 4:13 am UTC

Thanks for the answers, dudes.

I tried a Google search but the first few links didn't help so I just kind of gave up and figured I'd ask.

P.S. I used "dudes" gender neutrally just now, in case that's an issue for you.

'; DROP DATABASE;--
Posts: 3284
Joined: Thu Nov 22, 2007 9:38 am UTC
Location: Midwest Alberta, where it's STILL snowy
Contact:

Re: "Security Holes" discussion

Postby '; DROP DATABASE;-- » Fri May 16, 2008 4:18 am UTC

I was wondering about that critical SSL update the other day. Thinking about how neat it is that they can push an update out to every machine so reliably.

(Also, blame Compiz for making everything look like Vista. I don't know why people are so obsessed with having ugly windows. :?)
poxic wrote:You suck. And simultaneously rock. I think you've invented a new state of being.

Hopper
Posts: 8
Joined: Thu Nov 01, 2007 1:13 am UTC

Re: "Security Holes" discussion

Postby Hopper » Fri May 16, 2008 4:18 am UTC

My question is: who's the guy on the computer? And what kind of computer is that?

Is he God and is he using God's computer? That's pretty chill.

DaMullet
Posts: 470
Joined: Wed Aug 22, 2007 9:21 pm UTC
Location: Coming soon to a theatre near YOU!
Contact:

Re: "Security Holes" discussion

Postby DaMullet » Fri May 16, 2008 4:23 am UTC

I liked the ID4 reference. That was a great movie.
Will wrote:Andrew Jackson was all kinds of badass.

SecondTalon wrote:Out in the wasteland
Driving cars of rusted steel
oh, look. Burma Shave.

The Mighty Thesaurus wrote:HACKS ARE STING OUR SYLLES AND SING THEM TO TERRISTS!

Linux0s
Posts: 247
Joined: Sat Dec 29, 2007 7:34 pm UTC

Re: "Security Holes" discussion

Postby Linux0s » Fri May 16, 2008 4:27 am UTC

But they all still configure a wifi network connection like a mofo: http://xkcd.com/416/
If the male mind truly were a machine it would consist of a shaft and a bushing.

benjhuey
Posts: 3328
Joined: Sat Sep 08, 2007 2:35 am UTC
Location: A collection of rocks

Re: "Security Holes" discussion

Postby benjhuey » Fri May 16, 2008 4:28 am UTC

Gah, one of the few comics I don't fully understand.

maybe someday...
How now brown cow?

Sgeo
Posts: 14
Joined: Thu May 10, 2007 12:00 am UTC

Re: "Security Holes" discussion

Postby Sgeo » Fri May 16, 2008 4:30 am UTC

I asked in a chatroom about this:
<[anonymous]> Sgeo: put simply, there were two very similar lines of code
<[anonymous]> one made valgrind mad, and was more or less useless anyway
<[anonymous]> the other was absolutely vital
<[anonymous]> both were commented out at the same time \o/
<[anonymous]> and so the crypto keys were generated based solely on the PID
<[anonymous]> anyway here's what's affected:
<[anonymous]> Any DSA key (openssl, openvpn, ssh) used on a debian or ubuntu machine since september 2006
<[anonymous]> Any RSA key generated on the same
<[anonymous]> if you're paranoid, passwords sent on a connection where either machine was affected
<[anonymous]> All those keys/passwords should be regenerated/changed

aerojad
Wall O' AWESOME
Posts: 200
Joined: Wed Sep 26, 2007 8:54 am UTC
Location: Detroit, MI
Contact:

Re: "Security Holes" discussion

Postby aerojad » Fri May 16, 2008 4:31 am UTC

Sgeo wrote:I asked in a chatroom about this:
<[anonymous]> Sgeo: put simply, there were two very similar lines of code
<[anonymous]> one made valgrind mad, and was more or less useless anyway
<[anonymous]> the other was absolutely vital
<[anonymous]> both were commented out at the same time \o/
<[anonymous]> and so the crypto keys were generated based solely on the PID
<[anonymous]> anyway here's what's affected:
<[anonymous]> Any DSA key (openssl, openvpn, ssh) used on a debian or ubuntu machine since september 2006
<[anonymous]> Any RSA key generated on the same
<[anonymous]> if you're paranoid, passwords sent on a connection where either machine was affected
<[anonymous]> All those keys/passwords should be regenerated/changed

...wow

rwald
Posts: 153
Joined: Mon Jan 29, 2007 7:14 am UTC
Contact:

Re: "Security Holes" discussion

Postby rwald » Fri May 16, 2008 4:32 am UTC

Wouldn't a more appropriate Gentoo exploit be "Will exchange root access for Type R sticker"?

(I run Gentoo, so I'm allowed to say that.)

quintopia
Posts: 2906
Joined: Fri Nov 17, 2006 2:53 am UTC
Location: atlanta, ga

Re: "Security Holes" discussion

Postby quintopia » Fri May 16, 2008 4:39 am UTC

"OLPC OS" = Fedora + Sugar (and soon enough, Windows). Was it fedora or sugar that had the jeff goldblum bug?

blackrose
Posts: 172
Joined: Thu Jan 24, 2008 9:42 pm UTC
Location: Emorium et Henricense Collegium

Re: "Security Holes" discussion

Postby blackrose » Fri May 16, 2008 4:45 am UTC

One of the funniest in a while.
I don't watch 24 hour news channels because they are retarded.

aleflamedyud
wants your cookies
Posts: 3307
Joined: Tue Oct 09, 2007 7:50 pm UTC
Location: The Central Bureaucracy

Re: "Security Holes" discussion

Postby aleflamedyud » Fri May 16, 2008 4:46 am UTC

My Ubi doesn't look like Vista! It looks like Mac OS X! I installed AWN.
"With kindness comes naïveté. Courage becomes foolhardiness. And dedication has no reward. If you can't accept any of that, you are not fit to be a graduate student."

phlip
Restorer of Worlds
Posts: 7556
Joined: Sat Sep 23, 2006 3:56 am UTC
Location: Australia
Contact:

Re: "Security Holes" discussion

Postby phlip » Fri May 16, 2008 5:02 am UTC

quintopia wrote:"OLPC OS" = Fedora + Sugar (and soon enough, Windows). Was it fedora or sugar that had the jeff goldblum bug?

Given what I've seen of attempts to integrate anything with anything else (and noting that I know absolutely nothing about this case), I'd say probably the "+".

enum ಠ_ಠ {°□°╰=1, °Д°╰, ಠ益ಠ╰};
void ┻━┻︵​╰(ಠ_ಠ ⚠) {exit((int)⚠);}
[he/him/his]

Shakleton
Posts: 495
Joined: Mon Mar 03, 2008 2:31 pm UTC
Location: Bielefeld, Germany
Contact:

Re: "Security Holes" discussion

Postby Shakleton » Fri May 16, 2008 5:04 am UTC

aerojad wrote:Alt: True story: I had to try several times to upload this comic because my ssh key was blacklisted.


If this is really a true story, I wonder what the original alt-text would have been.
mikekearn wrote:You even have an appropriate shirt. Excellent.

TheHand
Posts: 178
Joined: Mon May 05, 2008 8:03 am UTC

Re: "Security Holes" discussion

Postby TheHand » Fri May 16, 2008 5:21 am UTC

<!-- Remember to leave a comment -->

/* Oh wait... actually don't. */

Sgeo
Posts: 14
Joined: Thu May 10, 2007 12:00 am UTC

Re: "Security Holes" discussion

Postby Sgeo » Fri May 16, 2008 5:36 am UTC


superglucose
hermaj's new favourite
Posts: 2353
Joined: Wed Sep 12, 2007 1:59 am UTC
Location: Domain of Azura
Contact:

Re: "Security Holes" discussion

Postby superglucose » Fri May 16, 2008 6:12 am UTC

aleflamedyud wrote:My Ubi doesn't look like Vista! It looks like Mac OS X! I installed AWN.


What's funny about that is that Ubuntu is about the only way I've found to get RID of Mac OS X.

dai_vernon
Posts: 2
Joined: Fri May 16, 2008 6:28 am UTC

Re: "Security Holes" discussion

Postby dai_vernon » Fri May 16, 2008 6:32 am UTC

My ubuntu just looks like straight ubuntu, but only because I have it on a dual boot with OS X on an iMac ppc and I can't get a driver for my card that supports the shiny bits.

http://img.photobucket.com/albums/h235/dai_vernon/?action=view&current=Screenshot-1.png

bcoblentz
Posts: 59
Joined: Mon Jun 18, 2007 6:28 am UTC
Location: Davis, CA

Re: "Security Holes" discussion

Postby bcoblentz » Fri May 16, 2008 7:18 am UTC

Mellon.

Crane
Posts: 74
Joined: Thu Mar 22, 2007 1:03 pm UTC

Re: "Security Holes" discussion

Postby Crane » Fri May 16, 2008 8:07 am UTC

Bah. Some of those are even worse than "HollyWoodOS".
That had a critical flaw that gave anyone administrator access just by typing "override" at any password screen.
And it would destroy the computer if you typed "download virus".
:roll:

thesuker
Posts: 2
Joined: Wed May 07, 2008 4:22 pm UTC

Re: "Security Holes" discussion

Postby thesuker » Fri May 16, 2008 8:09 am UTC

I noticed when my Ubuntu downloaded 6 or 7 updates starting with ssl XD It's quite a bit of a security hole, but it doesn't seem it has affected us Linux users in any apocalyptic way. About Ubuntu being a Windows theme, I've thought along those lines myself :P Loved Slackware root access with elvish word :twisted:

hotaru
Posts: 1042
Joined: Fri Apr 13, 2007 6:54 pm UTC

Re: "Security Holes" discussion

Postby hotaru » Fri May 16, 2008 8:32 am UTC

thesuker wrote:it doesn't seem it has affected us Linux users in any apocalyptic way.

if you've been using a vulnerable version of openssl and it hasn't then you have much more serious problems.

factorial product enumFromTo 1
isPrime n 
factorial (1) `mod== 1

OskarS
Posts: 13
Joined: Fri Dec 28, 2007 11:40 am UTC

Re: "Security Holes" discussion

Postby OskarS » Fri May 16, 2008 8:38 am UTC

I haven't regenerated my keys yet, so I'm seriously paranoid that someone is haxxoring any one of my Ubuntu boxes as we speak :cry:. I'm getting to it tonight.

Seriously though, this is a fuck-up of massive proportions. Seeding random data based ONLY on the PID???? Heads should roll over this, this is like something Microsoft would do. Only, slightly worse, because OpenSSL is supposed to be the paragon of security-virtue. I mean, EVERY single generated key on debian based systems since September 2006 needs to be replaced (and sent to CAs for re-authentication). It's a catastrophe.

erayd
Posts: 1
Joined: Fri May 16, 2008 10:03 am UTC

Re: "Security Holes" discussion

Postby erayd » Fri May 16, 2008 10:06 am UTC

OskarS wrote:I mean, EVERY single generated key on debian based systems since September 2006 needs to be replaced (and sent to CAs for re-authentication). It's a catastrophe.

Even worse if you're in my situation and actually run a moderately-sized CA with the root key generated on a flawed debian system - I'm partway through replacing every single fucking key that was ever signed by the old CA, because now that the CA key has been replaced none of the clients work....

Cynical Jawa
Posts: 63
Joined: Mon Aug 20, 2007 6:05 pm UTC
Location: Aberdeen, UK

Re: "Security Holes" discussion

Postby Cynical Jawa » Fri May 16, 2008 10:15 am UTC

Har har, burn Ubuntu! I run SuSE, so I can be mainstream but maintain hipster cool :P

I'm seriously considering writing a script to add the slackware loophole, though :D

Dobblesworth
Dobblesworth, here's the title you requested over three years ago. -Banana
Posts: 1429
Joined: Wed May 30, 2007 12:06 pm UTC
Contact:

Re: "Security Holes" discussion

Postby Dobblesworth » Fri May 16, 2008 10:31 am UTC

I hope neither Jeff Goldblum nor militant psychos in Nigeria (replace as applicable for other OLPC state) get wind of this and ruin the education of several hundred thousand Africans.

suso
Posts: 195
Joined: Wed Jan 17, 2007 6:23 pm UTC
Location: Sky Grund
Contact:

Re: "Security Holes" discussion

Postby suso » Fri May 16, 2008 10:44 am UTC

Perhaps I'm stating the obvious, but I was surprised to see Ubuntu listed since it's just Debian on LSD. Ubuntu had the same security vulnerability. I hope all the people running Ubuntu realize that. Nice comic.
Imagine there's no signatures....

OskarS
Posts: 13
Joined: Fri Dec 28, 2007 11:40 am UTC

Re: "Security Holes" discussion

Postby OskarS » Fri May 16, 2008 11:01 am UTC

erayd wrote:
I mean, EVERY single generated key on debian based systems since September 2006 needs to be replaced (and sent to CAs for re-authentication). It's a catastrophe.
Even worse if you're in my situation and actually run a moderately-sized CA with the root key generated on a flawed debian system - I'm partway through replacing every single fucking key that was ever signed by the old CA, because now that the CA key has been replaced none of the clients work....


Holy crap. I'm bitching about my three machines, and you're in the ninth circle of hell!* Dude, sympathies man.


(*the ninth circle is for traitors, of course! Damn you, debian!)

Myrddin
Posts: 6
Joined: Fri May 16, 2008 10:24 am UTC

Re: "Security Holes" discussion

Postby Myrddin » Fri May 16, 2008 11:04 am UTC

This is one of the things I like about Slackware (no, not the elven backdoor !). Patrick spends a lot of time and effort building a standards-compliant distro with an absolute minimum of tinkering with upstream packages. A lot of stuff is a version behind the 'look at me' distros because he takes the time to make sure everything is rock solid. It might not be the prettiest to look at but it does exactly what it says on the tin.
I have run Slackware exclusively since 2004, but was seduced by the hype over Ubuntu Hardy Heron, so I installed it on one laptop a week after it came out. I admit it looks good, but it is definitely aimed at the Windows market (not necessarily a bad thing, just not my thing). It has very few of the things I associate with Linux installed as default (although their package management makes installing very straightforward). Most surprising was the lack of gcc and the library header files, although no emacs or LaTeX was a shock as well - I suppose if you want a single CD core distro, you have to leave stuff out.
I will persevere with it, though, as it represents the best chance of getting friends and family to switch to Linux so I need to be familiar with it. Hopefully this ssh thing is a one-off, thankfully my keys were all generated in Slackware and imported.

Cynical Jawa
Posts: 63
Joined: Mon Aug 20, 2007 6:05 pm UTC
Location: Aberdeen, UK

Re: "Security Holes" discussion

Postby Cynical Jawa » Fri May 16, 2008 11:09 am UTC

Myrddin wrote:elven backdoor !


That's hot.

PatrickRsGhost
Posts: 2278
Joined: Fri May 04, 2007 5:43 pm UTC
Location: ZZ9PluralZAlpha
Contact:

Re: "Security Holes" discussion

Postby PatrickRsGhost » Fri May 16, 2008 11:29 am UTC

aerojad wrote:edit:
Holy hell, did I just win the game?

edit2:
*looks at forum listing* I did! I did! I feel validated now.


Nope. Sorry. You lose. You thought about it, you questioned it, so you lost it.
PRG

An important message for you:

010000100110010100100000011100110
111010101110010011001010010000001
110100011011110010000001100101011
000010111010000100000011110010110
111101110101011100100010000001100
010011000010110001101101111011011
1000101110

DragonHawk
Posts: 457
Joined: Sat Sep 15, 2007 1:20 am UTC
Location: NH, US, Earth
Contact:

Re: Security Holes

Postby DragonHawk » Fri May 16, 2008 11:36 am UTC

"Mellon."

I also liked the reference to that well-known OS exploit, documented in CERT advisory CA-96.13.
atrain wrote:I can't believe that change went through unnoticed for so long.

As Bruce Schneier says, good crypto and bad crypto often appear almost identical. :(
'; DROP DATABASE;-- wrote:I was wondering about that critical SSL update the other day. Thinking about how neat it is that they can push an update out to every machine so reliably.

Unfortunately, pushing out a code update isn't enough for this one. You have to actually generate new keys for any keys created since 2006. So this requires manual intervention.
Sgeo wrote:<[anonymous]> one made valgrind mad, and was more or less useless anyway

A bit of amplification on this: The line in question was from the entropy (randomness) gathering routines. What OpenSSL did was take the contents of an uninitialized memory buffer and add it to the entropy pool. On systems that don't initialize memory to zero before giving it to a process, this can actually give you some useful entropy. On those that don't, it doesn't hurt. Normally, using the contents of an uninitialized buffer is a very bad thing to do, since you have no idea what the contents might be. (In this case, that's actually desired.) But Valgrind -- a debugging tool -- saw this and complained. So a Debian volunteer decided they should comment out the code to stop Valgrind from complaining. That's bad enough, as in this case, the Valgrind warning is bogus -- the code is fine. But while they were commenting out the "use uninitialized buffer" code, the volunteer also commented out the place where the buffer was used *after it had been initialized*. So now OpenSSL was never using its main entropy source. As I believe people are saying these days, "Epic fail".

EDIT: fix my brain fart in the year
Last edited by DragonHawk on Fri May 16, 2008 1:20 pm UTC, edited 1 time in total.
Ben'); DROP TABLE Users;--

GENERATION 42: The first time you see this, copy it into yοur sig on any forum and stick a fork in yοur еyе. Social experiment.
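A toy model of the bug Sgeo's chat log and DragonHawk's post describe, added here as an example and not taken from the thread or from OpenSSL/Debian. The pool, the two mixing calls and the blacklist are constructed for illustration (names EntropyPool, derive_key, build_blacklist and the 32768 pid range are assumptions); the real OpenSSL entropy pool, the real Debian patch and real key formats differ. What it shows is the mechanism: remove only the "uninitialized buffer" call and keys still depend on the OS entropy source, remove both calls and the only remaining input is the pid, so every key the broken build can ever produce fits in a precomputed fingerprint blacklist of the kind ssh-vulnkey used.

```python
import hashlib
import os

PID_MAX = 32768  # assumed default Linux pid range of the time (constructed value)


class EntropyPool:
    """Toy pool: state is a running SHA-256 over everything ever mixed in."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32

    def add(self, data: bytes) -> None:
        self.state = hashlib.sha256(self.state + data).digest()


def derive_key(pid: int, os_entropy: bytes,
               mix_uninitialized: bool = True,
               mix_initialized: bool = True) -> str:
    """Return a hex 'key' derived from the pool (hypothetical key format).

    The same buffer is mixed in twice: once before it is filled (the call
    Valgrind flagged, harmless at worst) and once after it has been filled
    from the OS entropy source (the vital one).  The flags let you remove
    either call; the Debian change removed both.  The pid mixing stays in,
    which is why the broken build produced 32768 different keys rather than
    a single one.
    """
    pool = EntropyPool()
    buf = bytearray(32)          # "uninitialized" buffer, modelled as zeros
    if mix_uninitialized:
        pool.add(bytes(buf))     # contributes nothing here, hurts nothing
    buf = bytearray(os_entropy)  # now filled from the OS entropy source
    if mix_initialized:
        pool.add(bytes(buf))     # the line that actually mattered
    pool.add(pid.to_bytes(2, "big"))
    return pool.state.hex()


def build_blacklist() -> frozenset:
    """Enumerate every key the broken build can produce, one per pid.

    This mirrors what a fingerprint blacklist does: with the pid as the only
    varying input, the whole key space is small enough to precompute and
    compare incoming keys against.
    """
    unused = b"\x00" * 32  # never mixed in when both calls are removed
    return frozenset(
        derive_key(pid, unused, mix_uninitialized=False, mix_initialized=False)
        for pid in range(PID_MAX)
    )


def is_blacklisted(key_hex: str, blacklist: frozenset) -> bool:
    """True if the key is one the broken build could have generated."""
    return key_hex in blacklist


if __name__ == "__main__":
    blacklist = build_blacklist()
    entropy = os.urandom(32)
    broken = derive_key(1234, entropy, mix_uninitialized=False,
                        mix_initialized=False)
    fixed = derive_key(1234, entropy, mix_uninitialized=False)
    print("keys in blacklist:", len(blacklist))
    print("broken build key blacklisted:", is_blacklisted(broken, blacklist))
    print("fixed build key blacklisted:", is_blacklisted(fixed, blacklist))
```

The blacklist check only covers keys generated by the broken build, which is exactly the limit KTC raises further down: a key generated elsewhere and merely used on an affected machine is not in the enumerable set, so no fingerprint list can flag it, and only the owner's knowledge of where the key was used can.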

Shoot Them Later
Posts: 9
Joined: Thu Aug 09, 2007 7:45 am UTC

Re: "Security Holes" discussion

Postby Shoot Them Later » Fri May 16, 2008 12:55 pm UTC

Expect years of bashing from windows users about "security" ^^

Forget what I just said. I see the inter-distro bashing is up.
If the lessons of history teach us anything, it is that nobody learns the lessons that history teaches us.

KTC
Posts: 9
Joined: Fri May 16, 2008 1:04 pm UTC

Re: Security Holes

Postby KTC » Fri May 16, 2008 1:11 pm UTC

DragonHawk wrote:
'; DROP DATABASE;-- wrote:I was wondering about that critical SSL update the other day. Thinking about how neat it is that they can push an update out to every machine so reliably.

Unfortunately, pushing out a code update isn't enough for this one. You have to actually generate new keys for any keys created since 1996. So this requires manual intervention.

2006

Myrddin wrote:I will persevere with it, though, as it represents the best chance of getting friends and family to switch to Linux so I need to be familiar with it. Hopefully this ssh thing is a one-off, thankfully my keys were all generated in Slackware and imported.

If you had imported and used your (DSA) private key on a vulnerable version, then you're just as affected. In fact, it's worse as, unlike a weak key that was generated on a vulnerable version, there's no way to test whether that key is affected other than the end user's own knowledge of where they have used their key.

Sound
Posts: 1
Joined: Fri May 16, 2008 1:11 pm UTC

Re: "Security Holes" discussion

Postby Sound » Fri May 16, 2008 1:14 pm UTC

I just don't understand the left side strip, and in particular the prevent_911() function call (btw, 9-1-1 or 9/11?)

