Linux in the news
All in one big page
See also: last week's Security page.
The biggest news of this week in security has been the about-face of the French government policy on encryption. Part 1 and Part 2 of the government documents in French describe a "project" (essentially, a proposed new law) which promises, eventually, complete freedom of the use of cryptography within France. In the meantime, until the law is enacted, the maximum allowable keysize for cryptography has been increased from 40 bits to 128 bits, certainly trumping the U.S. Government's recent increase in allowable keysize to 56 bits. Exportation of cryptography is still controlled by virtue of existing agreements with other countries.
The Babelfish document translating this into English is available as postings underneath the original Slashdot article.
This Techweb article reports that India is warning people against the use of U.S. security products because the limits placed on exports by the U.S. government prevent really effective products from being sold internationally.
The same theme was seen in the reaction of people in Silicon Valley to the U.S. government's effort to promote their encryption policy, as reported in this New York Times article. (registration required) "the industry representatives turned a cold eye to the Administration's recent proposals and complained that increased foreign competition was in danger of surpassing American companies. " In the same article, we hear that Representative Zoe Lofgren, a California Democrat, will reintroduce a plan to liberalize export controls. Best of luck, Zoe!
This Associated Press article (from the ISN mailing list) describes the decision of the Norway Supreme Court which ruled that trying to break into a computer is not a crime in and of itself. The article mentions that people can now legally scan computers for security holes and pass that information on to other people to be used for illegal purposes. Of course, it also allows that same information to be gathered and reported back to the site to allow them to fix the problem or to be widely discussed so that security holes can be fixed, something which the article neglects to mention.
No report for this week would be complete without a reference to the new encryption algorithm developed by Sarah Flannery. Both the BBC News and ZDnet have written articles on the subject [found in Slashdot]. The amount of media attention was disproportionate because Sarah is only 16. However, the merits of her achievement stand separate from her age, sex or country of origin. A new encryption algorithm is always welcome, a new, high-quality cryptographer even more so. Most interesting to us are the tiny suggestions buried in the articles that the algorithm might be made freely available. If there is any truth to that possibility, it would be the best reason to laud Sarah, for the value of a freely available cryptographic algorithm, once appropriately tested and confirmed, would be incalculable.
Security reportsThe most controversial and important security report for this week was Michal Zalewski's report of two new bugs in sendmail, affecting all versions, including the latest 8.9.2 release. Some confusion resulted when it was claimed that these problems had been fixed in 8.9.2. Michal stated that they were still present if sendmail was configured to allow relaying and then demonstrated his statement with an exploit. No information on these bugs is yet available on the sendmail.com or sendmail.org sites, nor have any reports of updated packages from any of the distributors surfaced.
David Schwartz reported a vulnerability in the Linux kernel which he had been told was fixed in 2.0.36, but he has been able to reproduce. No confirmation or denial of his report has yet been seen.
Brian McCauley reports that the Perl 5.0004_4 version of suidperl ignores nosuid mount options. This means that an suid perl script on a CD or floppy can potentially be used to gain root access. Brian goes on to predict that other suid-aware script interpreters may have this same vulnerability under Linux due to the absence of an fstatvfs() system call. Followups mentioned that this is not a new problem and, in fact, is documented in the mount man page on many systems. NetBSD and FreeBSD fixes for the problem have been incorporated into their respective packages. No fixes for this problem under Linux have been reported as of yet.
A report of shoddy encryption techniques in Iomega Jaz drives was posted to Bugtraq. The report was sent to Iomega but no confirmation or denial of the problem has yet been heard. If you are assuming that using the encryption feature on the backup will protect your data if someone steals your cartridge, read this report. It shows that the information needed to decrypt your data is stored in an easily decipherable format and how that information can be used to decrypt the contents of the entire cartridge.
Red Hat has released updated RPMS for fvwm2, required if you upgrade to their recommended XFree86 3.3.3
Debian has reported a major security problem with the ftpwatch package in Debian GNU/Linux 1.3 and recommended that people remove the package entirely until a new package with fixes has been announced.
For those using Cisco hardware, this report documents how easily Cisco boxes can be scanned and identified, something that can make it easier for them to be targeted for specific attacks.
UpdatesA recently reported buffer overflow in Dosemu has been fixed in Dosemu 0.99.6, according to this note from Eric Mouw.
We mentioned in last week's security section that Neoware X-terminals were vulnerable to nmap scans. This week, Adam Shostack commented that the vulnerability is not consistent and explained why they haven't pursued it further.
The Fore nmap vulnerability was apparently reported to the right place and as a result, Powerhub Software 5.0.1 (11193) fixes the problem. If your Fore hardware does not have an accelerator, though, you'll need this pointer to the proper fix.
ResourcesThe January 15th edition of CRYPTO-GRAM is now available. This edition focuses on an overview of the past year.
A review of "Maximum Security", from Macmillan Publishing has been written by Robert Slade. He indicates that it is improved over the original version but overall does not seem to be greatly impressed. "For the novice it isn't altogether reliable, but for the professional it is at least worth looking at." [From the ISN mailing list]
The alpha release of the tool sscan has been announced.
John Kozubik has requested feedback on his whitepaper on Intrusion Detection.
EventsThe Call-for-Papers for the Computers, Freedom + Privacy 1999 conference has been released. The conference will be held April 6th through the 8th in Washington, DC.
January 21, 1999