News and editorials

The DVD crack. To win the support of the major motion picture studios and other producers of video content, the creators of the DVD standard built encryption protections into the DVD format. Now it turns out that those protections were pretty weak. NTKnow noted and followed the results when the source code for DeCSS, a package that can be used to copy DVD content to a hard drive, was made publicly available. This exposed the encryption algorithm to public scrutiny, and it was quickly broken. The keys of over 170 DVD licensees were quickly extracted. NTKnow commented:
"The CSS decryption system sucks. It works by storing a whole bunch of keys on each DVD. Industry overseers, the DVD Forum, hand out one matching decryption key to each manufacturer: if any of these companies' equipment got cracked, future DVD discs were to be pressed without this key, making the crack (and that company's hardware) unusable with new movies. Quite whether the Forum would ever dare to carry out this threat against its own licensees is unclear."
The impact of this is yet to be seen. Will the Motion Picture Association withdraw its support for the technology? Will it just resort to more legal action to try to discourage piracy? No official comments out of the DVD community are available yet.
Meanwhile, of course, the issue of keeping encryption algorithms secret has been raised again. Some will argue that the algorithm would not have been broken if it were not exposed. The rest of us will argue that a public-review process would have prevented the use of a weak algorithm and therefore prevented this fiasco for the DVD industry.
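The key hierarchy described in the NTKnow quote (one disc key wrapped once per licensee, with a compromised licensee's slot simply omitted from future pressings) can be modelled in a few lines. The following is an added example written for this page; it is not the CSS algorithm, not DeCSS, and not code from NTKnow or the DVD Forum. The key length, the SHA-256-based wrapping function, the disc layout and the vendor names are all assumptions made for the illustration. Its point is the defender's caveat the quote hints at: revocation protects only discs pressed after the revocation, never discs already in circulation.

```python
"""Constructed model of per-licensee key slots with revocation.

Not the CSS cipher: key sizes, the wrap function and the disc layout are
assumptions for illustration only.
"""
import hashlib
import secrets

KEY_LEN = 32  # bytes; a constructed parameter, not a CSS value


def wrap(player_key: bytes, disc_id: bytes, disc_key: bytes) -> bytes:
    """Wrap disc_key for one licensee by XORing it with a per-disc pad
    derived from that licensee's key. The pad is fresh per disc because
    disc_id is fresh per disc, so a wrapped value is never reused."""
    pad = hashlib.sha256(player_key + disc_id).digest()  # 32 bytes == KEY_LEN
    return bytes(a ^ b for a, b in zip(pad, disc_key))


def unwrap(player_key: bytes, disc_id: bytes, wrapped: bytes) -> bytes:
    """XOR wrapping is its own inverse."""
    return wrap(player_key, disc_id, wrapped)


def press_disc(licensee_keys: dict, revoked: set):
    """Press a disc: a fresh disc key, wrapped once per non-revoked licensee.
    Returns (disc, disc_key); a real disc carries only `disc`, the plaintext
    disc_key is returned here only so callers can check player behaviour."""
    disc_id = secrets.token_bytes(16)
    disc_key = secrets.token_bytes(KEY_LEN)
    slots = {name: wrap(key, disc_id, disc_key)
             for name, key in licensee_keys.items() if name not in revoked}
    return {"disc_id": disc_id, "slots": slots}, disc_key


def player_recovers_key(disc: dict, name: str, player_key: bytes):
    """What a player built by licensee `name` can do with a disc: find its
    slot and unwrap it. Returns None when the disc carries no slot for it."""
    wrapped = disc["slots"].get(name)
    if wrapped is None:
        return None
    return unwrap(player_key, disc["disc_id"], wrapped)


def demo() -> dict:
    """Walk through a compromise: vendor2's key is revoked after an old disc
    has already shipped. Returns the four observations worth checking."""
    licensees = {f"vendor{i}": secrets.token_bytes(KEY_LEN) for i in range(4)}

    # Disc pressed before any compromise: every licensee's player works.
    old_disc, old_key = press_disc(licensees, revoked=set())
    all_play_old = all(player_recovers_key(old_disc, n, k) == old_key
                       for n, k in licensees.items())

    # vendor2's key is now treated as extracted; future pressings omit its slot.
    new_disc, new_key = press_disc(licensees, revoked={"vendor2"})
    revoked_plays_new = player_recovers_key(new_disc, "vendor2", licensees["vendor2"]) is not None
    others_play_new = all(player_recovers_key(new_disc, n, k) == new_key
                          for n, k in licensees.items() if n != "vendor2")

    # The caveat: revocation changes nothing for discs already pressed.
    revoked_still_plays_old = (
        player_recovers_key(old_disc, "vendor2", licensees["vendor2"]) == old_key)

    return {"all_play_old": all_play_old,
            "revoked_plays_new": revoked_plays_new,
            "others_play_new": others_play_new,
            "revoked_still_plays_old": revoked_still_plays_old}


if __name__ == "__main__":
    for observation, value in demo().items():
        print(f"{observation}: {value}")
```

Note what the model does not capture: once a disc key has been recovered from any single slot, every disc already pressed with that key is open regardless of which licensee is later revoked, and the scheme offers no way to repair discs in the field. That is why the only remedy available to the Forum is the forward-looking one the quote describes.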
IPsec, a rising star? Netscape/CMPNet appear to think so. This past week, they issued two feature articles focusing on IPsec. The first argues that IPsec's time has finally arrived.
Security Reports

uum and canuum. A recent posting to BugTraq reported several different vulnerabilities. Two of them were Linux-related, dealing with two packages, uum and canuum, which are included with some Linux distributions for Japanese support. The vulnerabilities were specifically reported under TurboLinux, but may impact other distributions as well. No workaround is provided currently, so you may want to consider disabling or removing these packages until updates are provided. Both packages can be exploited to gain root privileges.
Updates

am-utils: Remotely exploitable buffer overflows.
lpd: File permission problems with lpr and lpd can allow a user to print a file which they are not allowed to read.
ypserv: ypserv prior to 1.3.9 had a variety of security problems. An upgrade to 1.3.9 is recommended.
Resources

Stack Shield 0.6. A new beta release of Stack Shield is now out. Stack Shield is a tool that can be used to recompile code to protect against potentially exploitable buffer overflows. This release includes a new protection against "function pointer" attacks.
Section Editor: Liz Coolbaugh
November 4, 1999