Letters to the editor
Many vulnerable OpenSSL libraries in the wild?
| From: | Jerome Lacoste <lacostej-AT-frisurf.no> |
| To: | magnus-AT-netcraft.com |
| Subject: | Many vulnerable OpenSSL libraries in the wild? |
| Date: | Thu, 06 Nov 2003 14:18:49 +0100 |
| Cc: | letters-AT-lwn.net |
Magnus,
I wished to react to the Netcraft's article posted under your name
regarding the high number of obsolete and thus vulnerable versions of
OpenSSL found on the Internet.
I tend to question the way the gathering of the data was done. It seems,
according to your article, that you just used the Web server's signature.
Unfortunately this is not sufficient, and this for at least one reason:
the backporting of security fixes.
Many Linux distributions backport fixes, meaning that the version number
will not be increased while the vulnerability will be removed.
Taking two examples of two machines I have at hand, one running Debian
Woody, one running Mandrake 9.1. These two machines are accessible on the
Internet.
jerome-AT-debian Woody> dpkg -l openssl
ii openssl 0.9.6c-2.woody.4 [...]
jerome-AT-mandrake 9.2> rpm -q openssl
openssl-0.9.7a-1.2.91mdk
Does that mean that mandrake 9.1 and Debian Woody are vulnerable? No (at
least to currently known vulnerabilities). But these 2 machines would
(and perhaps have been) counted in the results of the NetCraft survey.
The only way to find out whether a vulnerability is present or not is to
try to exploit it. That's what the people from NISC seem to be doing.
What I am afraid of is that this survey seems to create a false sense of
risk for solutions running on OpenSSL. Many of these solutions are open
source, and this article could be used as FUD against these systems.
So until a better way to identify whether these systems are indeed
vulnerable is found, I would be happy if Netcraft could publish an addendum to
that article, in order to decrease this perhaps false sense of risk that
this article generated.
See also the article on LWN for more discussions[2].
Cheers,
Jerome
[1] http://news.netcraft.com/[...]
[2] http://lwn.net/Articles/56713/
--
Jerome Lacoste - CoffeeBreaks - IT Consulting
jerome-AT-coffeebreaks.org - http://www.CoffeeBreaks.org
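The letter's point, that a banner-only survey cannot tell a backported fix from an unpatched library, is easy to show in code. The following is an added example, not part of the letter or of Netcraft's survey: it contrasts a naive upstream-version comparison with a check that uses the installed package revision and vendor backport data. The "safe" threshold, the Apache banner and the fixed-revision table are constructed placeholders, not advisory data; the two package strings are the ones quoted in the letter.

```python
import re

# Added example, not from the letter. Threshold, banner and the fixed-revision
# table below are constructed placeholders, not real advisory data.
MIN_SAFE_UPSTREAM = "0.9.7b"  # a banner survey flags anything older than this
FIXED_PACKAGE_REVISION = {     # revision at which the vendor backported the fix
    ("debian", "0.9.6c"): "0.9.6c-2.woody.4",
    ("mandrake", "0.9.7a"): "0.9.7a-1.2.91mdk",
}

def version_from_banner(banner):
    """Pull the OpenSSL version out of a Server header; pass plain versions through."""
    m = re.search(r"OpenSSL/(\S+)", banner)
    return m.group(1) if m else banner

def upstream_key(version):
    """Sort key for '0.9.6c' or '0.9.7a-1.2.91mdk': (0, 9, 6, 'c')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % version)
    return tuple(int(x) for x in m.group(1, 2, 3)) + (m.group(4),)

def revision_key(rev):
    """Rough dpkg/rpm ordering: numeric runs compare as integers, not strings."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", rev)]

def split_package(pkg):
    """'openssl-0.9.7a-1.2.91mdk' or '0.9.6c-2.woody.4' -> (upstream, revision)."""
    pkg = pkg[len("openssl-"):] if pkg.startswith("openssl-") else pkg
    upstream, _, revision = pkg.partition("-")
    return upstream, revision

def naive_banner_check(banner):
    """What a signature survey does: compare the upstream version only."""
    v = version_from_banner(banner)
    return "ok" if upstream_key(v) >= upstream_key(MIN_SAFE_UPSTREAM) else "vulnerable"

def distro_aware_check(distro, pkg):
    """Use the installed package revision plus vendor backport data instead."""
    upstream, revision = split_package(pkg)
    if upstream_key(upstream) >= upstream_key(MIN_SAFE_UPSTREAM):
        return "ok"
    fixed = FIXED_PACKAGE_REVISION.get((distro, upstream))
    if fixed is None:
        return "unknown"  # no vendor data: do not assert either way
    _, fixed_rev = split_package(fixed)
    return "ok" if revision_key(revision) >= revision_key(fixed_rev) else "vulnerable"
```

Both machines from the letter come out "vulnerable" under the banner check and "ok" under the package check; a host whose distro is not in the table is reported as "unknown" rather than guessed either way.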
Linux Gazette
| From: | "Jay R. Ashworth" <jra-AT-baylink.com> |
| To: | publisher-AT-linuxgazette.com |
| Subject: | Re: Linux Gazette |
| Date: | Thu, 6 Nov 2003 12:13:06 -0500 |
| Cc: | letters-AT-lwn.net, tag-AT-linuxgazette.net, linux-questions-only-AT-ssc.com |
On Thu, Nov 06, 2003 at 11:22:16AM -0600, Phil Hughes wrote:
> I have been told by Heather Stern, acting as a spokesperson for TAG
> members, that all TAG members have elected to leave their volunteer
> position with Linux Gazette and move on to working on a new
> e-publication. As you are all volunteers, that is certainly your choice
> and I both respect your decision and want to thank you for your past
> contributions.
>
> I don't want to load you down with details if you are not interested in
> participating but I do want to reassure you that Linux Gazette is not
> going off in some strange new direction.
Alas, Phil, the consensus is that you *are, in fact* going off in some
strange new direction, and I concur with those who think so. And,
indeed, the Gazette *is* the people. I've seen, specifically, Sassy,
Computer Telephony, and Boardwatch curl up and die when the original
editors were replaced by corporate managements.
> In any case, based on Heather's statements, my default assumption will
> be that you have decided to move elsewhere. If that is not the case,
> please e-mail me at publisher-AT-linuxgazette.com and let me know your
> intentions. In any case, thanks again for your past work with Linux
> Gazette.
I continue to work with Linux Gazette, Phil; it's just not yours
anymore. Rumbles I hear about trademark infringement and threats like
suggest that you haven't quite figured that out yet. I think that's a
shame, really... but the community interprets silly corporate
manoeuvring as damage, and routes around it.
I hope this doesn't reflect negatively on the Journal; I've been happy
lately to see that your art direction and editing have been improving.
Cheers,
-- jra
--
Jay R. Ashworth jra-AT-baylink.com
Member of the Technical Staff Baylink RFC 2100
The Suncoast Freenet The Things I Think
Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274
OS X: Because making Unix user-friendly was easier than debugging Windows
-- Simon Slavin, on a.f.c
Linux Gazette
| From: | Rick Moen <rick-AT-linuxmafia.com> |
| To: | tag-AT-linuxgazette.net, linux-questions-only-AT-ssc.com |
| Subject: | Re: [TAG] Re: Linux Gazette |
| Date: | Thu, 6 Nov 2003 10:43:36 -0800 |
| Cc: | letters-AT-lwn.net |
[Reply-To set to TAG. Not Cc'ing Phil, since he's already seen this.]
Quoting Jay R. Ashworth (jra-AT-baylink.com):
> Alas, Phil, the consensus is that you *are, in fact* going off in some
> strange new direction, and I concur with those who think so.
It's important to realise that, at the time the staff (unanimously)
decided to leave, Phil and his webmaster had pretty much announced it as
a fait accompli that all the core concepts of a magazine (periodic
issues, editors) were to be done away with when the CMS rolled in.
He suddenly about-faced and _rediscovered_ interest in those concepts
only after we published the November (linuxgazette.net) issue.
Just because the TAG people and public haven't seen it before, what
follows is the staff's polite and appreciative notice to Phil on Oct. 28
that we were moving the magazine -- as previously discussed with him
numerous times as likely if he followed his plan. The text was kept
confidential at the time, because of the last item mentioned, but here
it is now nine days later, and SSC is still wrongfully asserting
copyright over Yan-Fa Li and LeaAnne Kolp's work. (See:
http://www.linuxgazette.com/node/view/58
http://www.linuxgazette.com/node/view/61 )
From rick Tue Oct 28 12:01:56 2003
Date: Tue, 28 Oct 2003 12:01:56 -0800
To: Phil Hughes <fyl-AT-a42.com>
Cc: Jeff Tinsler <jet-AT-comwestcr.com>
Subject: Transition matters
User-Agent: Mutt/1.5.4i
Dear Mr. Hughes:
I'm writing on behalf of the Linux Gazette staff and its current
leadership, Mike Orr and Heather Stern, to fill you in on what is going
on with Linux Gazette's magazine production and hosting, and to arrange
for an orderly transition.
SSC, Inc. has always been incredibly supportive of LG's activities,
helping out with mirror space four months after John M. Fisk founded our
publication at his ISP in Nashville, and then furnishing our _primary_
hosting for seven years -- from August 1996 until a few days ago.
Moreover, you've actually underwritten some of your staff's time in
helping us (Marjorie Richardson, Amy Kukuk, Mike Orr, Jeff Tinzler, and
others) throughout that time. We are very grateful.
Recently, Linux Gazette's staff decided that we needed to move our
hosting to a different site, because, although we are sympathetic to
your aim of operating a dynamic, CMS-driven site open to public posting,
that is not compatible with Linux Gazette's longstanding mission to
publish a periodic set of edited newsletters with editor-picked, fixed
contents. Our new host site will be at http://www.linuxgazette.net/ ,
with the November issue coming out in a few days. We felt you should
know this immediately, in advance of any public announcement.
Following are a number of transition items we'd like to call to your
attention:
(1) Linux Gazette has been hosted at SSC so long that, inevitably, there
are some snarls we'll need to untangle: One is the existing LG
e-mail addresses, which we'd like to somehow transition over. We
would be glad to furnish an alias table for your sysadmins.
(2) Likewise, if you wish for any SSC sites to carry mirror copies of LG
issues, you'll have to establish a new mirroring run to pull them
down from our main site or its other mirrors. You are of course
welcome to use LG content in any way that complies with the Open
Publication License (issues #9 - present) or the BSD licence (issues
#1-8). There is actually an existing problem in that area, needing
SSC's immediate attention, about which more below.
(3) We would of course appreciate SSC assisting in letting the public
know of Linux Gazette's move. The other Linux press outlets will be
notified, a short time after this e-mail, and SSC's aid in getting
the word out will help assure a smooth changeover.
(4) In the course of populating our mirror network with back issues,
we've noticed that at least two of the issues carried on SSC's own
site (and from there picked up by most of its mirrors) now have
modifications to the magazine text that were not authorised by the
staff. I refer to issue #95 (Oct. 2003), for which SSC's copy is
missing a large fraction of the Mailbag article, and issue #92 (July
2003), which is missing Janine M. Lodato's article "Linux to Save
the Health of the World". These deletions were done without the
knowledge or approval of the staff, and impair the integrity of our
magazine's content. Accordingly, we must ask that you and all
downstream mirrors reverse those two -- and any other --
unauthorised changes to magazine text that SSC has enacted without
consulting the LG staff.
The issue #95 deletion I'm referring to is the same one we inquired
with you about in e-mail a couple of weeks ago, without receiving
any reply from you or from Jeff Tinzler. Clearer channels of
communication might have averted this situation.
(5) We wish you the best of luck with the recently deployed CMS-based
site. It is, however, absolutely not Linux Gazette, which (as
mentioned) we will keep publishing indefinitely on a non-CMS site.
Accordingly, we would appreciate your firm coining some other name
to use for the CMS site, and also assigning the linuxgazette.com
domain to us at your earliest convenience, to reduce confusion
between the sites.
The last item I need to mention is obviously sensitive, and so we are
deliberately bringing it to your attention privately, to avoid public
attention to it. (We assume that the problem referred to was created
entirely inadvertently.)
(6) As we've seen material being added to your CMS-based site in chunks
taken from prior LG issues, it seems that author attributions are
being (inadvertently) stripped from the articles, the author's
copyright notice removed, and SSC's copyright notice added in the
latter's place. Staffer Michael "Mick" Conry happened to notice
this happening with his News Bytes articles, now visible inside the
CMS at http://www.linuxgazette.com/node/view/92 . Mick's posted
copyright notice, viewable at
http://www.tldp.org/LDP/LG/current/lg_bytes.html, was wrongfully
removed from the CMS rendition. Such treatment of authors'
articles, in addition to being disrespectful of the authors' rights
to credit and ownership, constitutes violation of the covering Open
Publication License, and thus of copyright law.
We would love to be able to tell you that Mick's are the only articles
to which this happened -- or to give you a complete list of the
problematic postings -- but we don't (yet) have that information.
Accordingly, we strongly suggest that you do whatever is required to
find and correct all instances of credits / copyright notices
stripped from LG articles throughout your CMS.
We regret having to bring that matter to your attention, but are
obliged to take this matter seriously, as protectors of our authors'
interests. We would hope you can send us written assurance within
two days from this message's datestamp that no such instances exist
any more on your CMS. Please advise us by that same date if you
need additional time.
Because of the unfortunate pattern of non-communication with the
staff concerning SSC's unauthorised deletions from issue #95, and
the complete lack of consultation with the staff on SSC's deletions
from issue #92 and possibly others, we have to insist on a specific
written response on that matter. If we do not receive it, we will
have to pursue more public options, which we very much prefer to
avoid.
Thank you greatly for your patience and forbearance on these difficult
issues, which I expect and hope will be soon behind us. Pending our
straightening out our long-term communications channels, I would suggest
replying to both Mike Orr <mso-AT-oz.net>, and Heather Stern
<star-AT-starshine.org>, as they are leading the staff during this interim
period.
Yours Respectfully,
Rick Moen
on behalf of the Linux Gazette staff as a whole
Page editor: Jonathan Corbet
