Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft: As of October, 1024-Bit Certs Are the New Minimum

timothy posted about 2 years ago | from the always-so-very-precise dept.

Security 207

way2trivial writes with this snippet from Information Week about a warning from Microsoft reminding Windows administrators that an update scheduled for October 9th will require a higher standard for digital certificates. "That warning comes as Microsoft prepares to release an automatic security update for Windows on Oct. 9, 2012, that will make longer key lengths mandatory for all digital certificates that touch Windows systems. ... Internet Explorer won't be able to access any website secured using an RSA digital certificate with a key length of less than 1,024 bits. ActiveX controls might be blocked, users might not be able to install applications, and Outlook 2010 won't be able to encrypt or digitally sign emails, or communicate with an Exchange server for SSL/TLS communications."

cancel ×

207 comments

Sorry! There are no comments related to the filter you selected.

Happy Sunday from the Golden Girls! (-1, Offtopic)

Anonymous Coward | about 2 years ago | (#41283639)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

First! (-1)

Anonymous Coward | about 2 years ago | (#41283663)

First!

Re:First! (0, Offtopic)

Anonymous Coward | about 2 years ago | (#41283869)

Ha! Beat by some little old ladies!

Close update backdoor instead (-1, Troll)

Anonymous Coward | about 2 years ago | (#41283669)

If MS are really interested in everybody's security why don't they close the Windows Update backdoor instead?

Close Goate.cx instead (5, Funny)

Anonymous Coward | about 2 years ago | (#41283725)

Wouldn't be much of an OS if it didn't have a reach-around.

Re:Close Goate.cx instead (3, Funny)

Anonymous Coward | about 2 years ago | (#41283857)

With Microsoft products, it always more of a bend-over than a reach-around.

Why 1024? (5, Interesting)

fsck1nhippies (2642761) | about 2 years ago | (#41283679)

System have the ability to go further, why not make 2048 the minimum? Does anyone know why 1024 was selected? I would guess it has to do with some backwards compatibility with something. Some of the issuers are making it next to impossible to go below 2048.

Re:Why 1024? (5, Interesting)

Penguinisto (415985) | about 2 years ago | (#41283799)

Thinking much the same thing here as well. Even a CA like GoDaddy won't take anything smaller than a 2k cert key.

Most SSL certs we cook up have a 2048 minimum anyway, and some certs we use have a standard of at least 4096 (I work in the banking/financial industry, so we're used to using the bigger keys).

I'm thinking that they stuck with 1024 because most IIS 7.x (Win2k8 Server) allows for a minimum 1024 key size when making CSRs, and (maybe? can't remember) the really old crap (IIS5 or 4?) won't interpret anything bigger, which means enterprises with those old installs will scream bloody murder if they have to re-key but can't meet minimum length.

Re:Why 1024? (0, Flamebait)

Anonymous Coward | about 2 years ago | (#41283821)

I'm thinking that they stuck with 1024 because

They stuck with 1024 because they want to pretend to be secure without actually having to be secure. A ton of money is made by the PC "security" industry surrounding Windows. Can't do anything that might jeopardize the legion of people who refuse to recommend anything else lest it put them out of a job.

Re:Why 1024? (2)

fsck1nhippies (2642761) | about 2 years ago | (#41284125)

I am sorry to tell you that Certs are predominately used to secure communication between two points. They can be used for authentication of executables as well as users, and microsoft is pushing this requirement(gradually). To suggest that the selection of certificate bit length is to "pretend" that the are secure is crazy. Can you give an example of how this has been used in the past?

Re:Why 1024? (-1)

Anonymous Coward | about 2 years ago | (#41284293)

With this latest failure from Microsoft you will get your examples soon enough I fear.

Re:Why 1024? (0, Funny)

Anonymous Coward | about 2 years ago | (#41284585)

I am sorry to tell you that Certs are predominately used to secure communication between two points.

And Certs have Retsin for fresh clean breath!

Sorry, I had to....

Re:Why 1024? (5, Interesting)

SCPRedMage (838040) | about 2 years ago | (#41283855)

Probably because they didn't want to break a greater number of certs.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284035)

Sorry, I don't see the difference between breaking 1 and 10. It is the same BS email message the will send to the issuers.

Re:Why 1024? (4, Informative)

viperidaenz (2515578) | about 2 years ago | (#41284515)

I don't know about you, but I went to school. I see a factor of 10 between 1 and 10.
Have a look at http://en.wikipedia.org/wiki/Birthday_problem [wikipedia.org] A group of just 23 people is required to get a 50% probability two people will have the same birthday, despite there being 366 different days in the year. 57 for 99% probability. That equates to 6.3% change, hits 50% probability and 15.5% hits 99%.

If moving to 2048bits makes 15% of the certs in use invalid, the vast majority of your users will be effected.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284539)

I was implying that the required number of responses for one affected group as one and the number of responses to ten or even more as still being one! The response would be " we warned you over a year ago that we would be updating the minimum cert length to more than 1024, You can fix the error your clients see by updating your issued certs to meet these minimum requirements"

I saw the difference between 1 and 10 as 0.

Re:Why 1024? (1)

viperidaenz (2515578) | about 2 years ago | (#41284661)

That would be good if you had a definitive list of all effected users and their up to date contact details and their permission to contact them for business purposes (some countries have laws against that).
Rattling the same response to every user you calls you up is still going to cost in terms of call centre resources.

Re:Why 1024? (2, Insightful)

Jane Q. Public (1010737) | about 2 years ago | (#41284033)

"Does anyone know why 1024 was selected?"

But one has to wonder why Microsoft is doing the selection.

I'm not Microsoft-bashing here, but if I had an old cert on a site somewhere, there is no way in hell I would update it just to be compatible with Internet Explorer. Let Explorer users do without. I don't care in the slightest.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284059)

Your comment would have good merit, if we were asking why the global standard was not raised to something higher. This was from microsoft, and regarding their operating systems. If I may add to your original post, "Why are we not pushing the standard high enough to force MS to comply?"

You push a political edge with your comments that I am not quite comfortable answering. I will let someone else start that conversation.

Re:Why 1024? (1)

Jane Q. Public (1010737) | about 2 years ago | (#41284275)

"You push a political edge with your comments that I am not quite comfortable answering. I will let someone else start that conversation."

You read far more into my comment than I actually wrote.

There's nothing "political" about it. If I had an old site with an old certificate, I simply would not be motivated to upgrade it just for the benefit of the user of one browser. I could say the same about Chrome or Safari or Firefox.

Now, if several browsers imposed that restriction, I might be inclined to upgrade.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284409)

The political comment was based on the the opening presented to go on a political rant. The similarities with our(US for me) current climate are quite obvious and very tempting.

Your site with the old cert will expire in less than three years from the second I post this comment. This is not something that is happening tomorrow. Your post implies that you would not "upgrade" for the benefit of one user. Why not?

Are you saying that you refuse to adopt a standard that progresses the security of our current computing environment? Because Safari does not support it??? I don't get it... Sorry.

Re:Why 1024? (1)

Jane Q. Public (1010737) | about 2 years ago | (#41284665)

"The political comment was based on the the opening presented to go on a political rant. The similarities with our(US for me) current climate are quite obvious and very tempting."

Again, you are reading more into it than actually exists. Sure I wrote "Microsoft", but that is just because Microsoft happens to be the one doing it. It could just as easily have been some other browser.

"Your site with the old cert will expire in less than three years from the second I post this comment. This is not something that is happening tomorrow. Your post implies that you would not "upgrade" for the benefit of one user. Why not?"

That's two different issues. So (A) who cares? That's a completely separate issue, and it IS, as you say, 3 years. (B) Because if it's an old site that I have not bothered upgrading to this point, I probably don't care that much about it to support a particular browser anyway.

"Are you saying that you refuse to adopt a standard that progresses the security of our current computing environment?"

Of course not. Where did I actually state anything even remotely like that?

Re:Why 1024? (1)

viperidaenz (2515578) | about 2 years ago | (#41284529)

If you want to cut 40% of the internet users off from your content, that's your prerogative.

Re:Why 1024? (4, Informative)

jrumney (197329) | about 2 years ago | (#41284063)

1024 was selected because this will not affect any US corporations, who always used 1024 bit certificates. Lower bit lengths were only ever offered because US export law would not allow high strength encryption products to be exported from the US, so MS and others shipped a lot of crippled copies of Windows NT, 95, 98 and maybe even Windows 2000 to customers outside the US.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284165)

By your comment I will assume an exclusion of foreign companies...With that said, I can't understand how the increase in bit lenght requirements would specifically affect a company over a drawn out period. We cut user certs for 90 days, and code publishing certs for 180. I know that may not be the norm, but how many companies cut any of them for more than 3 years?

Re:Why 1024? (4, Interesting)

yuhong (1378501) | about 2 years ago | (#41284415)

On Win2000, US lifted export restrictions only one month after Win2000 RTMed in Dec 1999, so MS had to ship the high encryption pack on a floppy disk inside the Win2000 package in addition to making it available for download. SP2 finally built it in.

Re:Why 1024? (0)

Anonymous Coward | about 2 years ago | (#41284073)

then the would have to be updated too

Re:Why 1024? (2)

bloodhawk (813939) | about 2 years ago | (#41284087)

because in many environments 1024 are still quite commonly used, especially in scenarios where cost of encryption for 2048 is a factor. Breaking the rare place that uses less than 1024 is probably ok, breaking the MANY that still use 1024 would have huge repercussions. while 1024 is not long enough to be considered completely secure, it is still good enough for many scenarios.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284137)

I definitely understand the "huge repercussions" part as it would affect many. Can you please describe the financial aspect of the move, as I am not seeing a big impact on the surface.

Re:Why 1024? (4, Informative)

fast turtle (1118037) | about 2 years ago | (#41284305)

smart/feature phones

There's your biggest drawback to the 1k keysize. How many of them can handle more then that? Simply put, it's the U.S. Telco's that aren't able to handle anything larger as everyone else offers phones that can handle 2k+ certs.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284353)

Now that is a pretty good reason! Thanks!

Re:Why 1024? (1)

Xacid (560407) | about 2 years ago | (#41284181)

Read up on the history of PGP. The answer to that will become clear.

Re:Why 1024? (5, Insightful)

smash (1351) | about 2 years ago | (#41284269)

Because NSA / CIA haven't cracked 2048 bit yet, silly.

Re:Why 1024? (1)

fsck1nhippies (2642761) | about 2 years ago | (#41284429)

hahahaha, best answer yet. If I had mod points, I would transfer ownership of slashdot to you!

open source (-1, Offtopic)

Hazel Bergeron (2015538) | about 2 years ago | (#41283689)

I don't really understand how anyone can care whether a closed source operating system is secure.

No matter how few people actually read through the Linux kernel code, it's sufficiently open that blatant backdoors are not going to be inserted. Why would I assume the same of Windows or (yet worse, because they have some quasi-religious thing going on) OS X?

Re:open source (1)

Anonymous Coward | about 2 years ago | (#41283697)

Threat model. If Microsoft hacks you, then you sue. The government can get anything you have anyway, so need to hack you. This is how business people think. They don't think about how any backdoor can and will be found by (or just plain out sold to) the bad guys too.

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41283759)

If Microsoft hacks you, then you sue.

a) if MS hacks you, you'd never know it b) they have lawyers that will have you run crying to your mommy.

The government can get anything you have anyway, so need to hack you.

You have way too much faith in the government's ability to gather information. Also, they have to convince a jury with whatever they have and "we're the government so we just know" will generally not cut it.

You are naive to think Windows isn't backdoored. Imagine you're MS and some 3 letter agency comes knocking with the justice department on speed dial. Do you really MS is going to say no? Do you think they did last time when they got miraculously let off?

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41283845)

(same AC)
Oh on the contrary, I'm sure Windows is backdoored. Probably multiple times by multiple agencies working for multiple governments, plus a few disgruntled employees looking to sell to the highest bidder. I'm just giving my best guess as to why PHBs don't care.

Thing is I suspect the same is true of Linux. Open source software is inherently more secure than the "trust us" closed source, but it's surprisingly easy to hide a few subtle vulns in plain sight. None has to be a complete back door, just enough to weaken this or that to let you slip in.

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41283923)

Thing is I suspect the same is true of Linux. Open source software is inherently more secure than the "trust us" closed source, but it's surprisingly easy to hide a few subtle vulns in plain sight.

I figure the main difference is that with Linux, you actually can go through it line by line even if you're a nobody whereas with Windows you can forget it. So, basically, if security is the most important thing to me I can go much further towards actually being secure than I ever can with Windows and closed source applications.

Re:open source (1)

LordLimecat (1103839) | about 2 years ago | (#41284145)

a) if MS hacks you, you'd never know it

You assume that IT folks have no way of tracking what enters and leaves their networks. Maybe that is true in smaller networks, but any larger business with any kind of budget is going to have an edge firewall, and Im gonna go out on a limb and say its not Microsoft's firewall.

b) they have lawyers that will have you run crying to your mommy.

The idea that Microsoft could somehow win that kind of case through the simple merit of its lawyers is ridiculous. Big companies have been brought to unfavorable judgements before, and if the evidence is clear enough theyd probably just settle with you on very favorable terms.

Re:open source (5, Insightful)

bloodhawk (813939) | about 2 years ago | (#41283699)

just because it is closed source doesn't mean people can't read the source. thousands of universities and government agencies and even other organisations have access to the source code for windows for development purposes, security evaluation purposes and research purposes.

Re:open source (-1, Flamebait)

Hazel Bergeron (2015538) | about 2 years ago | (#41283753)

thousands

You sure?

How many students actually evaluate the source in any detail?

How many of those universities oversee the MS build servers?

I run Windows on some machines, but I assume that anyone with unfettered network access to the machine will be able to obtain whatever's on it. Don't you?

Re:open source (1)

Anonymous Coward | about 2 years ago | (#41283779)

Do you oversee Red Hat's build servers? Did you oversee Debian's SSH build when they fucked it up?

Re:open source (2, Funny)

Anonymous Coward | about 2 years ago | (#41283811)

Did you oversee Debian's SSH build when they fucked it up?

I did. I'm sorry, but that week the NSA check came late, so I wasn't able to make the compromises less obvious.

They paid up later.

Re:open source (3, Interesting)

Anonymous Coward | about 2 years ago | (#41283859)

Do you oversee Red Hat's build servers? Did you oversee Debian's SSH build when they fucked it up?

Thanks for so clearly spelling out one of the great advantages of the Linux ecosystem. Namely, that a vulnerability in RedHat isn't necessarily a vulnerability in Debian so the damage doesn't propagate to the overall community of users. That's one of the great things about there being so much diversity and unique approaches to Linux. Again, thank you and I commend you on your evangelism of Linux. People need to know!

Re:open source (1)

mystikkman (1487801) | about 2 years ago | (#41283939)

Not true when kernel.org itself gets hacked.

http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/ [theregister.co.uk]

Re:open source (5, Interesting)

Anonymous Coward | about 2 years ago | (#41283977)

Not true when kernel.org itself gets hacked.

On the contrary. Which distros actually compiled and released a version of the kernel that was compiled from code downloaded during the window this attack was in effect? If you're running Debian then your kernel is anywhere from just now old to 2 years on the stable version. And if you're doing the right thing and using Ubuntu LTS releases instead of the beta interim stuff then it's the same deal. With Windows, there's only 2 releases to the mainstream. The server and the desktop versions. So whatever kernel MS builds, that's the one everybody uses. With Linux even with kernel.org getting hacked, you have a fighting chance but with Windows, you're done.

Re:open source (1)

LordLimecat (1103839) | about 2 years ago | (#41284179)

Youre basically trying to defend fragmentation as a good thing, because while some programs might not work across the myriad of versions, neither will the vulnerabilities.

I find this logic lacking.

Re:open source (1)

viperidaenz (2515578) | about 2 years ago | (#41284577)

I suppose you protect against SQL injection attacks by giving your tables weird names? If no one can guess it, no one can hack it! Security by obscurity all the way.

Re:open source (4, Informative)

GigaplexNZ (1233886) | about 2 years ago | (#41284031)

The website was hacked. The Linux source was not compromised.

Re:open source (3, Funny)

gagol (583737) | about 2 years ago | (#41284289)

Not true, I heard many people were able to download the source code since then ;-)

Re:open source (0)

Crypto Gnome (651401) | about 2 years ago | (#41283791)

Erm, I'm pretty sure he used the words "have access to" not "have actually audited".

Specifically meaning that in theory they could audit the code.

As opposed to Open Source where people don't just AUDIT code, they actually FIX bugs and security failures and submit the changes back to the origin.

Re:open source (1)

viperidaenz (2515578) | about 2 years ago | (#41284587)

Or submit vulnerabilities back to the origin. They even hold contests [ioccc.org] to hide the real intention of code.

Re:open source (1)

AK Marc (707885) | about 2 years ago | (#41284509)

How many students actually evaluate the source in any detail?

The same number as true open source.

Re:open source (1)

Anonymous Coward | about 2 years ago | (#41283773)

just because it is closed source doesn't mean people can't read the source. thousands of universities and government agencies and even other organisations have access to the source code for windows for development purposes, security evaluation purposes and research purposes.

Do you actually think MS would be stupid enough to leave backdoors in the code they hand out? It's not like those universities or governments have access to MS' internal version control. All MS has to do is give a cleaned up version of the source and actually ship anything they like.

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41283829)

With countless malware authors out there digging through the NT kernel with SICE and the like you'd assume that such a preexisting backdoor would've already been found and actively exploited in the wild, raw ASM dumps are just as good as source code would ever be if you know how to read them (yes, by that definition everything is open source).

Re:open source (1)

Anonymous Coward | about 2 years ago | (#41283955)

With countless malware authors out there digging through the NT kernel with SICE and the like you'd assume that such a preexisting backdoor would've already been found and actively exploited in the wild

You'd think but then that also presumes that the source code that MS releases to their partners is the same code that ends up in the shipping products. If there are backdoors it is a virtual certainty that MS isn't going to bundle that code up and then start handing it out.

raw ASM dumps are just as good as source code would ever be if you know how to read them (yes, by that definition everything is open source)

To some very talented and bored people, yes ASM dumps are the same as source code. But those people are few and far between and to lesser hackers, there is a huge chasm between that dump and actual source with comments, etc.

With Linux, I know that the source code I just downloaded and looked through can easily be compiled and installed on my machine. With Windows and their source sharing program, you will never get enough of the product to actually compile a working OS so in order to run Windows, you have to blindly trust the already compiled version. Huge difference.

Re:open source (1)

Rockoon (1252108) | about 2 years ago | (#41284115)

But those people are few and far between and to lesser hackers, there is a huge chasm between that dump and actual source with comments, etc.

If you have respect for variable/function names and comments during code review, then you are a failure at code review. There is a difference between the reading of source code to derive what its expected/claiming to do, and the reading source code to derive what it actually does.

You are right not to trust closed source, but you fail in not extending that mistrust to open source. Faith is not a valid justification for trust.

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41284475)

with the literally thousands of security researchers reverse engineering, fuzzing and generally prodding and poking around you would rapidly find them trumpeting to the world any such differences or backdoors. They already do this for every patch that comes out, detailing what is fixed and using it for attack tools.

Re:open source (2)

Zero__Kelvin (151819) | about 2 years ago | (#41284079)

"just because it is closed source doesn't mean people can't read the source. thousands of universities and government agencies and even other organisations have access to the source code for windows for development purposes, security evaluation purposes and research purposes."

They present a version of the source code. How do you know it is the version that ships with every OEM and in every COTS box?

Re:open source (2)

chentiangemalc (1710624) | about 2 years ago | (#41284083)

Closed source doesn't prevent from disassembling windows functions or testing through a kernel debugger. Open source = easier to see find backdoors, easier to find security vulnerabilities. It's also easier to take legitimate code from the OS modify it maliciously and distribute the binary. In other words being open can work for you and against you. The good guys have an edge, but it's wiped out by edge bad guys get. Closed source it's harder to find backdoors and it's also harder to find security vulnerabilities.

Re:open source (1)

ultrasawblade (2105922) | about 2 years ago | (#41284401)

The bored socially-outcase girlfriendless 13-year olds that find all the security vulnerabilities have the time, inclination, and imagination to find all the vulnerabilities whether the code is open or not.

A well maintained open source project tends to fix them quicker than every patch Tuesday, though.

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41284267)

does anyone on Slashdot even realise how stupid they look wearing their tin-foil hats?

Open source suffers from quasi-religious stuff too (4, Informative)

perpenso (1613749) | about 2 years ago | (#41283823)

No matter how few people actually read through the Linux kernel code, it's sufficiently open that blatant backdoors are not going to be inserted.

Open source suffers from quasi-religious stuff too, as you just demonstrated with your claim. Ken Thompson, of Bell Labs and Unix and C fame - the "K" in K&R, demonstrates the insufficiency of being able to read the source code.
http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

Re:Open source suffers from quasi-religious stuff (0)

Anonymous Coward | about 2 years ago | (#41283877)

The reason Thompson's backdoor is famous is because it was far from blatant.

Re:Open source suffers from quasi-religious stuff (0)

Anonymous Coward | about 2 years ago | (#41283993)

But isn't that the point? Just imagine what you can hide in something as large as the Linux kernel or most modern programs.

The real K&R (3, Informative)

notdotcom.com (1021409) | about 2 years ago | (#41284331)

The "K" of K&R is wrong.

"K" is Brian Kernighan. You know, the Brian Kernighan of "The C Programming Language" fame. He wrote a book or two. He's quite famous. Maybe you've heard of him.

Look it up.

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41283933)

Speaking of quasi-religious nuts. FOSS is just as much a devotional as anything I've seen from Apple.

Re:open source (4, Informative)

man_of_mr_e (217855) | about 2 years ago | (#41283941)

Nice weasel word there. Blatant. What makes you think that if there are backdoors in Windows they're blatent?

Think back to the AARD code, they went way out of their way to obfuscate it. Microsoft would not be so stupid as to put a well commented backdoor in there.

Of course, I'm sure someone will bring up the NSAKEY incident, which various security researches (such as Bruce Schneier) have dismissed as merely allowing the NSA to install their own key to be install for their internal systems without having to have MS sign it.

You do know that backdoors have been inserted into Linux distro's in the past, and some of them took a great deal of time to be discovered. Then of course, one never really knows if a security vulnerability is intentional or not (on any platform).

There have also been some near calls as well in the kernel itself. For instance, who remembers this doozy?

http://www.securityfocus.com/news/7388 [securityfocus.com]

Yes, it was caught, but not because of "many eyes". It was because the attacker chose to try to modify the version control file directly. Had it gone in by some other means, it may not have been caught at all.

Re:open source (1)

Anonymous Coward | about 2 years ago | (#41284021)

You do know that backdoors have been inserted into Linux distro's in the past, and some of them took a great deal of time to be discovered. Then of course, one never really knows if a security vulnerability is intentional or not (on any platform).

The difference is if you are that serious about security then with Linux you at least have the option of inspecting the code. With Windows you don't.

There have also been some near calls as well in the kernel itself. For instance, who remembers this doozy?

http://www.securityfocus.com/news/7388 [securityfocus.com]

Yes, it was caught, but not because of "many eyes". It was because the attacker chose to try to modify the version control file directly. Had it gone in by some other means, it may not have been caught at all.

So some hacker tries and fails to slip a backdoor into the kernel and you think this shows Linux as insecure? It shows the opposite. He got caught! But, in your case, talk about trying to "weasel". Pot, meet kettle.

Re:open source (1)

man_of_mr_e (217855) | about 2 years ago | (#41284133)

Your argument is that because the burglar slipped on the icy sidewalk and broke his neck, it proves your security system works as expected.

Re:open source (0)

Anonymous Coward | about 2 years ago | (#41284681)

if your security system involves ice machines, then yes.

Re:open source (1)

ultrasawblade (2105922) | about 2 years ago | (#41284419)

Seriously, Pascal had it right with := being the assignment operator and = being the equality operator. Hard to confuse those two IMHO.

Re:open source (-1)

Anonymous Coward | about 2 years ago | (#41283973)

Could your cock sucking zealotry be any worse? Pathetic.

Blant troll post (0)

Anonymous Coward | about 2 years ago | (#41283987)

Really? Wow. Way to go and show your intellect.

closed minds (1)

fm6 (162816) | about 2 years ago | (#41284077)

Open source is great mechanism for finding security holes, but it's hardly the only mechanism. OK, Windows is probably not as secure as Linux, but it's not totally insecure either.

Hey, I live in an apartment that doesn't have the best security, but enough for the neighborhood in which I live. By your logic, I should either beef up security to the max (iron bars on the windows, install a CCTV, maybe get a pit bull) or just forget all about it and leave never lock the front door or window by the fire escape. Makes no sense

Re:open source (4, Insightful)

LordLimecat (1103839) | about 2 years ago | (#41284131)

I don't really understand how anyone can care whether a closed source operating system is secure.

This is so much garbage.

Opensource systems have their share of holes, and the idea that there is a gigantic pool of people qualified to catch backdoors in something as relatively simple as a web browser-- let alone an OS-- is absurd. Just because you can look at the source doesnt mean you can do a remotely competent job of auditing it; and the idea that a single person could somehow audit hundreds of thousands of lines of code for security "on a whim" is even more absurd.

There are a lot of benefits to open source, but sometimes its advocates really stretch the imaginations with some of the claims and accusations they level against proprietary software.

it's sufficiently open that blatant backdoors are not going to be inserted.

So I suppose the whole potential IPSEC backdoor in freeBSD [marc.info] thing was just my imagination, then?

Youre talking nonsense. Consider that OpenSSL is widely considered a horrendously complex pile of spaghetti code, which I believe has had its share of security issues, and yet we still use it. Is it because we're lazy? No, its because sometimes some of this security stuff is phenomenally complicated, and it would take a horrendous number of man-hours from incredibly talented people to refactor or replace it.

One of the benefits of paid software is that, if theyre competent, they can devote a lot of time to it because they are paid. Im gonna go out on a limb here and say that one of the biggest helpers to good code in a lot of OSS projects are the paid volunteers, not the mere fact that its "open" as if that dash of pixie dust makes a project magically better.

Re:open source (1)

gagol (583737) | about 2 years ago | (#41284343)

That is why you should use OpenBSD, as it has been and is continously audited for security, and it uses proactive crypto deployment everywhere it fits. That is why development is slower... Need bleeding edge or stable security? pick ONE.

Re:open source (0)

smash (1351) | about 2 years ago | (#41284291)

There are plenty of people who download kernel code from mirror sites without checking the hash matches. The kernel code for OS X is open too. It's called darwin.

Only 10 years behind the times (1)

Anonymous Coward | about 2 years ago | (#41283705)

Way to go Microsoft! As everyone moves to 2048 bit keys, let me be the first to welcome you to 2002.

Re:Only 10 years behind the times (2)

viperidaenz (2515578) | about 2 years ago | (#41284603)

But nobody else has completely blocked 1024bit keys.

It could be worse (1)

kiriath (2670145) | about 2 years ago | (#41283709)

We could've gotten notification a week or two after the update.

This is gonna be a pain in the butt though =\

On the bright side things will be more secure!

Re:It could be worse (0)

Anonymous Coward | about 2 years ago | (#41283793)

We could've gotten notification a week or two after the update.

This is gonna be a pain in the butt though =\

On the bright side things will be more secure!

Uh, the term "more secure" is critically relevant to the OS/browser we're speaking of...careful.

Re:It could be worse (1)

betterunixthanunix (980855) | about 2 years ago | (#41284669)

In what way is this going to be a pain in the butt? Are there really that many people out there using less than 1024 bit in this day and age?

You would think that after the successful factoring of a 768 bit RSA modulus, whoever was still using less than 1024 bit would have fixed that. Frankly, 1024 bit should be considered too short for any new applications going forward, but that is still built in to quite a lot of packages.

As usual MS still fucks it up (-1)

Anonymous Coward | about 2 years ago | (#41283797)

The rest of the industry is already moving to 2048 bit. Is it really so hard for MS to get their heads out of the sand and actually look at what's going on outside of Redmond for a change? It's ridiculous. Like the tail wagging the dog. Practically every single computing niche outside of the desktop is dominated by some form of Unix or Unix-like OS. From supercomputers, to cellphones and everything in between. When is MS going to stop being a drag on this industry? Damn, as much as Apple sucks, I think the world will be better off if everybody just stops using desktops and goes to iPads. A lot more secure too!

Re:As usual MS still fucks it up (1)

viperidaenz (2515578) | about 2 years ago | (#41284615)

Test rest of the industry still support keys smaller than 1024 bits. Microsoft won't.

Oh phuque them! (0)

kurt555gs (309278) | about 2 years ago | (#41283801)

Just switch to Linux. Do you really need them telling you what you have to do?

Re:Oh phuque them! (1)

Anonymous Coward | about 2 years ago | (#41283889)

Been a proud Linux user for 5 years now and have yet to get one infection of any kind. Before I switched over, the last straw was some kind of malware that would change all the links in search results to some advertiser page. I couldn't search for anything. I downloaded malware bytes on another computer and tried it to no avail. I visited forums and tried out at least 10 different sets of instructions and still my machine was broken. Then I remembered that cd I downloaded a few months before yet never tried out, Ubonto? No, Ubuntu! Yeah, that's what it's called. Installed it, it partitioned the drive in half between Windows and itself and I was off to the races. Worked so well that I ended up copying all of my documents over one by one until finally I realized that my Windows partition hadn't been used in over a month. Downloaded the GParted live CD and bye bye Windows. Best decision I ever made on my computer.

Re:Oh phuque them! (1)

smash (1351) | about 2 years ago | (#41284405)

I've run Windows on the desktop (along with Linux and OS X) and have yet to get an infection on any OS since 2001. What's your point?

Muppet administrator = risk, regardless of OS.

Re:Oh phuque them! (0, Informative)

Anonymous Coward | about 2 years ago | (#41283929)

Just switch to Linux. Do you really need them telling you what you have to do?

You say that like it is simple. It isn't. There are people who expect their machines to work. They expect wireless, sleep, hibernate, 4G dongles, etc. to work in order to do business. They expect dock / undock with multiple large monitors to work. They have applications - thousands of them that they would have to re-write. If you think about it for all of 5 seconds you'd see that Linux either doesn't work well in many of these scenarios (it does on some machines, not so well on others) and the costs to switch would be enormous. Just switch. Jeez. How about you just switch your body's metabolism to run on tree bark? That would work just as well.

Re:Oh phuque them! (0)

Anonymous Coward | about 2 years ago | (#41283997)

You say that like it is simple.

He never said it was simple just suggested it as an option.

There are people who expect their machines to work. They expect wireless, sleep, hibernate, 4G dongles, etc. to work in order to do business. They expect dock / undock with multiple large monitors to work.

Just like you wouldn't buy a computer with hardware that didn't work well with Windows, you shouldn't expect hardware not designed with Linux in mind to work well either. I have a Linux laptop I bought from http://system76.com/ [system76.com] and it does all of the things you mention perfectly. There is also the OSX option. I hear Macbooks do the stuff above pretty well.

Re:Oh phuque them! (1)

viperidaenz (2515578) | about 2 years ago | (#41284639)

I don't recall seeing a MacBook dock anywhere that isn't simply a usb hub and displayport connector.

Theoretical Access to MS Source Code (0)

Crypto Gnome (651401) | about 2 years ago | (#41283819)

That many institutions have access to MS Source Code is kinda like instituting a needle-inna-haystack search.

Yes you might find a needle, but unless you're a needle-collector or perhaps a seamstress what in this universe d'you think you're gonna do with it?

At least with Open Source you can
(1) fix the problem with the code
(2) submit the code back to The Author
(3) expect that The Author will either accept the fix as is or perhaps integrate the solution with more elegance

Sure not *always* but the expectation would be more-often-than-not your fix (in one form or another) reaches the wider community of users.

Re:Theoretical Access to MS Source Code (2)

Electricity Likes Me (1098643) | about 2 years ago | (#41283895)

That many institutions have access to MS Source Code is kinda like instituting a needle-inna-haystack search.

Yes you might find a needle, but unless you're a needle-collector or perhaps a seamstress what in this universe d'you think you're gonna do with it?

At least with Open Source you can
(1) fix the problem with the code
(2) submit the code back to The Author
(3) expect that The Author will either accept the fix as is or perhaps integrate the solution with more elegance

Sure not *always* but the expectation would be more-often-than-not your fix (in one form or another) reaches the wider community of users.

You also fork the code and encourage people to download the fixed version, or to use your patch against the official sources until the upstream realizes the significance.

Digging through a small patch to ensure it's not overtly malicious is actually pretty easy.

Re:Theoretical Access to MS Source Code (1)

viperidaenz (2515578) | about 2 years ago | (#41284653)

With closed source you can leverage the SLA's between yourself and the vendor to make them do the hard work of fixing and testing the defects.

IE is dying... and this isn't helping (1)

Anonymous Coward | about 2 years ago | (#41283885)

Sounds like a great way to get people off IE, or fill up customer service inboxes for weeks. Madness!

This is a direct response to a real attack (0)

Anonymous Coward | about 2 years ago | (#41284001)

There are multiple Microsoft keys with a size under 1024-bit out there in the wild, and certificate chains involving them they were used in state-sponsored attacks. It is therefore quite correct, and very necessary, of them to reject RSA keys with a crackable length. Keys up to 768 bits have been cracked publically.

What I'm mystified about is that 1024-bit RSA keys are still allowed as a baseline - honestly, those should all be phased out already and I haven't considered them safe enough for over half a decade now. While no-one has publically factored the RSA-1024 test vector, estimates in 2007 showed that it would indeed be possible, and tests proved positive - 5 years on, I expect it to be quite feasible to factor a 1024-bit RSA key now, particularly if you implemented parallel parts of the sieve in GPU shaders and used something like... oh, I don't know... the NSA's new Tesla-based supercomputer. And they're far from the only ones: Iran has either factored or swiped at least one 1024-bit key (honestly, either is plausible at this point).

This is why 2048-bit keys going onwards are all that's allowed by CAs (and were mandated from the beginning of the EV standard). In practice this has never been a problem - they'll work on any version of Windows which supports RSA at all. I remember using 4096-bit keys with Windows 95, and indeed I recall experimental builds of PGP happily using 16384-bit RSA keys (although they were, of course, slow as molasses).

Long-term you should probably think about moving to prime256v1 (secp256r1). That's got more juice than 3072-bit RSA, but it's vastly faster and much smaller. Alternatively, curve25519/ed25519, which are extraordinarily optimised binary curve algorithms with nice features such as being secure through the twist, and not needing a random source to create signatures.

Can we use zero-padding? (0)

Anonymous Coward | about 2 years ago | (#41284015)

No one can factor my 1024-bit cert: 0x0000.....000F.

Who uses Internet Explorer? (1)

theRunicBard (2662581) | about 2 years ago | (#41284205)

Wake up and smell the Firefox/Safari/Chrome grandma!
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?