Red Hat's security issue

Filed under: Linux, Security

Last month, Red Hat issued a security bulletin. Not all that went on is clear, but it seems that the servers used to develop and distribute Fedora and Red Hat were accessed by a person with criminal intent. The perpetrator created trap-door versions of the SSH (remote login program) packages that would compromise the security of Red Hat's customers, and signed them with Fedora's cryptographic key. These packages were made available via the Fedora archive and they may (I've no proof) have reached some number of Fedora customers. Obviously they were intended to be widely distributed and to compromise the security of all Red Hat and Fedora systems. Red Hat issued a script that users can run to detect the compromised packages.

But there are continuing problems with Red Hat's handling of the situation.

Best practice of computer security professionals is to fully disclose what went wrong and how you're preventing it from happening again. This tells customer security officers what they need to audit the security practices of their vendor, and to secure their own facilities. The worst practice, for which Microsoft is the prototype, is to stay mum and not admit any problems.

Red Hat's being mum. Fedora's being forced to be mum, because their own board has not been given full details and of course they are mostly controlled by Red Hat.

Also:

Security breaches bring out the proprietary attitude in all of us. When security is breached we instinctively hide the details, and build a metaphorical police line around it, telling onlookers to move along.

The security attitude runs counter to the open source attitude. Open source demands that bugs be seen and lessons shared. The security attitude fears this release of information because the evildoers might get it.

With that in mind let’s move to the umbrage of Bruce Byfield during what Slashdot termed last month’s Fedora-Red Hat crisis.

Fedora and our security attitude
