
Red Hat's security issue


Last month, Red Hat issued a security bulletin. Not all that went on is clear, but it seems that the servers used to develop and distribute Fedora and Red Hat were accessed by a person with criminal intent. The perpetrator created trap-door versions of the SSH (remote login program) packages that would compromise the security of Red Hat's customers, and signed them with Fedora's cryptographic key. These packages were made available via the Fedora archive and they may (I've no proof) have reached some number of Fedora customers. Obviously they were intended to be widely distributed and to compromise the security of all Red Hat and Fedora systems. Red Hat issued a script that users can run to detect the compromised packages.
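Added example (not Red Hat's published detection script): because the trojaned packages were signed with the genuine Fedora key, signature verification alone passes them, so a detector has to compare installed package hashes against a vendor-published list of known-bad packages, and only separately flag packages signed by an unexpected key. The key ID, the package bytes, the hash list and the `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'` output lines below are all constructed placeholders.

```python
"""Flag installed RPMs that hash to a known-bad list, or carry an unexpected
signing key. All values are constructed; a real blocklist comes from the vendor."""
import hashlib
import re

TRUSTED_KEY_ID = "0123456789abcdef"  # placeholder, not Fedora's real key ID

# Constructed stand-ins for the bytes of three installed .rpm files.
PKG_BYTES = {
    "openssh-server-good": b"constructed: clean openssh-server build",
    "openssh-server-bad": b"constructed: trojaned openssh-server build",
    "openssh-clients": b"constructed: openssh-clients build",
}

# Constructed lines in the shape of `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'`.
RPM_OUTPUT = """\
openssh-server-good DSA/SHA1, Mon 01 Sep 2008 12:00:00 AM UTC, Key ID 0123456789abcdef
openssh-server-bad DSA/SHA1, Mon 01 Sep 2008 12:00:00 AM UTC, Key ID 0123456789abcdef
openssh-clients DSA/SHA1, Mon 01 Sep 2008 12:00:00 AM UTC, Key ID fedcba9876543210
"""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Built from the constructed "bad" bytes so the example runs offline.
KNOWN_BAD_SHA256 = {sha256_hex(PKG_BYTES["openssh-server-bad"])}

_KEY_ID = re.compile(r"Key ID ([0-9a-fA-F]+)")

def parse_rpm_line(line: str):
    """Split '<name> <pgpsig text>' into (name, key id or None if unsigned)."""
    name, _, sig = line.partition(" ")
    m = _KEY_ID.search(sig)
    return name, (m.group(1).lower() if m else None)

def classify(key_id, data, trusted_key=TRUSTED_KEY_ID, known_bad=KNOWN_BAD_SHA256):
    if sha256_hex(data) in known_bad:
        return "KNOWN_BAD"      # genuine signature, tampered artifact
    if key_id != trusted_key:
        return "UNTRUSTED_KEY"  # unsigned, or signed by a key we do not expect
    return "OK"

def audit(rpm_output=RPM_OUTPUT, pkg_bytes=PKG_BYTES):
    """Map each package name from the rpm listing to its verdict."""
    results = {}
    for line in rpm_output.splitlines():
        if line.strip():
            name, key_id = parse_rpm_line(line)
            results[name] = classify(key_id, pkg_bytes[name])
    return results

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:14} {name}")
```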

But there are continuing problems with Red Hat's handling of the situation.

Best practice of computer security professionals is to fully disclose what went wrong and how you're preventing it from happening again. This tells customer security officers what they need to audit the security practices of their vendor, and to secure their own facilities. The worst practice, for which Microsoft is the prototype, is to stay mum and not admit any problems.

Red Hat's being mum. Fedora's being forced to be mum, because their own board has not been given full details and of course they are mostly controlled by Red Hat.

Also:

Security breaches bring out the proprietary attitude in all of us. When security is breached we instinctively hide the details, and build a metaphorical police line around it, telling onlookers to move along.

The security attitude runs counter to the open source attitude. Open source demands that bugs be seen and lessons shared. The security attitude fears this release of information because the evil doers might get it.

With that in mind let’s move to the umbrage of Bruce Byfield during what Slashdot termed last month’s Fedora-Red Hat crisis.

Fedora and our security attitude
