

News and editorials

Good news for cryptographic freedom: source code and First Amendment linked. On April 4th, 2000, the United States Court of Appeals for the Sixth Circuit published their decision regarding Peter Junger's challenge to the Export Administration Regulations, which prevented him from posting information on the Internet that contained cryptographic example code. Most critical in the ruling: "Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment."

Reading the full decision is actually recommended. It is not particularly long, as legal documents go, and is quite well-written. Some phrases seem like basic common sense to most of us: "Particularly, a musical score cannot be read by the majority of the public but can be used as a means of communication among musicians. Likewise, computer source code, though unintelligible to many, is the preferred method of communication among computer programmers."

This is not the end of cryptographic regulations, nor even the end of this case. However, such a ruling, particularly from a Federal court, is good news for free/open source software in general. It backs up and broadens the May 1999 decision of the U.S. Court of Appeals for the Ninth Circuit in the Daniel Bernstein case. "In light of these considerations, we conclude that encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive for First Amendment purposes, and thus is entitled to the protections of the prior restraint doctrine."

So what does all this mean? This is the second federal court decision to agree that source code is a form of communication and expression protected by the First Amendment. Neither decision has the final weight of a Supreme Court decision, but they are good signs in this ongoing struggle to determine how the United States' particular expression of democracy and the world of computer programmers and developers are going to co-exist. Speculation on the impact of this decision on other court cases has begun.

For example, this CNet article commented, "some theorized that today's decision could test the balance between free speech and copyright protections in litigation between the movie industry and Web operators accused of circulating a program that lets people crack the security on DVDs." We can only hope that it will.

Open source fans break strong encryption (ZDnet UK). Will Knight reports on the success of an effort to break a 108-bit public encryption key. "Scientists at the French National Institute for Research in Computer Science (INRIA) created software for the Linux and Windows operating systems capable of using idle PC processing power to contribute via the Internet to the massive number crunching effort needed to crack the encryption." (From SecurityFocus.com.)

A Christmas for the Kiddies (Linuxcare). Linuxcare has put up this column on how to secure your system from "script kiddie" attacks. "Part of any good twelve-step program is to acknowledge that one has a problem. From that day forward, I promised myself that I will never again presume anything about the security of my systems."

Security Reports

fcheck file integrity checker vulnerability. A vulnerability has been reported in the fcheck file integrity checker which can allow a malicious user to execute arbitrary programs by creating files whose names contain shell metacharacters, which fcheck passes unescaped to a shell. This is a programming error, and a patch for the problem is included.
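The fcheck bug is the classic mistake of splicing a filename into a shell command string. As an added illustration (not fcheck's code, and not the patch referred to above), here is a minimal integrity checker that hashes files in-process, walks the tree with os.walk instead of a shell pipeline, and additionally reports names a shell would mis-parse; the scenario in demo() is constructed.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Characters a POSIX shell interprets. A checker that builds "cmd " + name and
# runs it through the shell turns such a name into code; here the name stays data.
SHELL_META = re.compile(r'[;&|`$<>(){}\[\]*?!\\"\'\s]')

def suspicious_name(name: str) -> bool:
    """True when the filename carries shell metacharacters worth reporting."""
    return SHELL_META.search(name) is not None

def hash_file(path: str) -> str:
    """Digest the file with hashlib, so no shell ever sees the name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map each regular file under root (relative path) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                result[os.path.relpath(path, root)] = hash_file(path)
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed files, and names a shell would mis-parse."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
        "flagged": sorted(p for p in set(baseline) | set(current) if suspicious_name(p)),
    }

def demo() -> dict:
    """Constructed scenario: baseline, then one edit and one oddly named new file."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "plain.txt").write_bytes(b"hello")
        baseline = snapshot(root)
        Path(root, "plain.txt").write_bytes(b"hello!")
        Path(root, "a;b").write_bytes(b"")  # name carrying a metacharacter
        return compare(baseline, snapshot(root))
```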

Cobalt .htaccess exposure. Cobalt has issued an advisory about the exposure of .htaccess files on Cobalt RAQ2 and RAQ3 servers. They have provided updates for the problem. For more information on it, check Paul Schreiber's note to BugTraq. The problem can also be fixed via a slight change to the Apache configuration files (but modifying them yourself might void your warranty, Paul comments).

kcreatecd local root compromise. SuSE reported a vulnerability in kcreatecd that could lead to a local root compromise. They have issued updated packages for the problem. Alternatively, the suid bit can be removed from the kcreatecd binary ("chmod u-s /opt/kde/bin/kreatecd"). Other distributions and operating systems using kcreatecd are presumably also impacted.


ircii buffer overflow. On March 10th, a remotely exploitable buffer overflow was reported in ircii, an irc client, affecting all versions prior to 4.4M. Check BugTraq ID 1046 for more details.

This week's updates:

gpm-root improper permissions handling. This problem was covered in last week's Security Summary; some distribution updates for the gpm package are now available.

This week's updates:


Zombie Zapper updated. Zombie Zapper, a free, open source tool that can be used to defend against distributed-denial-of-service (DDOS) attacks from Trinoo, TFN, and Stacheldraht, has been updated to defend against Shaft attacks as well.

Section Editor: Liz Coolbaugh

April 6, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved