Security

News

By now most readers will have seen some coverage of the decision in the Ninth Circuit Court of Appeals that the U.S. Government's crypto export regulations violate the First Amendment. Source code is speech, and the government cannot regulate it. This decision is currently binding only in the western states covered by the Ninth Circuit, and will probably be put on hold until the Supreme Court has had its say. But it is an important step in the right direction. We may soon be able to get Linux distributions with proper cryptographic support "out of the box," rather than having to piece things together by hand.

Interested folks may want to look at the text of the decision in full. There is some good stuff in there:

"Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption's bounty. Viewed from this perspective, the government's efforts to retard progress in cryptography may implicate the Fourth Amendment..."

It is interesting that the court sees potential Fourth Amendment (search and seizure) problems with the crypto regulations as well. This is a crucially important decision, handed down by what appears to be a relatively high-clue court. See also: this News.com story on the decision.

Security Reports

Caldera OpenLinux 2.2's installation leaves a privileged account behind with no password. This account, obviously, could be put to no end of obnoxious purposes. See this posting for the gory details. If you have systems running OL 2.2 that were installed with LISA (Lizard does not have the problem), you should run, not walk, to the system, look for this account, and disable it forthwith.

A couple of problems with INN have been turned up. Known exploits do not yet exist, but may not be too far away. Users of INN may want to read the advisory and keep an eye out until a fix is available.
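The check the Caldera item above calls for, written out as an added example; this is not from the LWN page, the posting it links to, or Caldera's own tooling. It audits a passwd/shadow pair for the two things a leftover install account would show: an empty password field (login with no password) and UID 0 under a name other than root. The account name "lisasetup" and every sample line are constructed for the demonstration and are not the real account from the report; the locking helper writes a copy of the shadow file with "!" in the password field, which is what passwd -l does in place.

```shell
#!/bin/sh
# Added example (not from LWN or Caldera): audit a passwd/shadow pair for
# accounts that need no password or that carry UID 0 under a non-root name.
# The account name "lisasetup" and all sample data below are constructed.

# Print one line per suspicious account: "<name>: <reason> [<reason>]"
# Arguments: $1 = passwd-format file, $2 = shadow-format file.
find_suspicious_accounts() {
    awk -F: '
        FILENAME == ARGV[1] {
            # First file is shadow. An empty second field means no password
            # is required at login; "*" or "!" would mean the account is locked.
            if ($2 == "") nopass[$1] = 1
            next
        }
        {
            # Second file is passwd. Flag empty password (either file) and
            # any UID-0 account that is not root itself.
            reasons = ""
            if (($1 in nopass) || $2 == "") reasons = reasons " empty-password"
            if ($3 == 0 && $1 != "root")    reasons = reasons " uid-0"
            if (reasons != "") printf "%s:%s\n", $1, reasons
        }
    ' "$2" "$1"
}

# Emit a copy of shadow file $2 with account $1 locked by prefixing "!" to
# its password field, the same edit "passwd -l $1" makes in /etc/shadow.
lock_account_in_shadow() {
    awk -F: -v OFS=: -v user="$1" '
        $1 == user { $2 = "!" $2 }
        { print }
    ' "$2"
}

# Constructed sample data (not taken from any real system). $1 = passwd
# path to write, $2 = shadow path to write.
write_sample_files() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
lisasetup:x:0:0:made-up install account:/root:/bin/bash
alice:x:500:100:Alice:/home/alice:/bin/bash
EOF
    cat > "$2" <<'EOF'
root:$1$c0nstruct$notarealhash:10710:0:99999:7:::
daemon:*:10710:0:99999:7:::
lisasetup::10710:0:99999:7:::
alice:$1$c0nstruct$notarealhash2:10710:0:99999:7:::
EOF
}

main() {
    tmp=$(mktemp -d)
    write_sample_files "$tmp/passwd" "$tmp/shadow"
    echo "Suspicious accounts before locking:"
    find_suspicious_accounts "$tmp/passwd" "$tmp/shadow"
    lock_account_in_shadow lisasetup "$tmp/shadow" > "$tmp/shadow.locked"
    echo "Suspicious accounts after locking:"
    find_suspicious_accounts "$tmp/passwd" "$tmp/shadow.locked"
    rm -rf "$tmp"
}

main
```

On a live system run the check as root against /etc/passwd and /etc/shadow. Note that locking the password does not clear the UID-0 finding; the account still appears in the second report, which is the point: an install-time account with UID 0 should be removed, not merely locked, once you have confirmed nothing else depends on it.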
Updates

The Oracle vulnerabilities mentioned in last week's newsletter have been confirmed; here is an advisory that was issued on the subject. Anybody who is running Oracle on a Unix server should have a look and react accordingly. A patch is included.

About Shamir's TWINKLE engine, a device for speeding up the sieving step of factoring, which was reported on last week: many of you wrote in to contest the statement (since removed) that RSA's days were numbered. A bit of confusion let that slip in and remain there; clearly RSA will be good for quite some time yet. It is just a matter of using sufficiently long keys. Meanwhile, interested folks may want to check out Bruce Schneier's analysis of TWINKLE and what it really means. It is a good, clear summary of the situation, worth a look.

Section Editor: Liz Coolbaugh
May 13, 1999