
Security


News

By now most readers will have seen some coverage of the decision by the Ninth Circuit Court of Appeals in the Bernstein case that the U.S. Government's crypto export regulations violate the First Amendment. Source code is speech, and the government cannot regulate its publication the way the export rules attempt to. The decision is currently binding only in the western states that make up the Ninth Circuit, and will probably be put on hold until the Supreme Court has had its say. But it is an important step in the right direction. We may soon be able to get Linux distributions with proper cryptographic support "out of the box," rather than having to piece things together by hand.

Interested folks may want to look at the text of the decision in full. There is some good stuff in there:

"Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption's bounty. Viewed from this perspective, the government's efforts to retard progress in cryptography may implicate the Fourth Amendment..."

"...it is important to point out that Bernstein's is a suit not merely concerning a small group of scientists laboring in an esoteric field, but also touches on the public interest broadly defined."

It is interesting that the court sees potential Fourth Amendment (search and seizure) problems with the crypto regulations as well: holding back cryptography affects not only the people who write it, but everyone who would otherwise use it to protect their own communications. This is a crucially important decision, taken by what appears to be a relatively high-clue court.

See also: this News.com story on the decision.

Security Reports

Caldera OpenLinux 2.2's installation leaves a privileged account behind with no password. This account, obviously, could be used for no end of obnoxious purposes. See this posting for the gory details. If you have systems running OL 2.2 that were installed with LISA (Lizard does not have the problem), you should run, not walk, to the system, look for this account (an entry with an empty password field in /etc/passwd or /etc/shadow), and lock or remove it forthwith.
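As an added example (not code from this page or from Caldera), the following POSIX shell script performs the check described above: it lists accounts whose shadow password field is empty, lists accounts with UID 0 other than root, and shows how to lock an offending account by prefixing its password field with "!" (what passwd -l does). The account name left behind by the LISA installer is not given here, so the script looks for the symptom rather than for a name. The sample passwd and shadow files, including the account "helper" in them, are constructed for the example; on a real host, run the same functions as root against /etc/passwd and /etc/shadow.

```sh
#!/bin/sh
# Added example, not code from the LWN page or from Caldera.
# Audits passwd/shadow files for accounts that would let anyone walk in:
#   - an empty password field in the shadow file (no password at all)
#   - a UID 0 account other than root (a second root account)
# and shows how to lock such an account.  The name of the account the
# OL 2.2 LISA installer leaves behind is not known here, so the checks
# look for the symptom rather than for a particular name.
set -u

# Print the names of accounts whose shadow password field (field 2) is
# empty.  A hash means a password is set; "*" or "!" mean the account is
# locked; an empty field means login with no password at all.
empty_password_accounts() {          # usage: empty_password_accounts SHADOWFILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the names of accounts with UID 0 (field 3 of passwd) other than
# root.  Any such account is root by another name.
extra_uid0_accounts() {              # usage: extra_uid0_accounts PASSWDFILE
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Write a copy of SHADOWFILE to OUTFILE with NAME's password field
# prefixed by "!", which is what "passwd -l NAME" does: the field no
# longer matches any password, so the account cannot log in.
lock_account() {                     # usage: lock_account SHADOWFILE NAME OUTFILE
    awk -F: -v OFS=: -v user="$2" \
        '$1 == user && $2 !~ /^!/ { $2 = "!" $2 } { print }' "$1" > "$3"
}

# Constructed sample passwd and shadow files (including the invented
# account "helper") standing in for /etc/passwd and /etc/shadow.  To
# audit a real host, run the functions above as root on the real files.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
alice:x:500:100:Alice:/home/alice:/bin/bash
helper:x:0:0:install helper:/root:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:10725:0:99999:7:::
bin:*:10725:0:99999:7:::
alice:$1$hgfedcba$lkjihgfedcba9876543210:10725:0:99999:7:::
helper::10725:0:99999:7:::
EOF

echo "Accounts with an empty password field:"
empty_password_accounts "$SAMPLE_SHADOW"
echo "UID 0 accounts other than root:"
extra_uid0_accounts "$SAMPLE_PASSWD"

# Lock the offending account in a copy of the shadow file and re-check.
lock_account "$SAMPLE_SHADOW" helper "$SAMPLE_DIR/shadow.locked"
echo "Empty-password accounts after locking (should print nothing):"
empty_password_accounts "$SAMPLE_DIR/shadow.locked"
```

Locking is shown on a copy so the sample can be inspected; on a live system the equivalent is passwd -l for the account, followed by a decision about whether it should exist at all. Note that an account with a UID of 0 is root regardless of its name, so the second check matters even when the password field is set.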

A couple of problems with INN have been turned up. Known exploits do not yet exist, but may not be too far away. Users of INN may want to read the advisory and keep an eye out until a fix is available.

Updates

The Oracle vulnerabilities mentioned in last week's newsletter have been confirmed; here is an advisory that was issued on the subject. Anybody who is running Oracle on a Unix server should have a look and react accordingly. A patch is included.

About Shamir's TWINKLE device, the optical sieving engine for speeding up factoring that was reported on last week: many of you wrote in to contest the statement (since removed) that RSA's days were numbered. A bit of confusion let that slip in and remain there; clearly RSA will be good for quite some time yet. TWINKLE speeds up the sieving step of the factoring algorithms used against RSA moduli, which makes short keys cheaper to break but does not bring sufficiently long ones within reach; the answer, as before, is to use long enough keys.

Meanwhile, interested folks may want to check out Bruce Schneier's analysis of TWINKLE and what it really means. It's a good, clear summary of the situation, worth a look.

Section Editor: Liz Coolbaugh


May 13, 1999

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds