Security

News and editorials

Upcoming cryptography regulation updates. A draft of yet another set of export regulations for cryptography drew quite a bit of attention this week. The December issue of Bruce Schneier's Crypto-Gram, always a good source for current concerns involving cryptography, reviewed the draft and provided some comments and criticism. Draft II was then published on December 17th. It includes these paragraphs on software not to be subject to the export regulations:

(1) Encryption source code controlled under 5D002 which would be considered publicly available under Section 734.3(b)(3) and which is not subject to an express agreement for the payment of a licensing fee or royalty for further commercial production or sale of any product developed with the source code is released from EI controls and may be exported or re-exported without review under License Exception TSU, provided you have submitted written notification to BXA of the Internet address (e.g. URL) or a copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see Section 740.17(g)(5) for mailing addresses).

(2) You may not knowingly export or re-export source code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.

(3) Posting of the source code on the Internet (e.g., FTP or World Wide Web site) where the source code may be downloaded by anyone would not establish "knowledge" as described in subparagraph (2) of this section. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to Part 732.
John Gilmore, of the Center for Democracy and Technology, posted a note to a couple of mailing lists encouraging developers of free software cryptography projects to review the regulations and consider how they would impact their work. Comments should be sent to Jim Lewis at the Bureau of Export Administration. Overall, the paragraphs above appear to be a good step in the right direction and are somewhat reminiscent of similar paragraphs in the SAFE bill (PDF format), which is still floating around the House and Senate.
The Philosophy of Security: Windows and Linux (Unix) compared. Bruce Schneier's Crypto-Gram, mentioned above, includes a pointer to this ZDTV article by Simson L. Garfinkel, which compares and contrasts the security philosophies behind Windows and Linux. Actually, only the title says "Linux" while the story itself talks of the "Unix" philosophy. His approach is fairly balanced, pointing out advantages and disadvantages of both, but with a clear distaste for claims that Windows is "secure". "A Windows NT computer could have a security hole that allows anyone on the Internet to shut it down, but if nobody knows about the problem, then Microsoft would say the system is fundamentally secure." (Thanks to Jeremy Allison.)

Emphasizing the seriousness of the ssh/RSAREF problem, segfault.org has a note up about the impact on their site from a break-in traced back to the ssh exploit. If you are using ssh 1.2.X and haven't yet moved to the international version, please take the time to do so as soon as possible.

Security Reports

Linuxconf exploit found, but not confirmed to work. Elias Levy reported that, after the Incidents mailing list reported many probes on port 98, the port used by linuxconf for its HTTP interface, an exploit for linuxconf was found. However, the exploit code that was found does not work, at least not against current versions of linuxconf. Jacques Gelinas, linuxconf author and maintainer, has been made aware of the potential problem and sent us this detailed response. To summarize: yes, port 98 is being probed on many hosts; we do not yet have proof that an exploit is possible; and no one has reported a vulnerability that might be related to linuxconf. Current versions of linuxconf disable the HTTP interface by default and are therefore safe unless you have explicitly enabled that interface. Making sure your version of linuxconf has the HTTP interface disabled might be a good idea for the time being. If you are using a version of linuxconf prior to version 1.11, you might also want to consider upgrading to a newer version.

wu-ftpd configuration issues. This paper, posted this week, describes problems with wu-ftpd servers configured to allow uploads as well as downloads.

Procmail and sendmail. Michal Zalewski posted a note to BugTraq detailing one bug in procmail and 4 bugs in sendmail, none of which he had developed exploits for, but all of which he felt were "dangerous". No responses to this post have been seen as of yet.

Y2K issues and distributed denial-of-service attacks head the list of current security issues in CERT's Special Edition Summary, released December 17th.

*BSD Reports. Two vulnerabilities were reported in FreeBSD this week, including a root exploit in xsoldier and a kmem exploit in wmmon. The xsoldier exploit could impact other operating systems, while Linux has been judged not to be affected by the wmmon exploit.

Commercial Products. Cisco has issued an advisory regarding vulnerabilities in the Cache Engine that could allow someone to arbitrarily replace the contents of a web site within a cache, called "polluting the cache". The vulnerabilities reported only affect Cisco Cache Engine versions prior to 2.0.3. An upgrade is recommended.

Updates

Debian posted a comment to verify that Debian ssh packages are not linked against the RSAREF libraries and are therefore not vulnerable to the recently reported problems.

Resources

Pikt 1.8.1 has been released containing a fix for a "non-trivial" bug that caused sporadic lookup failures. An upgrade is recommended.

Section Editor: Liz Coolbaugh
December 23, 1999
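The linuxconf item in the Security Reports section above recommends confirming that the HTTP interface on port 98 is disabled. The following script is an added example, not code from the LWN page or from the linuxconf project; it assumes the interface is activated from inetd by a line of the shape Red Hat shipped commented out in /etc/inetd.conf (`linuxconf stream tcp wait root /bin/linuxconf linuxconf --http`). It reports whether a given inetd.conf has that line active and produces a hardened copy with the line commented out, using a constructed sample file so it runs offline.

```shell
#!/bin/sh
# Added example, not from the LWN page or from the linuxconf project.
# Assumption: linuxconf's HTTP interface (port 98) is started from inetd by a
# line like the one Red Hat shipped commented out in /etc/inetd.conf:
#   linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
# An uncommented line of that shape means the interface is reachable over the
# network; a commented or absent line means inetd will not start it.

# Print ENABLED if the given inetd.conf has an active linuxconf entry, else DISABLED.
linuxconf_http_status() {
    if grep -Eq '^[[:space:]]*linuxconf[[:space:]]+stream' "$1"; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# Emit a hardened copy of the given inetd.conf with any active linuxconf entry
# commented out; every other line passes through unchanged.
disable_linuxconf_http() {
    sed 's/^\([[:space:]]*\)\(linuxconf[[:space:]][[:space:]]*stream\)/\1#\2/' "$1"
}

# Constructed sample inetd.conf with the interface switched on (the weak setting).
weak_conf=$(mktemp)
fixed_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$fixed_conf"' EXIT
cat > "$weak_conf" <<'EOF'
# inetd.conf (constructed sample)
ftp       stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
linuxconf stream  tcp  wait    root  /bin/linuxconf  linuxconf --http
EOF

# Produce the corrected configuration and compare the two.
disable_linuxconf_http "$weak_conf" > "$fixed_conf"

echo "before: $(linuxconf_http_status "$weak_conf")"   # ENABLED
echo "after:  $(linuxconf_http_status "$fixed_conf")"  # DISABLED
```

On a real system, run the check against /etc/inetd.conf, install the hardened copy, and send inetd a SIGHUP so it rereads the file; then confirm with `netstat -an` that nothing is listening on port 98. If your distribution starts linuxconf some other way than inetd, this check does not cover it and the interface setting inside linuxconf itself should be reviewed as well.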