Debian's OpenSSL Bug Lingers 16 Years Later
- Published 18 Sep 2024
- 16 years ago Debian shipped a massive vulnerability in OpenSSL (CVE-2008-0166), and even though the bug itself was fixed long ago, that hasn't stopped some companies from keeping the same keys in use for 16 years.
==========Resources==========
CVE-2008-0166: lists.debian.o...
16 Years Of CVE: 16years.secvul...
Tranco List: tranco-list.eu/
I'm not sure how anyone is confused here but this has 0 to do with Debian anymore. They fixed this bug 16 years ago, what's not fixed are lazy companies that don't rotate their keys
laughs in UEK
Because yesterday's vid is still top of mind because of the insanity of it. :-)
Because they see the video title, get angry, and start responding with a comment instead of watching/listening to the video.
Because of the dumb clickbait title.
@hrhcrab Clickbait has lost all meaning if this is a clickbait title
Of course I rotate my keys, how else would I unlock my front door?
This comment is so hilarious! 😂
🤣🤣🤣🔥
by inputting the pin code?
Keys? You mean you don't carry a sledgehammer everywhere?
REEEEEEEEE YouTube AUTODELETES MY FUNNY COMMENTS
4:01 : "the group you tried to contact (security) may not exist"
Just _wow,_ what an auto-response _that_ is. Someone needs to rewrite that particular message to be less meme-able.
That ubuntu wallpaper looks so cool!
Hardy Heron was a damn good OS. IIRC I skipped Lucid and kept using Hardy until Precise Pangolin came out.
That wallpaper was the default wallpaper from Ubuntu 8.04 LTS
It does not surprise me, it's because DKIM has no expiration part. And many of these large organizations have no idea how to organize themselves unless they really need to.
The expiration for DKIM is whenever you remove it from your DNS. You make the expiration yourself.
@thewhitefalcon8539: That is OP's point.
massive companies have massive oversights? colour me shocked.
"Oh no, our customers privacy and safety will be violated! We shall immediately fix that! "
Said no corporation ever
Massive companies have NSA assets working inside of them.
I'm not surprised that companies don't rotate the keys. A company I worked for had SSH keys in use for longer than I worked there. We had a list of keys and each time we set up another server or VM we just copy/pasted the whole list. I assume the original systems are long since gone but I'm sure the keys are still in use. Convenience beats security, sad but true. They said it's too much of a hassle to generate new ones, as too many systems are connected to the VM cluster. Generating new keys would mean updating the keys on all computers with access to the cluster.
2008 was when I began my Linux journey with Ubuntu 8.04 on a CD sent to me by Canonical (which I dearly needed due to having only dial up back then)
Yes, I remember that! You could just get a CD sent to you for free. That was so awesome
Yep, I knew the free CD programme Canonical had was great for those on slow connections, but I never asked for one as my Internet connection was fast enough and I had a CD-RW disc I could use.
Neat to see that someone that was on a dial-up connection did request one of those discs.
Not getting one of those discs was one of my greatest regrets
Even if I don't necessarily _need_ it, it's still a cool physical memento to have
I freaking loved those CDs, ordered like 20 and just gave 'em to people at our school, still have a few around somewhere
The bug can already buy and drink beer, god save us
Only in countries where the age is 16
@James2210 No, the bug has existed since 2006, which is 18 years ago.
It was only fixed in 2008, which is 16 years ago.
Just some additional notes here around DKIM:
The DKIM standard was defined in 2011, 3 years after the bug was fixed, so even if they were really early adopters it would still have been 3 years after the bug was fixed.
As for running 1024-bit DKIM keys, the problem is that 2048-bit ones don't fit in a single TXT string, so the record has to be split. While most hosts support that, it adds complexity and some don't, so there are practical reasons why 1024 is the standard here.
Up until recently, and probably still the case, DKIM was not even always used. Only because Microsoft and Google are starting to enforce it will it gain real traction. I still come across plenty of mail servers that simply do not use it.
A security vulnerability with Cisco???? No way!!!!!11
Imagine that
Isn't Cisco just an NSA affiliate at this point?
The comment you would like to see here is written in other documents
Get yourself a cloud connected door lock, then you don’t need to rotate a key.
You just need to unplug the router, count to 10, and plug it in again.
Debian should take key generation out of OpenSSL, it has too many features which are vulnerable.
Debian just sounds like a... bad distribution overall. Everything I read about them is either stupid decisions or stupid decisions with holier than thou attitudes.
@jefferyrlc @SenseiDeElite Debian is in fact the most secure and stable distro. Most bugs and vulnerabilities are caught by Debian, even the ones introduced by Debian itself. That's why you hear "Debian" every time some stupid or dangerous thing is discovered, because it is Debian who discovered it.
@jefferyrlc what distro doesn't make bad decisions? Fedora patent trolled itself, Arch rolled out xz 1.6, Manjaro doesn't update their certs, Linux Mint used to not upgrade the kernel at all and Ubuntu ships crypto malware
@MrVecheater Arch rolled out xz, but the malicious part couldn't do anything on Arch
@formbi just because of luck. In the end they shipped backdoored code. This is a direct consequence of rolling releases and can happen again
And things like this are why good security standards enforce key expiry. Bad keys can't linger if they expire after a year or 2. Yes, key expiry is annoying if you do not have good key management procedures, but it's for your own good.
You actually can't exploit this vulnerability to fake email addresses, as described elsewhere in other documents.
> as described elsewhere in other documents
damn. You have successfully baited me into looking through the article to find why would that be lol
big companies just use 'security' as a marketing word
(5:02) That reminds me of videos and articles I watched/read where some people were still able to access servers for certain legacy software that the developers had dropped support for many years prior, but is also the reason why I try to write notes on each server indicating what it serves.
Welcome to the current state of security online.
What I want to know is why rotating them would help. I mean, someone who saw them could just rotate them in the opposite direction and they'd be just the same.
Brodie bullying Debian now?
Just the companies that use it
I've used Debian, on and off, for over 20 years (personally and in production). Man they've beaten me up for it 😂
I don't believe anyone deserves bullying but they could definitely do with a "kick up the arse" 👍
I know there are still people running Windows XP on kiosks (or worse, 3.1 on train systems) out of their own volition, this is no surprise at all to me
When it comes to security nothing surprises me anymore.
I'm just waiting till I get an email from someone asking for money or they'll publish my medical records
This bug is almost as old as me...
Linux 6.9 is out, nice
Nice
Nice
*wet tongue click noise*
So BIMI essentially is X-Face, except that you pay for it and it claims to contain security?
KDE4 was so bad that I still won't touch KDE or its incomprehensible successor system to this day.
To those "smart" people who try to exercise on Debian's reputation: how is it Debian's fault if a company or entity is using vulnerable keys which were generated in ... ~2007?
I don't know why anyone is taking that approach, this would happen to literally any distro that's been in deployment for a long time if it has bad managers behind it
@BrodieRobertson based on what?
Here is an actual study on the security of Debian and Fedora compared. Maybe it will give you a different perspective:
Jiahuei Lin, Haoxiang Zhang, Bram Adams, Ahmed E. Hassan. "Vulnerability management in Linux distributions: An empirical study on Debian and Fedora." Accepted 25 November 2022, published online 16 February 2023.
@moetocafe I'm not arguing the security of different distros, I'm agreeing that bad techs will be bad techs no matter what distro they use
@BrodieRobertson agreed
Some of those keys are old enough to drink
No, I'm not surprised that this is still used in the wild. As much as we like to bash big business for not updating their software, a lot of them really can't because they depend on some old version of something because it's the only software that reliably runs whatever application they use. It ends up being more expensive to upgrade than to maintain what they are doing.
Yet another situation where Debian tried to "improve" a different project, because they know better.
5:40 Which could backfire in a lawsuit.
Ubuntu 9.04 had one of the best themes I've ever seen, and ran smoothly on everything!
Leans into mic: "..no."
BIMI stands for BIdirectional Massive Intrusion, right? ;-).
3RD DAY ASKING FOR A REVIEW OF:
- YAZU (FILE MANAGER>RANGER,VIFM,NNN,LF)
- WEZTERM (TERMINAL)
Thats a cool wallpaper
Not at all surprised.
I need to find a use for my old laptop from 2007 that still works ...
Trust it to the Czechs to have an unpatched vulnerability from 16 years ago.
Also your pronunciation of seznam is just so wrong yet so funny at the same time.
I'm a boring English speaker
@BrodieRobertson you still did better than most though.
Please fix the description. It's their. Or they're. But definitely not there.
Your attempts at pronouncing Seznam are very amusing. (Btw it means List)
I wasn't going to get any closer lol
Why are security vulnerabilities always reported to Debian? Security researchers, be more creative, report them to Hannah Montana Linux!
this vulnerability was caused by Debian messing with OpenSSL
That doesn't surprise me in the slightest. The oldest bug not turned into feature in Linux is from 1999. Though the oldest would be how the system doesn't check for periods beyond the first character in filenames. And this is a bug which dates back to the 1970s.
Just out of curiosity, why would it?
@enemixius This doesn't really seem like an accurate description of the bug/oversight. I think this is in reference to how ls only checked for the initial character in a filename being a period, as a way to hide . and .. in its output, instead of doing a full string comparison. The fact this created the entire concept of dotfiles was an unintentional consequence.
I am glad Debian is so security focused they are willing to ship a version of KeePass with all plugins removed so it cannot be used in a web browser... but miss fixing something like this.
They fixed this 16 years ago, the companies using debian didn't generate new keys
Debian is consistent and really good at catching vulnerabilities and bugs. Now, at solving them...
Debian isn't "catching" anything, in relation to this video. If a company is using known-to-be-vulnerable keys, generated ~2007, this is not a Debian vulnerability. It is these companies' vulnerabilities.
There is no software, free of bugs or security vulnerabilities, but Debian's reputation is well deserved.
Just a recent example - the xz vulnerability didn't affect Debian stable (unlike some rolling releases). So...
My question is why are people still using keys from 2016, let alone 2008 and that's like a generating question. I know nothing about any of this so I just wonder why they couldn't have automatically like generated new keys after they fixed the vulnerability..
Also, why is rotating your keys not required? That just sounds stupid [I say as someone who knows next to nothing about what you're talking about].
Lazy techs are lazy
@BrodieRobertson That's exactly what I was thinking, which is why I'm surprised there isn't a way to automatically set that up...
The thing is the way DKIM is deployed, public key is published in a DNS-record, private key is stored on the mailserver. Not all companies have the same person in charge of both of those, resulting in general pain.
Second big factor is that up until recently DKIM has been an afterthought: sure, set one up, but never see it as important. Hell, up until a few years ago there were a lot of mail servers using neither SPF nor DKIM, having no verification whatsoever.
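An added example, written for this thread and not code from the video, the cited study or any mail software, covering the two DKIM mechanics raised by commenters: the 255-byte TXT string limit that forces a 2048-bit key record to span several strings (the earlier comment on why 1024-bit keys are still common), and selector-based rotation, where a new selector is published, the signer switches to it, and the old selector is revoked by publishing an empty p= tag (the comment above on the DNS/mail-server split). It uses only the Python standard library with a minimal DER encoder/decoder written here; the moduli are constructed numbers of the right bit length and not real RSA keys, and the zone is a plain dict standing in for DNS.

```python
"""DKIM DNS-record mechanics: build, split into TXT strings, parse, audit, rotate.

Added example for this thread; not code from the video, the cited study or any
mail software. Standard library only. The moduli below are constructed numbers
of the right length, NOT real RSA keys, and the zone dict stands in for DNS.
"""
import base64
import re

# --- minimal DER, just enough for an RSA SubjectPublicKeyInfo (what p= carries)
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                  # DER INTEGER is signed; keep it positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def spki_from_rsa(n: int, e: int = 65537) -> bytes:
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))          # RSAPublicKey
    alg_id = der_tlv(0x30, RSA_OID + b"\x05\x00")             # AlgorithmIdentifier
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_pub))

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki: bytes) -> int:
    _, seq, _ = der_read(spki)
    _, _alg, pos = der_read(seq)
    tag, bits, _ = der_read(seq, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa_pub, _ = der_read(bits[1:])
    tag, modulus, _ = der_read(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()

# --- the DNS side
TXT_STRING_MAX = 255   # RFC 1035 <character-string> limit; DKIM verifiers concatenate the strings

def build_dkim_record(spki: bytes) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

REVOKED_RECORD = "v=DKIM1; k=rsa; p="   # empty p= = "this selector is revoked" (RFC 6376 3.6.1)

def split_txt_strings(record: str) -> list[str]:
    return [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]

def parse_dkim_record(strings: list[str]) -> dict:
    tags = {}
    for field in "".join(strings).split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # whitespace inside p= is ignored
    return tags

def audit_selector(strings: list[str], minimum_bits: int = 2048) -> dict:
    tags = parse_dkim_record(strings)
    if not tags.get("p"):
        return {"ok": False, "reason": "revoked or empty key", "strings": len(strings)}
    if tags.get("k", "rsa") != "rsa":
        return {"ok": False, "reason": "non-RSA key", "strings": len(strings)}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return {"ok": bits >= minimum_bits, "bits": bits, "strings": len(strings)}

def owner(selector: str, domain: str) -> str:
    return f"{selector}._domainkey.{domain}"

def rotate_selector(zone: dict, domain: str, old_sel: str, new_sel: str, new_spki: bytes) -> dict:
    """Publish the new selector, switch the signer to it, then revoke the old one.
    In production the revocation waits until mail signed with old_sel has had
    time to be verified; here the two steps are adjacent for illustration."""
    zone[owner(new_sel, domain)] = split_txt_strings(build_dkim_record(new_spki))
    zone[owner(old_sel, domain)] = split_txt_strings(REVOKED_RECORD)
    return zone

# Constructed moduli: odd numbers of the right bit length standing in for real keys.
N_1024 = (1 << 1023) | 0x10001
N_2048 = (1 << 2047) | 0x10001

def demo() -> dict:
    old, new = owner("s2008", "example.com"), owner("s2024", "example.com")
    zone = {old: split_txt_strings(build_dkim_record(spki_from_rsa(N_1024)))}
    before = audit_selector(zone[old])
    rotate_selector(zone, "example.com", "s2008", "s2024", spki_from_rsa(N_2048))
    return {"before": before, "old_after": audit_selector(zone[old]), "new": audit_selector(zone[new])}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the 1024-bit record fitting in one TXT string and failing the size audit, the rotated-in 2048-bit record needing two strings, and the old selector reading as revoked afterwards. One caveat a practitioner should keep in mind: the bit-length check catches only short keys. A CVE-2008-0166 key can be 2048 bits and still be one of the few tens of thousands of predictable keys; those are found by comparing the key against the precomputed weak-key lists (the openssl-blacklist package and its openssl-vulnkey tool), not by any property visible in the record.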
Might as well let them stay for an even 20 years.
kde still sucks
Get a nice translate by Google button:
Translates to "where still sucks" Okay...