Fedora and our security attitude

Fedora and our security attitude

Summary: A proprietary attitude toward security depends on I. An open source attitude depends on we. I think it's clear which works best in practice. But my feelings may still be the minority view.

SHARE:
9

a reporterÂ’s notebookToday, on the 7th anniversary of 9-11, I want to talk about security and its role as a dodge.

Security breaches bring out the proprietary attitude in all of us. When security is breached we instinctively hide the details, and build a metaphorical police line around it, telling onlookers to move along.

The security attitude runs counter to the open source attitude. Open source demands that bugs be seen and lessons shared. The security attitude fears this release of information because the evil doers might get it.

With that in mind let's move to the umbrage of Bruce Byfield during what Slashdot termed last month's Fedora-Red Hat crisis.

As project chair Paul Frields eventually explained to his list, someone got into servers where Fedora was housed and there was fear they may have gotten the passphrase securing the Fedora signing key.

Had this happened it could have been disastrous. Malware could have been added and servers updated with all security apparently in place.

But this did not happen, Frields wrote:

Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

Good news. No problem, no story. Move along.

Not exactly. As Frields later revealed on his personal blog, the Fedora team had to basically raze and rebuild the skeleton of their project over just a week, in conjunction with sponsor Red Hat's security team.

Things were quite fraught. It was a Fedora version of the Cuban missile crisis. It all worked out but it was a close run thing.

The clean-up has been extensive. As Byfield noted in his recent piece, as of September 8 security updates and bug fixes were still not going out as normal.

What got Byfield's undies in a twist was the Red Hat corporate attitude toward this, which was to say nothing meaningful. Was this the corporate mindset at work? Or was it the security mindset?

My conclusion is it was human instinct, but instinct can be fought and re-trained.

When the Debian project had a problem with OpenSSL back in May, there was no hair-pulling, just an open admission of what was wrong and what to do.

Was the Debian flaw as serious, as far-reaching as what happened with Fedora? Probably not. In retrospect, were users better served by Debian's openness or Red Hat's closed mouths? You be the judge.

There are indications that the Fedora board wants to adopt the Debian way, as seen in the minutes of their last board meeting.

But what about Red Hat? What about the security industry? More important, what about the vast mass of users?

For the last 7 years we've had secrecy and fear rule our security attitudes. Kill, torture, detain, and deny everything have been our watchwords. Are we safer?

A proprietary attitude toward security depends on I. An open source attitude depends on we.

I think it's clear which works best in practice. But my feelings may still be the minority view.

Topics: Security, Open Source

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • Attitude toward maintaining security.

    An indication about people's views on what is acceptable to maintain security may be found in their attitude toward torture.

    More than half the people in the US polled in 2007 believed it could sometimes/rarely be justified:

    ... national polls conducted by the Pew Research Center since 2004 reveal that some Americans would support torture under
    some conditions. Pew asked ?Do you think the use of torture against suspected terrorists in order to gain important information can often be justified, sometimes be justified, rarely be justified, or never be justified??
    In 2007, about 12% of Americans indicated that torture often could be justified, while only 29% indicated that torture could never be justified. However, for the majority of respondents, 56%, torture could be justified in some conditions (31% indicating sometimes and 25% indicating rarely) (The Pew Research Center 2007).


    http://journals.cambridge.org/download.php?file=%2FPAG%2FPAG4_01%2FS1743923X08000019a.pdf&code=681798d5faa5f22879829c68c457666d

    This percentage might increase immediately after a successful attack and decrease over time. Given that this poll was conducted 6/7 years after 9/11, the opinion may be a minimal number (hesitantly) in favor.

    How well this tranlates to attitudes toward maintaining computer security is uncertain. I suspect that because people who violate rules are rarely tortured and because there are immediate personal advantages in violating organizational security rules, many people would not be as stringent.

    But I also expect that outsiders who violate security could acceptably receive long prison sentences and large fines. I'd say that those outside violators should include those who publish exploits for any purpose.

    Complex attitudes, no?!
    Anton Philidor
    • Picky, picky, picky

      [i]How well this tranlates to attitudes toward maintaining computer security is uncertain. I suspect that because people who violate rules are rarely tortured and because there are immediate personal advantages in violating organizational security rules, many people would not be as stringent.[/i]

      Then there's the fact that justifying torture requires ignoring well-established facts in favor of something emotionally appealing.

      There is still a security connection but maybe the details vary, no?
      Yagotta B. Kidding
  • I vote for the Debian approach

    Security through obscurity is poor strategy. It's dishonest to the end user and slows down solution development by potentially keeping out those who could best help. Isn't this the kind of thing that get Microsoft regular and well deserved beatings?
    btidwell
    • The underlying point

      I think we need to have more sympathy for the other
      view on this, even while we disagree, because it seems
      to be a natural human instinct which has, in fact,
      followed the launch of all our wars, even past their
      completion dates.
      DanaBlankenhorn
      • Oh, I understand the other side

        I am in the Army and I get weekly vulnerability bulletins. They all start with standard boiler plate saying that the information is sensitive in nature and not for public disclosure. It's human nature to not want to get caught with your fly open. I just happen to think that being open about software vulnerabilities leads to faster and better remediation.
        btidwell
        • I agree...

          One reason I like this beat is that open source can
          teach us about so many things other than software.

          Some readers don't like that. They want me to restrict
          myself to stories of ERP and CRM systems running
          Linux.

          But I get more readers when I look at the beat more
          broadly. So I do.
          DanaBlankenhorn
  • RE: Fedora and our security attitude

    The significant difference between the Debian security problem and the Fedora one, is the Debian problem was not a result of a mistake. The Fedora security issue was caused by illegal activities. As with any crime, the crime must be investigated, and the public is usually the last to know the details. So long as we have trials by jury, that will have to be part of how the US justice system works.
    docbillnet
    • So if there is a crime the Debian way is out?

      An interesting point. We can't deal with security
      openly because a crime has been committed. Once the
      problem is shown to be the result of some action by
      some human, all bets are off...including those bets
      which might lead to solution or public disclosure of
      information necessary to their well-being.

      I think you summarized the security attitude quite
      well.
      DanaBlankenhorn
  • Fedora and the Security Problem

    The fedora security problem was likely someone cracked "administrative user" passwords by brute force at home and then could potentially distribute the passwords to others to be used in conjunction with the SSH bug found by debian since each fedora download has the same "administrative user" passwords. These passwords are not uniquely set during install. Some "administrative users" have root privileges. Note I'm not talking about regular users or root but rather those users many of us do not even notice "come with" the distribution. In other words for two years someone could login to your system almost at will if the ssh bug (commented line) found by debian applies to fedora which it likely does. The question is whether or not this is unique to fedora or does it apply to other distributions as well?
    All or nothing privilege for administrative users is repaired in fedora 10.
    I waited for the patches to come out before saying this publicly.
    hoctopus