
Demonstrating the pure lunacy of the woefully inefficient Transportation Security Administration, there’s a new pilot program coming in a few months that will supposedly streamline security checkpoints for laptop owners with “specially-designed” laptop bags. Naturally, cheap-ass bag maker Targus is first in line to produce these “government approved” laptop bags, and I’m sure they’ll be first in line to overprice them.
The article itself states that “at a checkpoint, the case would unfold and be placed flat on the X-ray belt” … meaning you still have to open the fucking thing to get through security. Funny stuff — yet another accessory you don’t need, to help you get through a security checkpoint that doesn’t work … just a little bit faster.
Meh. I like the bag I got for my birthday. It’s soft, durable, and makes my laptop damned accessible if I need it in a hurry. Sorry, Targus, but I think I’ll stick with this one.

Recently a Debian developer discovered that a change made (by Debian) in OpenSSL (the underlying toolkit that powers OpenSSH and OpenVPN, as well as providing a stable SSL system for open-source web servers) a couple years ago significantly reduced how much genuine “entropy” (randomness) was available at key creation time for users of the OpenSSL library. Oops.
The end result is that it is theoretically possible for an attacker to guess your private key with just a little bit of information from your system.
Ubuntu users already have updates waiting when they next check for updates, but there’s the additional step of re-creating your private keys too (and the requisite “installing them on your systems” step that follows) to be free of the impacts of this update. It’s actually pretty straightforward to do (and if you don’t know what the hell I’m talking about, you’re not affected anyway).
The relevant advisories are:
A handy little tool called ssh-copy-id is a wonderful little bit of shorthand to help install your key on new systems quickly. On a regular box where you’ve just got the one key, you can just copy it over with a single command:
$ ssh-copy-id username@host
You’ll be prompted for your normal login password for username@host, but after that the tool automatically installs your public key in the right place on the target and from then on you shouldn’t need to take any extra steps for it to all “just work.” It’s spiffy.
BTW, anybody who’s gotten a bit rusty on their care and feeding of ssh and needs a refresher on how to regenerate a key, just run
$ ssh-keygen
by itself for an RSA key (add “-t dsa” to get a DSA key).
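One thing the two commands above don't do: ssh-copy-id appends the new public key to the target's authorized_keys, so the old key stays in that file and keeps working until its line is deleted. Here's one way to clean that up, as an added example (not part of the original post); the function names and the key blobs in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example: remove a retired public key from an authorized_keys file.
# Function names and the sample key blobs below are constructed for illustration.

# Print the base64 key blob (2nd field) of a one-line OpenSSH .pub file.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# prune_old_key AUTHORIZED_KEYS OLD_PUBKEY
# Drops every line that carries the old key's blob, keeps a .bak copy of the
# original file, and prints how many lines were removed. Comparing whole
# fields also catches entries prefixed with options such as from="...".
prune_old_key() {
    auth=$1
    blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "no key blob found in $2" >&2; return 2; }
    [ -f "$auth" ] || { echo "no such file: $auth" >&2; return 2; }
    removed=$(awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) { n++; next } }
                                END { print n + 0 }' "$auth")
    tmp=$(mktemp "$auth.XXXXXX") || return 2
    cp -p "$auth" "$auth.bak"
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' "$auth" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$auth"
    echo "$removed"
}

# Constructed sample: the old key appears twice (once with an option prefix),
# next to one entry for the freshly generated key.
make_sample() {
    dir=$1
    echo 'ssh-rsa AAAAB3OLDKEYBLOBconstructed user@oldbox' > "$dir/old.pub"
    cat > "$dir/authorized_keys" <<'EOF'
ssh-rsa AAAAB3OLDKEYBLOBconstructed user@oldbox
from="10.0.0.5" ssh-rsa AAAAB3OLDKEYBLOBconstructed backup job
ssh-rsa AAAAB3NEWKEYBLOBconstructed user@newbox
EOF
}
```

Save a copy of the old .pub file before regenerating, then run prune_old_key on each target once you've confirmed the new key logs in.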
To the nay-sayers out there whining that this is an “obvious demonstration” that open source isn’t as secure as it’s claimed, bullshit. This is exactly how open source is more secure — somebody noticed a problem and it was fixed and rolled out within hours, not days, weeks, or months like with a closed-source vendor. Also, there is no known exploit for this vulnerability. Finally, this was a Debian-only (Ubuntu is based on Debian, so it and any other Debian-variant Linux distribution was affected as well) goof, and wasn’t a problem with the original OpenSSL on which this package was based.