Debian crypto disaster: Open source "bystander effect" in full swing

Open source code may be public, but the recently-discovered flaw in Debian's random number generator shows that expert auditors may not be looking at it!

The shocking news that the OpenSSL random number generator shipped by Debian has been broken for 18 months has overshadowed a more serious question about open source security.

Over the last 48 hours, administrators relying on keypairs generated on affected Debian systems, for SSH authentication and for SSL/TLS transport encryption alike, have had to drop everything to regenerate them, while security researchers such as H D Moore pulled all-night coding sessions [podcast interview] to write exploit toolkits based on the discovery.

While the short-term nightmare of regenerating every key that could conceivably have been generated on Debian (and on Ubuntu, which is a Debian-derived distro) has kept everyone busy, many pundits seem to have missed a gigantic piece of the bigger picture.

And here it is: a patch that crippled the random number generator behind OpenSSL key generation was shipped in a popular Linux distribution for 18 months, and no one noticed until now.
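To make concrete what "laughably weak" means, here is an added example that is not code from this article, from Debian or from OpenSSL. It models a key generator whose only remaining entropy input is the process ID, which is what the Debian patch left OpenSSL with: at most 32,768 possible outputs per key type, so anyone can enumerate the whole key space once, index it by fingerprint, and then recover any affected secret key from its public fingerprint. The PRNG (`random.Random`), the 16-byte "keys", the truncated SHA-256 "fingerprint", the `PID_MAX` bound and all function names are simplifying assumptions of this example; only the size of the key space is the point.

```python
"""Added model of a PRNG whose only entropy input is the process ID.

Not Debian's or OpenSSL's code: random.Random stands in for the PRNG,
16-byte secrets stand in for RSA/DSA keys, and a truncated SHA-256 stands
in for a key fingerprint. All of these are assumptions; the key-space
size is what the example demonstrates.
"""
import hashlib
import os
import random

PID_MAX = 32768          # Linux default pid_max of the era (assumed bound)
KEY_BYTES = 16           # toy key size (assumption)


def weak_keygen(pid, key_bytes=KEY_BYTES):
    """Key generation when the PID is the only seed material.

    Every other entropy input has been stripped, so the output is a pure
    function of pid: there are at most PID_MAX - 1 possible keys.
    """
    rng = random.Random(pid)                  # deterministic given pid
    return rng.getrandbits(key_bytes * 8).to_bytes(key_bytes, "big")


def strong_keygen(key_bytes=KEY_BYTES):
    """What key generation should do: draw from the OS CSPRNG."""
    return os.urandom(key_bytes)


def fingerprint(key):
    """Short public identifier for a key (toy stand-in for a fingerprint)."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blacklist(key_bytes=KEY_BYTES):
    """Enumerate the whole key space, indexed by fingerprint.

    This is the precomputation behind both the fingerprint blacklists used
    to find bad keys and the exploit toolkits: one generation run per
    candidate PID, done once.
    """
    return {fingerprint(weak_keygen(pid, key_bytes)): pid
            for pid in range(1, PID_MAX)}


def is_weak(key, blacklist):
    """Defender's check: does this key's fingerprint appear in the blacklist?"""
    return fingerprint(key) in blacklist


def recover_secret(fp, blacklist, key_bytes=KEY_BYTES):
    """Attacker's step: from a public fingerprint alone, recover the secret
    key by looking up which PID produced it and regenerating it."""
    pid = blacklist.get(fp)
    return None if pid is None else weak_keygen(pid, key_bytes)


if __name__ == "__main__":
    bl = build_blacklist()
    victim = weak_keygen(4242)               # a key made on an affected box
    print("key space size:", len(bl))
    print("victim key weak:", is_weak(victim, bl))
    print("recovered from fingerprint:",
          recover_secret(fingerprint(victim), bl) == victim)
    print("fresh urandom key weak:", is_weak(strong_keygen(), bl))
```

Building the table takes well under a minute on a laptop, which is the whole story: a key that is supposed to cost 2^128 or more guesses costs 2^15. The real toolkits did exactly this per architecture and key size, and the distribution's blacklists are the same table used defensively.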

This brings to mind a theory put forth by Peter Gutmann at the inaugural Kiwicon security conference in New Zealand last year (part 1, part 2). He argues making source code public doesn't necessarily mean it will be audited by highly skilled security professionals.

While open source true-believers assume someone else is reviewing the code, quite often it just sits there gathering dust. I know I've got better things to do on a sunny Saturday.

Gutmann related this phenomenon to the way in which ordinary people will stand by and ignore pleas for help, assuming someone else is responding.

The argument around the tenets of open source versus proprietary software is hardly a new one, and hardly one that's likely to be resolved soon.

With absolute clangers still popping up in all sorts of closed-source enterprise software it's doubtful anyone could argue this latest instance of open source stupidity is a knock-out blow to the credibility of Linux as an enterprise-grade operating system.

But it sure doesn't help.

Patrick Gray is the host of Risky Business, the weekly security podcast.



Read more on Security policy and user awareness