The Debian OpenSSL disaster
Unfortunately, it is much cheaper in the short term simply to treat the most damaging symptoms of bad software engineering than it is to address the underlying problems and causes. However, in the long run, this leads to huge amounts of time spent by end users applying patches and updates and developers needing to address the same problems repeatedly.
The good news is that many of the solutions to these problems are not that expensive, and most require little if any technology to implement.
Simply commenting code, documenting communications channels, and asking questions clearly – with as much context as possible – will go a long way. Also, it's important to remember that open source isn't just about access to source code, but access to the very culture that writes the source code, which means everyone has the chance to help make it that much better.
- DSA-1571-1 openssl: http://www.debian.org/security/2008/dsa-1571
- Key rollover: http://www.debian.org/security/key-rollover/
- SSLkeys: http://wiki.debian.org/SSLkeys
- OpenSSL bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516
Buy this article as PDF
Leading browser makers say no to porous encryption algorithm
Report from the X-Force group says attackers are using TOR to hide their crimes
Future Firefox extensions will be compatible with Chrome.
Better read this if you bought your computer before 2011
Users should upgrade to the new version as soon as possible
Xen project announces a privilege escalation problem for Qemu host systems
Attackers can compromise an Android phone just by sending a text message
PC vendor will pre-install Ubuntu on portables in India.
More embarrassment for Adobe's embattled multimedia tool
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.