RTFA: http://rhn.redhat.com/errata/RHSA-2008-0855.html

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

Interesting situation here… Public key encryption is the primary basis for establishing trust in the online world. A private key is supposed to be a complete secret, such that anything signed by it can only have come from the person who holds that secret. As long as you trust the holder of the private key, then you can theoretically trust their works… or at least you can deduce whether or not their work has been tampered with en route.

The situation with Red Hat/Fedora, it would appear, is that some private keys have been compromised - specifically those used for signing packages. A “package” consists of pre-compiled software, ready to install. You don’t install the software if the signature can’t be verified. In this case, the signature will not be a good indicator of the validity of the package, because the signatures have been generated by the legitimate private key.

Specifically, in this case, the attack was aimed against the package-signing servers. This one is really major, because as an “infrastructure attack” it has massive scaling potential. We all knew this sort of thing was possible… but it’s finally time to confront the issue.

One of the hot topics on Bugtraq this month involved certificate revocation - namely, what to do when one of these signatures (or certificates) is compromised? …how does the world know that they should ignore the “bad” ones?

When an earlier Debian-specific OpenSSH vuln was discovered (predictable random number generation) the situation was easy, insofar as the vuln specifically reduced the number of bad keys that could be generated, thereby making the revocation list trivial to generate. This fix was disseminated as a series of Linux-distribution-specific packages, for even though the problem was Debian-specific, all clients must be aware of bad keys while connecting to a Debian-based machine. These updates were then gathered and installed by the package-management software that is standard with any modern Linux or BSD system.

The major question is about this very system of distribution. First, the revocation list may need to be updated more frequently than a 24-hour cron job would permit. That need doesn’t exist this year, but in ten years it may. Next, software needs to honor these revocation lists. TLS, the predominant browser-based encryption scheme, does include a specific mechanism for this purpose: the ability to import a Certificate Revocation List (CRL). However, in practice, this practice is essentially ignored. As a consequence, when any browser visits a SSL- or TLS-encrypted page on the web, the only check performed is to determine if the certificate (signature) is valid. Significantly, there is NO major mechanism for checking if a signature is valid but has been revoked.

This scenario is important in the Fedora case, where there are valid keys on the signing server, but those keys have been compromised and must be revoked… and that is a surprisingly difficult challenge.

RTFA: http://ssandler.wordpress.com/MTmini/

Don’t have a Multitouch Table yet? Have one, but need something smaller for testing? Building a small portable multitouch pad will allow you to test software and experiment on a smaller scale while building your full table or when away from your multitouch screen. Have fun and make a MTmini! This uses Front Diffused Illumination, with normal ambient light (infrared not required or needed) and a normal off-the-shelf webcam (IR filter can still be in place).

This is the easiest version I have yet seen. I haven’t made one myself, but it looks like the multitouch drivers are available for XP, Linux, and OS X. Totally awesome!

RTFA: http://goodbye-microsoft.com/

Click on the image to install Debian GNU/Linux

Totally sweet. I use Ubuntu, which is derived from and roughly parallels Debian. However, you really can’t lower the barrier to entry any more, at this point. There isn’t a one-click, browser-delivered installer for Windows XP or Mac OS X. Try Linux.

RTFA: http://www.miguelcarrasco.net/miguelcarrasco/2006/…

Nos. 2, 4, 5, 6, 8, 9, and 10 do not show any kind of crash. Those are normal messages. Note a couple of them are too blurry to read, so they might even be BSD or even OSX in diagnostics mode.

#1 looks like SVGAlib crashed, implying bad third-party software, but that’s not what a kernel panic (linux itself crashing) looks like.

#3 again, looks like some third-party software crashed. Linux is doing exactly what it ought to, prompting to launch a recovery (”diagnostics”) console

#7 isn’t even Linux. That’s what Windows looks like when it crashes, my friend.

As for those listed at the beginning of this comment…

#9 and #10 are perfectly normal. That’s what DS Linux looks like after a successful boot, and #10 shows LILO saying it successfully loaded the kernel.

# 2, 4, 5, 6 are too blurry to read. They appear to be normal kernel messages during boot. I can’t even confirm whether 5 is Linux.

#7 displays an inability to access the drive it’s configured to access. Either bad configuration - which is user error - or hardware problems, which is not a problem. Either way, it does not show a single fatal error - the picture shows a successful boot.

The bonus crash image looks like some kid was trying to demo his software and it segfaulted. His fault (bad code), not a Linux crash.

About a year late to the lulz, but this is a totally hilarious collection of “linux crash” images. The comic gold is really in the comments, most of which are just like the one above. As I’m currently battling to build a heavily patched 2.6.18 kernel on potentially unstable, poor-selling 2003-era server hardware, I would have some real pictures to share…