Russell Coker,
commenting on my last blog, and apparently after exploring some of the links stemming from the SFWA kerfuflle, apparently stumbled on a post from former SFWA VP Howard V. Hendrix, where he took the amazing position (for a SF writer) that he hated the using the internet, and that people who posted their stories on the web for free download were
web-scabs, has taken the position that since such comments were an attack on our (Open Source Developer’s) community, that he would resolve “to not buy any more Sci-Fi books until I have read all the freely available books that I want to read”. Obviously, that’s his choice, but while I don’t have much respect for SFWA the organization, and certainly not for their choice in past and current vice presidents, there’s another side of the story here.
First of all, Dr. Hendrix comments are not the official position of the SFWA, and there are many others who are SFWA members who would very strongly disagree with both the attitudes of Dr. Hendrix as well as the ham-handed DMCA pseudo-invocation by Dr. Burt. In addition, to quote
Rick Cook:
The first thing you ve got to understand about the Science Fiction and Fantasy Writers of America is that it isn t. Like the Holy Roman Empire, which in Voltaire s phrase was neither holy, Roman nor an empire, SFWA is not an organization of science fiction and fantasy writers. While some of the leading SF and Fantasy writers belong, the vast majority of the members are people who barely meet SFWA s extremely lax publication requirements. They are not professional SF or Fantasy writers in any meaningful sense of the term and many of them haven t published a word of either science fiction or fantasy in years.
Secondly, there are plenty of Science Fiction writers that do really understand this issue quite well. In addition Rick Cook, whom I recommended in my last post, another example of a Science Function writer who has penned a very cogent series of articles about copyright, science fiction, and the business issues of being a SFF writer is
Eric Flint. I strongly recommend his series, “Salvos Against Big Brother”,which includes a back-to-the basics examination of copyright quoting and reprinting
two speeches by British Parliamentarian Thomas McCauley in 1841. Definitely worth a read, and again a demonstration that there exists Science Fiction authors that aren’t stuck in the dark ages; few (at least it is to be hoped) are like Dr. Hendrix.
Eric Flint is also a senior editor for
Baen Books (read more about the founder, Jim Baen
here). Baen makes all of its titles available in e-book form without DRM, and many of its authors have agreed to make their books available completely free of charge. Eric Flint does so for all or most of his books shortly after they are published in mass-market paperback form; others only make a few of their books available, typically the first or second books in a series (in the hopes you will buy the rest of their books) — a wise strategy, as he explains in
one of his Salvos Against Big Brother columns.
More importantly, I strongly believe that if we enjoy an artist’s works, we should support the artist. That’s why I’ve directly reached out and given money to
musicians,
authors, and
Debian release engineers. (Yes, that last was controversial, but to me and personal ethics, it’s all of the same piece.) Is patronage the right way to support musicians? Well, it’s one way, and I’ve always been fond of the “distributed patronage” model where we use the Internet to allow a large number of people to each contribute to support an artist’s work.
The Big Meow is a good example how it might work. (By the way, to
people who are wondering what is happening with The Big Meow — I have very recently pinged Diane, and she’s working on it. Between health and family emergencies, the last 12 months have thrown a lot of delays into her writing schedule.)
Are there other models other than patronage that might work? Well, there is the traditional one — just buying the author’s books. But what if we don’t want a dead-tree copy and just want to be able to read it on our Irex Iliad, and the book wasn’t published by Baen Books, or one of the few enlightened publishers who make non-DRM’d eBooks available? That’s a harder question. Personally, I don’t find “Copyright Theft” immoral per se. Illegal, yes, but immoral only if I haven’t done something to materially support the author. If I’ve purchased a new copy of a book, and the eBook version isn’t available via legal means, I don’t believe it is immoral to download it from a site like scribd so I can read it on my laptop. Of course, that brings up other questions, such as what if the book is out of print (because the publisher don’t think it’s commercially viable to reissue the books), the author is dead, and the
widow needs money? Lots of hard questions, and no good answers….
But in any case, I think it is the right thing to do to support those authors we care about as we can, and boyotting all SFF books isn’t necessarily appropriate or helpful.
Let me just point out, that the consequences affect all users of SSH.
Therefore IMHO all other Linux and BSD distributions need to release a
security update to OpenSSH as well, to prevent the use of insecure (too common)
keys, because it threatens the security of their systems as well!Apparently, there are only about 2^15 different keys generated by the SSH
versions shipped with Debian for 2 years. It's really surprising that noone
noticed this earler. This is just about 32767 different keys. (For each type,
size and endianess, but that still makes this number much much much too low)
The weakness is caused by a bad random number generator in the Debian package.Hackers have already generated all these 32767 different keys, for two key
lengths and types. In a few hours, they'll also have generated all the 4096 bit
keys that could have been generated. Other key lengths are uncommon and
sometimes might even be unsupported. Most people use keys with length 1024 or
2048.So we now have about 32767 keys which are used by lots of Debian and Ubuntu
users. That's not very much. Now you have to realize how the keys are used:The key is used to log into a system without a password. Sometimes a key is
protected with a passphrase (you really should do that), but this doesn't help
here, because an unencrypted clone of the key was already generated.Sometimes (or let me even claim 'often') one such key is also used to login as
root into a server. This is equivalent to just 32767 different passwords being
used as root passwords. So with about this number of tries, an attacker might
be able to log into your server as 'root'!Now the weakness is 'distributed' by the users, it's not just a server-side
vulnerability. If your server is running e.g. RedHat, it doesn't mean it is
secure!.In fact, if your server is running Debian and you installed the
Debian security
update for openssh, it will be much more secure than the RedHat server.
Because the Debian server has a blacklist of keys that are too common.
The other-Linux server who doesn't have this blacklist doesn't know that a
certain 'weak' key is not trustworthy.Fixing the bad key-generation is just half of the deal. "Recalling" all the
keys in use out there is the big challenge, that affects all systems using
SSH (and to a different extend, SSL). The most reliable way is if all other
distributions would release a security update as well, which refuses to
accept the keys that were generated by vulnerable Debian systems.Let me just repeat it in other words:
Any Linux/Unix/*BSD system is vulnerable that grants access to a
key that was generated on an affected Debian or Ubuntu system.
(Until the system has a reliable detection method of such weak keys.)
Keys are usually generated on the users workstation, so if any of your users
is or was potentially running Debian or Ubuntu ... you get the idea.Note that if you are not careful, you might lock yourself out from your server.
If you don't have or remember the password, installing the security update
might disable your login key. So if your key is bad, make sure to generate
a new, secure key and distribute it ASAP. Also remove any vulnerable key
ASAP; remember that hackers now have a list of all possible keys and could use
that to brute-force login.P.S. Since some people still don't seem to get the consequences in full: The
bigger problem is to remove are the weak keys, not to fix the broken
library. The weak keys (especially in the form of public keys!) can live
on tons of other systems, not just on Debian and Ubuntu. This is why
TOR also released a security update and e.g.
CACert urges non-Debian
distributors to also ship and use the blacklists of known weak keys.
Also note that not all keys that can be considered compromised can be detected
this easily. If you've been using a DSA key on an affected system - even when
it was created on a different system - it is to be considered compromised.
Needless to say, the above photo doesn’t do great justice to what happened last night; it came from my elric which I didn’t get use much as a camera since I too was happily chatting away. That said, I expect RJ Ian will be posting his photos from his brand-spanking-new Kodak camera to the Ubuntu-PH site once he gets back to Mindanao with Yolynne and company. I also think the FOSS@Work folks also have their own photosite or wiki to post more photos, which we’ll be seeing sooner.
Jerome Gotangco and Ealden Esca an, the guys whom we all owe Ubuntu-PH to, were unfortunately unable to attend last night, as Jerome was off to Cebu to participate in the ICT congress there, while Ealden was quite busy at work. Hopefully they (as well as last night’s attendees!) can attend the next Release Party for 7.04 (aka Feisty Fawn,) and hopefully it will be just as fun, and be more meaningful if more Ubuntu-PH folks get involved in its development!
Update: Yolynne and RJ just posted