Vulnerability Fixed - Security Issues Remain
I completely missed any news of this vulnerability in OpenSSH. But I was scanning along today and saw a reference to this description of the issue. It appears that a vulnerability was introduced into the OpenSSH code inside the Debian distribution. Now I don't directly use any Debian-based Linux distros, but that doesn't mean the problem doesn't affect me. I have no control over the systems used by the companies that sign my SSL certificates, for instance. The code has been fixed, but the problem is that possibly millions of secure keys have been compromised and need to be regenerated, and it's not black and white which ones need to be replaced.
The vulnerability itself is not what I wanted to highlight in this post. I am amazed by how simple the change was that introduced it, and that it is going to cost business millions of dollars to fix. I can only imagine how easily this could happen elsewhere. It also highlights how important open source software is, because otherwise we might not have known there was a problem until our most important systems had been compromised. Such a simple change caused such amazingly devastating effects. I can only imagine what kinds of things are lurking inside the closed source software we use every day, and how the end user could be protected by allowing outside parties to review that code. This vulnerability was not exploited because the source was available; it was exploited, and the solution was found, because the source was available.
So my PSA for this post: evaluate the software you use. And consider that if you can't see the source, you can't really evaluate the security risks you are putting on yourself, your clients and your business. Choose wisely, choose Open Source.
22 Jul 2008 Simeon
