Er, before you start to get too smug about open-source security...
Open-source security is improving rapidly, according to our colleagues on vnunet.com, but a rather different picture emerges from a report in MIT Technology Review. It says a cock-up two years ago by some coders at Linux house Debian has compromised millions of machines, not to mention some of the web's most important software.
A fix has been produced but the problems caused cannot simply be patched away. New keys have to be generated, certified and distributed, which takes time.
The coders were using Valgrind, a memory-debugging tool that, ironically, exists to catch exactly the kind of bug that turns into a vulnerability. It reported what appeared to be a problem in the OpenSSL library, which is used by software including the Apache web server, IPsec VPN implementations and the SSH remote-access software.
Valgrind flagged that the OpenSSL library read a block of memory without first initialising it to a known state, which is normally a mistake. In this case, however, the library was deliberately using whatever happened to be in that memory as one of several sources of randomness fed into its pseudo-random number generator when generating encryption keys.
The Debian programmers simply commented out the lines implementing the 'mistake'. Unfortunately the lines they removed did more than drop the uninitialised buffer: they removed the step that mixed any seed material into the generator at all. The only varying input left was the process ID, which on Linux is capped at 32,768 by default, so for a given key type, size and platform there were only tens of thousands of possible keys, rendering the encryption open to brute-force attack.
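To make the failure concrete, here is a toy model of a seeded generator with and without the Debian change. This is an added illustration, not OpenSSL's code or the Debian patch: a SHA-256 accumulator stands in for OpenSSL's pool, the class and function names are invented, and the 32,768 process-ID limit is assumed from the Linux default of the time. The point it shows is that once seed material is discarded, an attacker who knows the key type can regenerate every possible key by looping over process IDs.

```python
"""Toy model of the Debian OpenSSL PRNG failure (constructed example).

Not OpenSSL's algorithm: a SHA-256 accumulator stands in for the real
pool, and ToyPool/generate_key/brute_force are illustrative names.
"""
import hashlib

PID_MAX = 32768  # Linux default pid_max of the era (assumed value)


class ToyPool:
    """Seeded pool. mix_seed=False models the Debian change, which removed
    the call that fed seed material into the pool."""

    def __init__(self, mix_seed: bool = True) -> None:
        self._pool = hashlib.sha256()
        self._mix_seed = mix_seed

    def add(self, seed: bytes) -> None:
        # In the patched build this is effectively a no-op: the seed,
        # uninitialised buffer or otherwise, never reaches the pool.
        if self._mix_seed:
            self._pool.update(seed)

    def output(self, pid: int, n: int) -> bytes:
        # The process id is stirred in at output time in both builds;
        # after the patch it is the only input that varies between runs.
        out = b""
        block = 0
        while len(out) < n:
            h = self._pool.copy()
            h.update(pid.to_bytes(4, "little"))
            h.update(block.to_bytes(4, "little"))
            out += h.digest()
            block += 1
        return out[:n]


def generate_key(seed: bytes, pid: int, patched: bool, key_len: int = 32) -> bytes:
    """Produce key_len bytes of 'key material' as a process with id `pid`
    would, after seeding the pool with `seed` (ignored when patched)."""
    pool = ToyPool(mix_seed=not patched)
    pool.add(seed)
    return pool.output(pid, key_len)


def brute_force(target: bytes, key_len: int = 32):
    """Attacker's view: assume the patched generator, which has no seed to
    guess, and enumerate every possible pid. Returns the pid that
    reproduces `target`, or None if the key was not made that way."""
    for pid in range(1, PID_MAX + 1):
        if generate_key(b"", pid, patched=True, key_len=key_len) == target:
            return pid
    return None


def count_patched_keys(key_len: int = 32) -> int:
    """Size of the whole keyspace of the patched generator: one key per pid,
    however good the seed supplied by the caller was."""
    seed = b"\x42" * 32  # any seed; it is discarded in the patched build
    keys = {generate_key(seed, pid, True, key_len) for pid in range(1, PID_MAX + 1)}
    return len(keys)


if __name__ == "__main__":
    good_seed = b"\x01" * 32  # constructed stand-in for real entropy
    weak = generate_key(good_seed, 12345, patched=True)
    strong = generate_key(good_seed, 12345, patched=False)
    print("patched key recovered from pid:", brute_force(weak))
    print("unpatched key recovered from pid:", brute_force(strong))
    print("distinct keys the patched generator can ever produce:",
          count_patched_keys())
```

Running the block recovers the "patched" key's process ID after at most 32,768 hashes, fails to recover the unpatched one (its value depends on seed bytes the attacker never sees), and reports a total keyspace of exactly PID_MAX. Real-world checkers of the time did the same thing offline: pre-compute every key the broken generator could emit and compare fingerprints against it.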
Astonishingly, so-called secure systems have been running with this vulnerability for two years. No-one knows how many machines are affected, not least because keys generated on an affected Debian (or Debian-derived) system may have been copied to machines that never ran the compromised code at all: an SSH public key installed on another server, or a certificate issued for another host, is just as weak wherever it ends up.
At least it brings a new meaning to the term OpenSSL.