Posted on 05/25/2008 3:18:15 PM PDT by PapaBear3625
Back in May 2006, a few programmers working on an open-source security project made a whopper of a mistake. Last week, the full impact of that mistake was just beginning to dawn on security professionals around the world.
In technical terms, a programming error reduced the amount of entropy used to create the cryptographic keys in a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, the IPsec Virtual Private Network (VPN), secure e-mail programs, some software used for anonymously accessing the Internet, and so on.
The error doesn't give every computer the same cryptographic key--that would have been caught before now. Instead, it reduces the number of different keys that these Linux computers can generate to 32,767 different keys, depending on the computer's processor architecture, the size of the key, and the key type.
Less than a day after the vulnerability was announced, computer hacker HD Moore of the Metasploit project released a set of "toys" for cracking the keys of these poor Linux and Ubuntu computer systems. As of Sunday, Moore's website had downloadable files of precomputed keys, just to make it easier to identify vulnerable computer systems.
(Excerpt) Read more at technologyreview.com ...
A simple programming error reduced the entropy in the generated program keys created by the OpenSSL library. Why does this matter? The OpenSSL library's key generation and other routines are used by the SSH remote access program, the IPsec Virtual Private Network (VPN), the Apache Web server, secure email clients, programs that offer secure internet portals and more.In a nutshell, a 128-bit encryption key, instead of having 10^38 possible values (making it effectively impossible to guess they key), really only has 32,767 possible values, meaning that guessing the key becomes trivial
Preliminary tech ping
And what liberal arts degree did this “programmer” have? Obviously no math degree.
So you get something for free and what - demand it is as secure as something you pay for? Silly people.
Probably was a math major instead of a computer engineer who actually understands how registers work and how integer arithmetic works in a computer.
Butbutbutbut I thought only evil Windows systems were vulnerable. /sarc
Bill Gates, is that you?
debian screwed up and modified something they shouldn’t have. The OpenSSL Project itself does not have the bug nor does any non-debian based system.
bookmark
Yeah, because we all know that paid closed source software never has any security problems. /sarc
No matter though, a Linux migration is not that particularly difficult, and the “upgrade” is free or very very low cost.
If this had happened on Blista, the cost of reverting back to XP would be tremendous.
The penguin is an adaptable beast after all..:)
Nope, it was dumber than that:
A programmer, who didn't understand the function of the randomizing variables in the key generator, removed all but one (the process ID, 0-32767). He eliminated random memory contents, mouse movements, keyboard input, everything but process ID.This was unintentional, but the fallout is horrific.Why? Because a "bug-catching" program told him that memory whould be initialized, not left "random", etc. Rather than strive to figure out why the code would have contained such things, he merely commented them out to quiet the bug-catcher software.
whould => should
Looks like Kubuntu has a fix up, and I also saw a list of blacklisted keys can be installed.
Here is the slashdot thread about this from two weeks ago.
http://it.slashdot.org/article.pl?sid=08/05/13/1533212
You miss the point.
There are two years' worth of WORTHLESS KEYS out in the world. The problem doesn't go away because a patch is available.
Somebody has to go out and FIND and REGENERATE and REPLACE all those keys before some hacker knocks on the door.
That's bad. Look I like, use, and boost Linux. But this is not funny. It's awful.
The bug is limited to Debian and Ubuntu systems. One problem is that Linux is widely used in web server systems
Sounds like the original author didn't document his code well enough.
My automatic update for Kubuntu contained blacklisted key files 5-6 days ago.
Ah. I don’t run automatic updates; prefer to do it manually.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.