Alarming Open-Source Security Holes (key generation flaw leaves millions vulnerable)

Technology Review ^ | 5/20/2008 | Simson Garfinkel

[PapaBear3625]

Commentary from Daily Tech:

A simple programming error reduced the entropy in the generated program keys created by the OpenSSL library. Why does this matter? The OpenSSL library's key generation and other routines are used by the SSH remote access program, the IPsec Virtual Private Network (VPN), the Apache Web server, secure email clients, programs that offer secure internet portals and more.

In a nutshell, a 128-bit encryption key, instead of having 10^38 possible values (making it effectively impossible to guess they key), really only has 32,767 possible values, meaning that guessing the key becomes trivial

All your encryption keys are belong to us

[PapaBear3625]

Preliminary tech ping

[Da Coyote]

And what liberal arts degree did this “programmer” have? Obviously no math degree.

[edcoil]

So you get something for free and what - demand it is as secure as something you pay for? Silly people.

[krb]

Probably was a math major instead of a computer engineer who actually understands how registers work and how integer arithmetic works in a computer.

[LiberConservative]

... cracking the keys of these poor Linux and Ubuntu computer systems ...

Butbutbutbut I thought only evil Windows systems were vulnerable. /sarc

[Eddie01]

Bill Gates, is that you?

[ezsmoke]

debian screwed up and modified something they shouldn’t have. The OpenSSL Project itself does not have the bug nor does any non-debian based system.

[Big Giant Head]

bookmark

[perfect_rovian_storm]

Yeah, because we all know that paid closed source software never has any security problems. /sarc

[padre35]

No matter though, a Linux migration is not that particularly difficult, and the “upgrade” is free or very very low cost.

If this had happened on Blista, the cost of reverting back to XP would be tremendous.

The penguin is an adaptable beast after all..:)

[dayglored]

> Probably was a math major instead of a computer engineer who actually understands how registers work and how integer arithmetic works in a computer.

Nope, it was dumber than that:

A programmer, who didn't understand the function of the randomizing variables in the key generator, removed all but one (the process ID, 0-32767). He eliminated random memory contents, mouse movements, keyboard input, everything but process ID.

Why? Because a "bug-catching" program told him that memory whould be initialized, not left "random", etc. Rather than strive to figure out why the code would have contained such things, he merely commented them out to quiet the bug-catcher software.

This was unintentional, but the fallout is horrific.

[dayglored]

whould => should

[sionnsar]

Looks like Kubuntu has a fix up, and I also saw a list of blacklisted keys can be installed.

[ezsmoke]

Here is the slashdot thread about this from two weeks ago.
http://it.slashdot.org/article.pl?sid=08/05/13/1533212

[dayglored]

> No matter though, a Linux migration is not that particularly difficult, and the “upgrade” is free or very very low cost. If this had happened on Blista, the cost of reverting back to XP would be tremendous. The penguin is an adaptable beast after all..:)

You miss the point.

There are two years' worth of WORTHLESS KEYS out in the world. The problem doesn't go away because a patch is available.

Somebody has to go out and FIND and REGENERATE and REPLACE all those keys before some hacker knocks on the door.

That's bad. Look I like, use, and boost Linux. But this is not funny. It's awful.

[PapaBear3625]

The bug is limited to Debian and Ubuntu systems. One problem is that Linux is widely used in web server systems

[sionnsar]

Why? Because a "bug-catching" program told him that memory whould be initialized, not left "random", etc. Rather than strive to figure out why the code would have contained such things, he merely commented them out to quiet the bug-catcher software.

Sounds like the original author didn't document his code well enough.

[Clara Lou]

My automatic update for Kubuntu contained blacklisted key files 5-6 days ago.

[sionnsar]

Ah. I don’t run automatic updates; prefer to do it manually.