The Bug That Needs An Unofficial Name That Consists Of "The" And One Word

A few days later, I'd say the Debian OpenSSL PRNG seed bug is probably one of the most significant bugs in computing history, and it hasn't even made the mainstream news so no one knows about it. Probably for the best. :-) A few major assumptions were hit hard:

• Software patched by your distro is just as good as the upstream software
• Source code visibility ensures that crypto bugs are found quickly
• Software-based PRNGs are good enough
• Encryption ensures that no bad guys can get your data before the death of the universe

I'm not sure what's worse: the fact that there were only 32,767 unique SSH/SSL keys generated over a 1.5-year timespan by all the Debian/Ubuntu systems in the world, or the fact that NO ONE NOTICED[1] even though a lot of very big projects use ssh keys for authentication and, given the birthday paradox, collisions were practically inevitable... Ah well, all we can do is laugh: http://xkcd.com/424/ FYI: For those to whom I mentioned a possible happy hour here this afternoon: the weather looks like it'll be good enough, but we made other plans for this evening. Perhaps next week! -rt [1] Except for github, who probably thought (at the time) they were being pranked: http://github.com/blog/63-ssh-keys-generated-on-debian-ubuntu-compromised