The Bug That Needs An Unofficial Name That Consists Of "The" And One Word
A few days later, I'd say the Debian OpenSSL PRNG seed bug is probably one of the most significant bugs in computing history, and it hasn't even made the mainstream news so no one knows about it. Probably for the best. :-) A few major assumptions were hit hard:
- Software patched by your distro is just as good as the upstream software
- Source code visibility ensures that crypto bugs are found quickly
- Software-based PRNGs are good enough
- Encryption ensures that no bad guys can get your data before the death of the universe
I'm not sure what's worse: the fact that there were only 32,767 unique SSH/SSL keys generated over a 1.5-year timespan by all the Debian/Ubuntu systems in the world, or the fact that NO ONE NOTICED[1] even though a lot of very big projects use ssh keys for authentication and, given the birthday paradox, collisions were practically inevitable...
Ah well, all we can do is laugh: http://xkcd.com/424/
FYI: For those to whom I mentioned a possible happy hour here this afternoon: the weather looks like it'll be good enough, but we made other plans for this evening. Perhaps next week! -rt
[1] Except for GitHub, who probably thought (at the time) they were being pranked: http://github.com/blog/63-ssh-keys-generated-on-debian-ubuntu-compromised
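
The birthday-paradox point above, worked through as an added example (not code from this post or from any project it mentions): the first part computes how few keys it takes before a collision is likely, assuming keys are drawn uniformly from the 32,767 figure quoted above; the second part is the kind of check a key-hosting service can run to notice different accounts registering the same public key. The account names and key blobs are constructed sample data, and the `type base64 comment` line layout is an assumption.

```python
import base64
import hashlib
import math
from collections import defaultdict

KEYSPACE = 32_767  # number of unique keys, the figure quoted in the post

def collision_probability(n_keys, keyspace=KEYSPACE):
    """Exact chance that at least two of n_keys uniformly drawn keys are identical."""
    if n_keys > keyspace:
        return 1.0
    # log of prod_{i=0}^{n-1} (1 - i/keyspace), summed in log space for stability
    log_no_collision = sum(math.log1p(-i / keyspace) for i in range(n_keys))
    return 1.0 - math.exp(log_no_collision)

def keys_for_probability(target, keyspace=KEYSPACE):
    """Smallest number of keys whose collision probability reaches target."""
    n = 1
    while collision_probability(n, keyspace) < target:
        n += 1
    return n

def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_keys(keys_by_account):
    """Map fingerprint -> accounts, for keys registered by more than one account."""
    owners = defaultdict(set)
    for account, lines in keys_by_account.items():
        for line in lines:
            owners[fingerprint(line)].add(account)
    return {fp: sorted(a) for fp, a in owners.items() if len(a) > 1}

def sample_key(seed, comment):
    # Constructed stand-in blob, not a real SSH key; only blob equality matters here.
    return "ssh-rsa %s %s" % (base64.b64encode(b"constructed-%d" % seed).decode(), comment)

SAMPLE = {  # constructed accounts; carol's key blob is identical to alice's
    "alice": [sample_key(1, "alice@laptop")],
    "bob": [sample_key(2, "bob@desktop"), sample_key(3, "bob@server")],
    "carol": [sample_key(1, "carol@vm")],
}

if __name__ == "__main__":
    print("keys needed for a 50% collision chance:", keys_for_probability(0.5))
    print("keys shared across accounts:", shared_keys(SAMPLE))
```

Under the uniform-draw assumption, a collision becomes more likely than not after only a couple of hundred keys, so any service holding thousands of user keys would have held duplicates.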