Huge Hole in Open Source Software Found, Leaves Millions Vulnerable


It is incredible just how big the effects of the newly discovered error in open source key generation is



Reading that makes me relieved I didn’t switch my system over to linux last week :eek:

[QUOTE=wazzy;2064222]Reading that makes me relieved I didn’t switch my system over to linux last week :eek:[/QUOTE]psssst wazzy don’t tell debro that :stuck_out_tongue: :bigsmile:

Hmm, that’s erm…yeah, not good at all! However it seems to have been limited to a mistake originating in Debian, only affecting Debian and Ubuntu systems. Yay for openSUSE!

So just to clarify, are these keys used for things like remote access via SSH or are they more widespread, for instance being generated for https connections when a server is running one of the aforementioned distros (not many Ubuntu servers that I know of but not sure about Debian)?

I guess it goes to show that all OSs have their flaws, and that no developer is perfect. However if Debian hadn’t tried to get clever with their implementation and just left certain things to the openSSH team then it seems this wouldn’t have happened!

Lol … limited cypher keys … err… oops …

Luckily it’s limited to Debian & debian derivatives :iagree: and really only affects servers, as they will be generating & distributing keys … not the general desktop user.

*But Wait! There’s still more!

Um, the problem is … how many corporations are running Debian, or Debian Derivative, servers - Debain is the “Stable release” of the linux world. This problem doesn’t just affect Linux users!!! It affects anyone which uses a compromised server!!!

This problem affects anyone using a debian server -> Anyone using netbanking ever asked their bank what server OS they’re using to serve their internet banking site?
Be afraid … be very afraid :iagree: Even if you are running windows.

I am not familiar with Linux any more that the average joe but from what i have read already around the web this aint a serious problem since the system will reset the key every ten attempts or so of someone trying to guess it; so even if the combinations are less the key getting reset every 10 guesses makes it almost impossible to brute force it or something.

Am i wrong?

I’m not sure of the time that it takes to test every conceivable key available to the encryption … but it’s freaking LONG time. A period which is deemed so long that the relevance of the information is quite low. In the case of “social security numbers” in the USA, that’s a 90yr lifetime, so I’m assuming that the time required to brute force the encryption open is many times that.

This problem manifests in 2 ways:

  1. Communications encryptions.
  2. File encryptions.

If someone intercepts a communications packet (or many packets) between an affected Debian based server and any (OS) client, there is a significantly reduced range of possible encryption keys that the server will use to negotiate comms with the client, so brute forcing the intercepted packets open will be much faster since they only need to check a very small subset of the possible keys. This could mean a matter of days or weeks of brute forcing, meaning the information inside can still be relevant.
How often do you change your internet banking password?

The second way is file encryptions on the servers, or personal file security, which is probably less of a problem than the interception problem, as the crackers would need local access to the server, or to have previously intercepted packets between an affected server & a remote administrator.

That said, crackers could already have intercepted communications with financial institutions, or other matters of interest within the last few years … and recorded it somewhere … with the discovery & publication of this limited range, they can now focus on brute-forcing anything recorded since the problem began, and it will likely be open to them within a short time.

Quick … everyone change all your internet passwords

twice as good

I’m a happy user of Slackware at 11 years. :bigsmile:

I’d be tempted to try slackware out but I like the GNOME desktop way too much…I suppose I could install something along the lines of though.

[QUOTE=Chriso;2068375]I’d be tempted to try slackware out but I like the GNOME desktop way too much…I suppose I could install something along the lines of though.[/QUOTE]

Actual Slackware 12.1 includes KDE and GNOME.

Really? I thought they dropped GNOME support a while back…might have a go of it this summer when I’ve got some free time then!

EDIT “and two of the most advanced desktop environments available today: Xfce 4.4.2, a fast, lightweight, and visually appealing desktop environment, and KDE 3.5.9, the latest 3.x version of the full-featured K Desktop Environment.”

Their site seems to suggest otherwise…