16 May 2008

Debian “patch” allows simple brute force attacks

Filed under: Commentary — András Salamon @ 11:42

Back in May 2006, an enterprising Debian team member decided to address the complaints from Purify and/or Valgrind, when compiling OpenSSL.

The result was a patch that silenced those pesky warnings for good.

Notice how the second part of the patch comments out a piece of code calling the MD_Update() function; a piece of code that is explicitly bracketed by a pair of #ifndef PURIFY/#endif directives. In other words, the “right” way to fix this is probably to ensure that PURIFY is set during compilation. The reason provided for the change: “/* purify complains */”. Perhaps it is now usual to ignore the immediate context of code.

The interesting thing about this “patch” is that it reduces the space of keys to 32767 values for each of the common key sizes. As pointed out by the folks over at Metasploit, this makes it easy to generate the full list of keys. In fact, it’s so easy that they provide the list as a convenient download for each common key size, about 250MB of data in all.

The consequence: all SSH and SSL keys generated on Debian 4.0 (etch) derived systems from September 2006 or so are rather easy to guess.

Corollary: any data encrypted using such keys during the last 18 months can now be decrypted by anyone.

Let’s hope people have not kept too many packet traces of SSH connections between machines that use affected keys.

Corollary: change affected keys immediately.

5 May 2008

Ideas are cheap

Filed under: Commentary,Ideas — András Salamon @ 16:53

Contrary to popular belief, ideas are easy to come by. In the meantime, Malcolm Gladwell reports that there is money in generating some, by playing the hoary patents game.  Perhaps it’s time to turn this into an open source game?  Ideas are cheap, execution is hard, and well-executed good ideas really should be more common: there are just too many counterexamples.

Social surplus: gin vs. television?

Filed under: Commentary — András Salamon @ 15:54

If gin was the favoured coping strategy in the early part of the Industrial Revolution, then television is surely the Atomic Age equivalent. People have been living with several hours of free time each day for decades now, with most of that free time soaked up by watching TV. However, Clay Shirky argues that when it becomes easy enough to contribute, then people will tend to actively produce instead of just passively consuming. Wikipedia constitutes only about 100 million hours of effort, he says, which is a tiny fraction of the total amount of time spent watching television in a single weekend.

Shirky relates an anecdote of a four year old looking for a mouse to interact with a DVD, and then extrapolates this to a vision of people engaging in production as a leisure activity. I’m dubious that everyone is going to prefer to spend their leisure time producing cultural artefacts instead of essentially passive activities like taking in another repeat episode on the couch, laughing at clever captions, or “watching” records being played. However, if even a small fraction of people do make this shift, the effect should still be very significant.

One prediction: politics will become a mainstream time sink in the next few years, and representative democracy should slowly nudge towards finer grained structures. Of course, all the other social changes will be obvious, once they’ve taken place…

Blog at