Message Boards » Tech Talk » linux only has 32,767 different keys...
Prospero (All American, 11662 Posts)

not as secure as everyone thought... among other open-source projects affected.
http://www.dailytech.com/article.aspx?newsid=11869
http://www.technologyreview.com/Infotech/20801/page1/

128-bit, 16-bit FTW!

5/23/2008 4:57:04 PM

Prospero (All American, 11662 Posts)

ok, to clarify:

Quote :
"Be careful. This whole article implies that the problem is more widespread than it really is.

Only distributions (like Ubuntu) that use the Debian repositories were affected. NONE of the commercial vendors and most of the other major distributions (RPM-based, source-based, etc.) are completely unaffected. This also only affects keys generated on Debian derivatives.

Further, Ubuntu is distributing with the updated OpenSSH packages a key blacklist and vulnerability assessment utility. Users who have bad keys are being notified at the time of update that their keys may be compromised."


http://www.ubuntu.com/usn/usn-612-1

sorry for the partially incorrect title

[Edited on May 23, 2008 at 5:03 PM. Reason : .]

5/23/2008 5:00:31 PM

scud (All American, 10804 Posts)

partially incorrect title?

more like extremely misleading title

5/23/2008 5:10:52 PM

Prospero (All American, 11662 Posts)

ok, replace linux with openssh

linux distros = ubuntu & debian

do millions of linux distros out there (people running linux) only have 32,767 keys at their disposal? yes.

it essentially means that of the millions of people running debian / ubuntu, you could brute force their OpenSSH key in like seconds.

[Edited on May 23, 2008 at 5:16 PM. Reason : .]

5/23/2008 5:12:49 PM

gs7 (All American, 2354 Posts)

Ummm, even if I were running Ubuntu/Debian ... no, you can't brute force my OpenSSH key in any useful timeframe. It's multiple words and 36 characters long. Good luck.

[Edited on May 23, 2008 at 5:35 PM. Reason : .]

5/23/2008 5:34:51 PM

Prospero (All American, 11662 Posts)

um, that's not how it works.

your passphrase is not the key, the key is a randomly generated key that's used to send your data, so after 2^15 attempts, the key WOULD be compromised since that's the maximum # of keys it has to generate. once someone has the key they can view your data being sent, so any "passphrase" you use for any other website.... no matter how long it is, would be compromised.

[Edited on May 23, 2008 at 6:08 PM. Reason : .]

5/23/2008 6:04:40 PM
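Added example (my own code, not from the linked articles, Debian, Ubuntu or the Metasploit page): a toy model of what the Debian OpenSSL bug (CVE-2008-0166) actually did. The Debian patch removed the code that mixed real entropy into OpenSSL's PRNG, so the only varying input to key generation was the process ID, and Linux PIDs stop at 32,767. That is where the "32,767 keys" figure comes from (per key type, key size and CPU architecture), and it is also why the USN-612-1 blacklist works: the defender can precompute every key the broken generator could ever emit and look yours up by fingerprint, and the attacker can do exactly the same from your public key alone. The key derivation below is a hash standing in for the RSA/DSA math; `weak_keygen`, `build_blacklist`, `recover_private_key` and `is_vulnerable` are names I chose, not OpenSSL or OpenSSH functions.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Linux default pid_max is 32768, so PIDs run 1..32767: the only "entropy"
# the broken Debian OpenSSL fed its PRNG. This toy models CVE-2008-0166;
# it is not OpenSSL, and its key derivation is a hash, not RSA/DSA.
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Toy key generator whose only input is the PID (the Debian bug).

    Same PID -> same private key, every time, on every machine of the same
    architecture. Returns a 32-byte 'private key'.
    """
    if not 1 <= pid < PID_MAX:
        raise ValueError("pid out of range")
    return hashlib.sha256(b"toy-keygen|" + pid.to_bytes(2, "big")).digest()


def public_key(priv: bytes) -> bytes:
    """One-way mapping private -> public (stands in for the RSA/DSA math)."""
    return hashlib.sha256(b"pub|" + priv).digest()


def fingerprint(pub: bytes) -> str:
    """OpenSSH-style MD5 fingerprint of the public key blob, aa:bb:cc:..."""
    h = hashlib.md5(pub).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def build_blacklist() -> Dict[str, int]:
    """Enumerate every key the broken generator can ever produce.

    This is what the openssh-blacklist package / ssh-vulnkey check amounts
    to: one fingerprint per PID, 32,767 entries, trivially precomputed.
    """
    return {fingerprint(public_key(weak_keygen(pid))): pid
            for pid in range(1, PID_MAX)}


def recover_private_key(pub: bytes,
                        blacklist: Optional[Dict[str, int]] = None) -> Optional[bytes]:
    """Attacker side: from the victim's *public* key alone, find the private key.

    The search space is the 32,767 seeds, not the nominal keyspace of the
    key size. The user's passphrase never enters this: it only encrypts the
    private key file on disk, so a weak key is weak with or without one.
    Returns None if the key is not in the vulnerable set.
    """
    if blacklist is None:
        blacklist = build_blacklist()
    pid = blacklist.get(fingerprint(pub))
    return None if pid is None else weak_keygen(pid)


def is_vulnerable(pub: bytes, blacklist: Dict[str, int]) -> bool:
    """Defender side: the ssh-vulnkey-style check you would run over
    authorized_keys and host keys."""
    return fingerprint(pub) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print(f"reachable keys: {len(bl)}")

    # Victim generated a key on a broken box; the PID is whatever ssh-keygen got.
    victim_pid = secrets.randbelow(PID_MAX - 1) + 1
    victim_priv = weak_keygen(victim_pid)
    victim_pub = public_key(victim_priv)
    print("victim key vulnerable:", is_vulnerable(victim_pub, bl))
    print("attacker recovered private key:",
          recover_private_key(victim_pub, bl) == victim_priv)

    # A key from a properly seeded generator is not in the 32,767-entry set.
    good_pub = public_key(secrets.token_bytes(32))
    print("good key vulnerable:", is_vulnerable(good_pub, bl))
    print("attacker recovered good key:", recover_private_key(good_pub, bl))
```

Building the whole table takes a fraction of a second here and took minutes to hours for real RSA/DSA keys at the time, which is the sense in which "seconds" is right: once the table exists, breaking any key that came out of the broken generator is one lookup. Keys generated anywhere else, or with the fixed packages, simply are not in the table, which is also why the check is a blacklist rather than a test of the key itself.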

smoothcrim (Universal Magnetic!, 18955 Posts)

this only matters if you're using 16-bit hashing in addition to passphrase-less auth (pub/priv key pair) which most people do NOT set up.
read the article instead of going off what you posted.

this still isn't a huge deal without a lot of other conditions met

[Edited on May 23, 2008 at 9:18 PM. Reason : I haven't used debian/ubuntu, does it setup pub/priv ssh by default or something?]

5/23/2008 9:07:59 PM

philihp (All American, 8349 Posts)



http://metasploit.com/users/hdm/tools/debian-openssl/

^ Good explanation of the bug and its impact.

5/24/2008 12:12:48 AM

gs7 (All American, 2354 Posts)

^Thanks, that explanation makes a lot more sense.

5/24/2008 12:55:09 AM

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.