Last months have been good for the security market. SPAM rose [it has been since 30 years but who is counting?], BOTNETS grew, CC snooping went bigger and the list was nicely added with two, well, astounding issues within the last 24 hours.
First we have a crypto nub who decides to remove basically all randomness [the seed used for PRNG (Pseudo Random Number Generator) used when creating SSL keys] from SSL in Debian. That did not happen last week, nor last month, not even last year, but on Tue May 2 16:34:53 2006 UTC. For reasons that have been mentioned over and over again, not security people should not, repeat NOT fiddle with security issues. Specially not packagers who just want things to install cleanly and silently. That bad.
In this case an unnamed individual did not like what he saw as uninitialized data, he removed one line:
That was enough to make ALL SLL certificates [and thus too the SSH keys that are based on SSL] generated on these systems a randomness that is limited to 32.768 options [all possible PID's on UNIX... That sounds a lot to humans, to computers that is nothing and to crypto it is fcuk all. It is so small that all possible keys have been generated in about two hours for the 1024-bit DSA and 2048-bit RSA keys for x86. HD Moore used 31 Xeon cores clocked at 2.33Ghz to do this.
Luckily for the researchers, HD Moore of metasploit moved quickly and created the OpenSSL Debian toolset WITHIN 24 HOURS[!!!] to toy with the issue.
Thank you. Scripters of the world: unite and have a ball!
To bring the issues a little closer to your mom & pop [who hardly depend on SSH], Aviv Raff decided to post a real nice and nifty 0-day for IE. Scripters of the world, you know what to do.
This is a particular nasty one, not just because it affects about 60% of all browsers in the world but also because our friends in Redmond just pushed out their monthly 'updates' so it will take at least another month before a patch is available, let alone the time it takes for mom & pop to actually update their IE.
So life is good, money there is to be made for us security people. Or is it?