Bonum Certa Men Certa

Preserving Information About Debian's SSH Blunder (Amid Revelations About Edward Brocklesby (ejb) and "Proximity to Oxford and GCHQ")

posted by Roy Schestowitz on Jun 08, 2024

Not Edward Snowden but a very rogue actor

Re: Proposed change to Debian constitution

Remember that he got expelled for illegal activities, but almost nobody knew. Debian kept quiet about it.

MY WIFE and I both use Debian. Our Web sites also use Debian. Almost everything in our home uses Debian. So we're genuinely concerned, not "concern-trolling" (or acting as "controlled opposition"). My wife and I were bullied (for years) by someone who claims to be in Debian, but also seems to be in the Microsoft camp, not Debian. The bullying intensified greatly when we started reposting many old articles from Daniel Pocock, whereupon he filed a SLAPP-style lawsuit, trying to bankrupt us with 6-figure financial demands. Yet worse, the Debian Project is entrusting security or offloading the decision-making to people who are not only lacking qualifications but are openly (publicly) saying "social interaction with Debian-the-distribution makes me want to stab people" (nope, not a typo! Not making this up!).

Today I spoke to my mother, who was also attacked by these very vicious people. She's not even technical, so what on Earth do they want from her? Those who did this will regret what they did and we won't accept an apology. They will pay for it. We got the best lawyer in the area, according to his esteemed peers. We won't be intimidated or hold back.

This morning we republished an article from 16 years ago, albeit not in full. It's a good article and an external link to another fairly authoritative source was included. The full article has more technical bits, but the overall description of the issue matters more than a proof of concept (PoC). How did Debian get something so basic... so very wrong? There were even errors shown, but these were ignored or suppressed. The issue may be 16 years old, but when it comes to Edward Brocklesby (ejb) we're talking about decades back and in Snowden's NSA leaks we saw allusions to SSH too. I personally wrote about those at the time (2013-2014).

We'd like to quote extensively from this second article before it goes offline (the original will be gone one day; that's just how the Web works).

Last week, Debian announced that in September 2006 they accidentally broke the OpenSSL pseudo-random number generator while trying to silence a Valgrind warning. One effect this had is that the ssh-keygen program installed on recent Debian systems (and Debian-derived systems like Ubuntu) could only generate 32,767 different possible SSH keys of a given type and size, so there are a lot of people walking around with the same keys.

Many people have had fingers pointed at them, but it is not really interesting who made the mistake: everyone makes mistakes. What's interesting is the situation that encouraged making the mistake and that made it possible not to notice it for almost two years.

To do that, you have to understand the code involved and the details of the bug; those require understanding a little bit about entropy and random number generators.

Entropy

Entropy is a measure of how surprising a piece of data is. Jon Lester didn't pitch in last night's Red Sox game, but that's not surprising--he only pitches in every fifth game, so most nights he doesn't pitch. On Monday night, though, he did pitch and (surprise!) threw a no-hitter. No one expected that before the game: it was a high-entropy event.

Entropy can be measured in bits: a perfect coin flip produces 1 bit of entropy. A biased coin produces less: flipping a coin that comes up heads only 25% of the time produces only about 0.4 bits for tails and 2 bits for heads, or 0.8 bits of entropy on average. The exact details aren't too important. What is important is that entropy is a quantitative measure of the amount of unpredictability in a piece of data.

An ideal random byte sequence has entropy equal to its length, but most of the time we have to make do with lower-entropy sequences. For example, the dates of Major League no-hitters this year would be a very unpredictable sequence, but also a very short one. On the other hand, collecting the dates that Lester pitches for the Red Sox this year is fairly predictable—it's basically every fifth day—but there are still unexpected events like injuries and rain-outs that make it not completely predictable. The no-hitter sequence is very unpredictable but is very short. The Lester starts sequence is only a little unpredictable but so much longer that it likely has more total entropy.

Computers are faced with the same problem: they have access to long low-entropy (mostly predictable) sources, like the interarrival times between device interrupts or static sampled from a sound or video card, but they need high-entropy (completely unpredictable) byte sequences where every bit is completely unpredictable. To convert the former into the latter, a secure pseudo-random number generator uses a deterministic function that acts as an “entropy juicer.” It takes a large amount of low-entropy data, called the entropy pool, and then squeezes it to produce a smaller amount of high-entropy random byte sequences. Deterministic programs can't create entropy, so the amount of entropy coming out can't be greater than the amount of entropy going in. The generator has just condensed the entropy pool into a more concentrated form. Cryptographic hash functions like MD5 and SHA1 turn out to be good entropy juicers. They let every input bit have some effect on each output bit, so that no matter which input bits were the unpredictable ones, the output has a uniformly high entropy. (In fact this is the very essence of a hash function, which is why cryptographers just say hash function instead of made-up terms like entropy juicer.)

The bad part about entropy is that you can't actually measure it except in context: if you read a 32-bit number from /dev/random, as I just did, you're likely to be happy with 4016139919, but if you read ten more, you won't be happy if you keep getting 4016139919. (That last sentence is, technically, completely flawed, but you get the point. See also this comic and this comic.) The nice thing about entropy juicers is that as long as there's some entropy somewhere in the pool, they'll extract it. It never hurts to add some more data to the pool: either it will add to the collective entropy, or it will have no effect.

There's a lot more there inside the page, including finer and more technical details. It's not only about Debian but also distributions (or operating systems) based on Debian. It was a catastrophe at the time. However, like most of the Web (www), there's a vast level of amnesia, so it's hard to find press reports. We need to ensure that what happened in 2008 isn't getting lost or being progressively forgotten, downplayed and so on. "The citations are very important so as not to give the Microsofters an attack point," an associate noted, but at the same time we must respect Fair Use (legal doctrine). What we posted this morning was probably sufficient as the goal was to make this stick online and be easier to find. I remembered that incident very well, a lot of media covered it at the time, but right now it is HARD TO FIND. Either Google "forgets", deranks for "age", or the sites go offline (or change CMS, lose old material et cetera). Apparently Google doesn't even give/prioritise results anymore, it plagiarises sites and offers low-grade text, falsely portrayed as "AI" (stochastic parrot, LLM).

Here is one online copy that's a backup (archive.today), hopefully one that can stick for decades to come (the latter relies not on that one online copy being live).

"Make sure that one of the archives has it then," an associate has told me. Well, archive.ph has it, as do the TLD/suffix mirrors. We may need to cite it and quote key portions of it as Daniel Pocock progresses with his series (3 parts so far). To quote a key part: "One effect this had is that the ssh-keygen program installed on recent Debian systems (and Debian-derived systems like Ubuntu) could only generate 32,767 different possible SSH keys of a given type and size, so there are a lot of people walking around with the same keys."

People had to go through a lot of trouble at the time, not to mention feel paranoid that they may have already been cracked without knowing and without verifiable traces of an intrusion. What if a state actor was responsible for this? What if it was a FIVE-EYES agent, rather than the popular Chinese or Russian scapegoat? What if Debian knew about it but chose not to tell (just to save face)? This is what makes the Edward Brocklesby revelations so very damning.

We remind readers that the NSA's mathematicians often target the weakening of an RNG by lowering entropy (while giving an illusion of entropy - i.e. uncertainty or variance - being very high). That's a subject covered in parts in my Ph.D. thesis; I'm not unfamiliar with the science of entropy.

As Pocock progresses maybe we can collect and file links related to this from Snowden's stash, as some of it covered this topic before GCHQ's blackmail against the British press (and plunder by Pierre Omidyar) killed any remaining journalism on this subject.

In order to make a compelling timeline or sequence of events we'd have to dig up very old articles, if they're still online at all. But that's OK, we have time. To us, time isn't money because this site isn't a business. It's grotesque that we too became a target for blackmail, after we had been bullied and defamed for years. Why does Debian harbour such monsters/mobsters? Intimidating female users of Debian, then wondering why barely any women join Debian? We'll say more about Debian's mistreatment, even of its own developers, in the next article.

Other Recent Techrights' Posts

4 Years Ago Freenode Crumbled From Within
there are still hundreds of thousands of users online at any given time
Microsoft Has Tainted GNOME, Which Has Key People Acting as a SLAPP Front Against Techrights (Trying to Censor the Site by Extortion and Many Threats)
One common denominator (other than Microsoft salaries) is GNOME, which was led by an actual professional crank until she quit so suddenly months ago
Homeland of Linux Kernel Turning to GNU/Linux?
Adoption of Vista 11 has been relatively low
Deja vu: Hitler's Birthday, Andreas Tille elected Debian Project Leader again
Reprinted with permission from Daniel Pocock
 
On Desktops/Laptops in Singapore Does a Fifth of Users Run GNU/Linux?
Probably not, but it's growing fast there
Links 21/04/2025: Fake Ceasefire and Software Patents (Fake Patents) Thrown Out
Links for the day
Companies With Fake Values and a Fake Economic/Financial State (Phony Valuations)
It'll all go up in smoke, eventually
Links 21/04/2025: Microsoft LLM Slop (Plagiarism) Going Out of Control, CT Scans' Cancer Problems Was Underrated
Links for the day
GNOME Has a Long History (Over a Decade) Misusing the Code of Conduct (CoC) to Censor (Cull) Legitimate Technical Criticism
This has nothing to do with manners, it's about control (by cover-up)
According to StatCounter, This is What Linux Adoption Looks Like (Based on Web Requests Visible to StatCounter)
How much worse will it get for Microsoft?
Gemini Capsules Still Outsourcing to Certificate Authority Let's Encrypt Now Measured at Less Than 10 (or Less Than 0.3%)
In Geminispace, Let's Encrypt is not commonly used
Twisting Microsoft's Failure (Transmitting Malware) as "SSH Backdoors" and a Linux Problem
Somehow we almost always find that those FUD pieces about "Linux" are based on obvious falsehoods
Vista 11 Has Burned OEMs and Some Move to GNU/Linux
When people can finally avoid Windows (there's no reason to attach it to new PCs) there will be a lot more GNU/Linux users out there
Remember That Microsoft Mass Layoffs Are Imminent Because Its 'Empire' is Falling Apart
European politicians take a long, hard look a Free software
Richard Stallman in the UK This Week, Scheduled to Give Two Public Talks (London and Oxford)
Those talks do not cover the same topics
Gemini Links 21/04/2025: April, Autism, and ASN
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, April 20, 2025
IRC logs for Sunday, April 20, 2025
Links 20/04/2025: Partly Assorted Scientific and Political Leftovers
Links for the day
Links 20/04/2025: Many Data Breaches and Growing Censorship Wave
Links for the day
Gemini Links 20/04/2025: Canadian Elections and "Use the Best Tools You Have for the Current Environment"
Links for the day
Links 20/04/2025: Bleeding Constitution and ChatGPT Infuriates Users Some More
Links for the day
Chinese OEMs (and World's Largest) Pave a Path Out of Microsoft Windows
So Microsoft now values (or prices) Vista 11 at just $140?
Gemini Links 20/04/2025: Contradictions of Mark Carney and Blog Questions Challenge
Links for the day
Microsoft's 'Lawsuit Diplomacy' (SLAPPs Riding UK Libel Law and Piggybacking UK GDPR, Inapplicable!) Will Only Give a Worse Image to Microsofters (and Microsoft), Give Exposure to Even More Suppressed Facts and Scandals
Microsoft came to dominate some sectors because of (or owing to) crimes; Microsoft won't just go away without some more crimes.
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, April 19, 2025
IRC logs for Saturday, April 19, 2025
Five (or Three) Years Without Social Control Media
Glyn Moody quit X (Twitter)
Electronics in People's Bedrooms
Modern technology not only blurred the gap between "functions" of rooms
Why GNU/Linux is Growing
There's growing interest in GNU/Linux right now because people do not fancy buying a new PC just to 'upgrade' (more spying) Windows
Gemini Links 19/04/2025: Contingencies, GTD, and Old Computers
Links for the day
Links 19/04/2025: Economic Races, Charm Offensives, and USB-C Rants
Links for the day
Links 19/04/2025: "Infantilization at Big Tech" and LLM Slop Abused in Defiance of Workplace Rules/Policies
Links for the day
Gemini Links 19/04/2025: Palm Addiction and Real Experts
Links for the day
Egypt is Controlled by Google, Not Microsoft
Moving from Microsoft to Google is not the answer
Microsofters Say They Cannot Find a Job (That They Want) Because of Techrights, But Techrights Merely Reported on Their Behaviour
Quit pointing the finger at people who are recipients of abuse or merely mention the abuse
Free Software and Standards - Not Marketing Blitz - Needed Amid Growing Severity of Dependency on Hostile Suppliers (or Another Country's Sovereignty)
ZenDiS can be described as the "Center for Digital Sovereignty of Public Administration"
When It Comes to the Web, Google is Evil and It Destroys the Web's Integrity With LLM Slop
Even academia, which is meant to keep standards high, is being lured into LLM slop
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, April 18, 2025
IRC logs for Friday, April 18, 2025