Preserving Information About Debian's SSH Blunder (Amid Revelations About Edward Brocklesby (ejb) and "Proximity to Oxford and GCHQ")
Not Edward Snowden but a very rogue actor
Remember that he got expelled for illegal activities, but almost nobody knew. Debian kept quiet about it.
MY WIFE and I both use Debian. Our Web sites also use Debian. Almost everything in our home uses Debian. So we're genuinely concerned, not "concern-trolling" (or acting as "controlled opposition"). My wife and I were bullied (for years) by someone who claims to be in Debian, but also seems to be in the Microsoft camp, not Debian. The bullying intensified greatly when we started reposting many old articles from Daniel Pocock, whereupon he filed a SLAPP-style lawsuit, trying to bankrupt us with 6-figure financial demands. Yet worse, the Debian Project is entrusting security or offloading the decision-making to people who are not only lacking qualifications but are openly (publicly) saying "social interaction with Debian-the-distribution makes me want to stab people" (nope, not a typo! Not making this up!).
Today I spoke to my mother, who was also attacked by these very vicious people. She's not even technical, so what on Earth do they want from her? Those who did this will regret what they did and we won't accept an apology. They will pay for it. We got the best lawyer in the area, according to his esteemed peers. We won't be intimidated or hold back.
This morning we republished an article from 16 years ago, albeit not in full. It's a good article and an external link to another fairly authoritative source was included. The full article has more technical bits, but the overall description of the issue matters more than a proof of concept (PoC). How did Debian get something so basic... so very wrong? There were even errors shown, but these were ignored or suppressed. The issue may be 16 years old, but when it comes to Edward Brocklesby (ejb) we're talking about decades back and in Snowden's NSA leaks we saw allusions to SSH too. I personally wrote about those at the time (2013-2014).
We'd like to quote extensively from this second article before it goes offline (the original will be gone one day; that's just how the Web works).
Last week, Debian announced that in September 2006 they accidentally broke the OpenSSL pseudo-random number generator while trying to silence a Valgrind warning. One effect this had is that the ssh-keygen program installed on recent Debian systems (and Debian-derived systems like Ubuntu) could only generate 32,767 different possible SSH keys of a given type and size, so there are a lot of people walking around with the same keys.Many people have had fingers pointed at them, but it is not really interesting who made the mistake: everyone makes mistakes. What's interesting is the situation that encouraged making the mistake and that made it possible not to notice it for almost two years.
To do that, you have to understand the code involved and the details of the bug; those require understanding a little bit about entropy and random number generators.
Entropy
Entropy is a measure of how surprising a piece of data is. Jon Lester didn't pitch in last night's Red Sox game, but that's not surprising--he only pitches in every fifth game, so most nights he doesn't pitch. On Monday night, though, he did pitch and (surprise!) threw a no-hitter. No one expected that before the game: it was a high-entropy event.
Entropy can be measured in bits: a perfect coin flip produces 1 bit of entropy. A biased coin produces less: flipping a coin that comes up heads only 25% of the time produces only about 0.4 bits for tails and 2 bits for heads, or 0.8 bits of entropy on average. The exact details aren't too important. What is important is that entropy is a quantitative measure of the amount of unpredictability in a piece of data.
An ideal random byte sequence has entropy equal to its length, but most of the time we have to make do with lower-entropy sequences. For example, the dates of Major League no-hitters this year would be a very unpredictable sequence, but also a very short one. On the other hand, collecting the dates that Lester pitches for the Red Sox this year is fairly predictable—it's basically every fifth day—but there are still unexpected events like injuries and rain-outs that make it not completely predictable. The no-hitter sequence is very unpredictable but is very short. The Lester starts sequence is only a little unpredictable but so much longer that it likely has more total entropy.
Computers are faced with the same problem: they have access to long low-entropy (mostly predictable) sources, like the interarrival times between device interrupts or static sampled from a sound or video card, but they need high-entropy (completely unpredictable) byte sequences where every bit is completely unpredictable. To convert the former into the latter, a secure pseudo-random number generator uses a deterministic function that acts as an “entropy juicer.” It takes a large amount of low-entropy data, called the entropy pool, and then squeezes it to produce a smaller amount of high-entropy random byte sequences. Deterministic programs can't create entropy, so the amount of entropy coming out can't be greater than the amount of entropy going in. The generator has just condensed the entropy pool into a more concentrated form. Cryptographic hash functions like MD5 and SHA1 turn out to be good entropy juicers. They let every input bit have some effect on each output bit, so that no matter which input bits were the unpredictable ones, the output has a uniformly high entropy. (In fact this is the very essence of a hash function, which is why cryptographers just say hash function instead of made-up terms like entropy juicer.)
The bad part about entropy is that you can't actually measure it except in context: if you read a 32-bit number from /dev/random, as I just did, you're likely to be happy with 4016139919, but if you read ten more, you won't be happy if you keep getting 4016139919. (That last sentence is, technically, completely flawed, but you get the point. See also this comic and this comic.) The nice thing about entropy juicers is that as long as there's some entropy somewhere in the pool, they'll extract it. It never hurts to add some more data to the pool: either it will add to the collective entropy, or it will have no effect.
There's a lot more there inside the page, including finer and more technical details. It's not only about Debian but also distributions (or operating systems) based on Debian. It was a catastrophe at the time. However, like most of the Web (www), there's a vast level of amnesia, so it's hard to find press reports. We need to ensure that what happened in 2008 isn't getting lost or being progressively forgotten, downplayed and so on. "The citations are very important so as not to give the Microsofters an attack point," an associate noted, but at the same time we must respect Fair Use (legal doctrine). What we posted this morning was probably sufficient as the goal was to make this stick online and be easier to find. I remembered that incident very well, a lot of media covered it at the time, but right now it is HARD TO FIND. Either Google "forgets", deranks for "age", or the sites go offline (or change CMS, lose old material et cetera). Apparently Google doesn't even give/prioritise results anymore, it plagiarises sites and offers low-grade text, falsely portrayed as "AI" (stochastic parrot, LLM).
Here is one online copy that's a backup (archive.today), hopefully one that can stick for decades to come (the latter relies not on that one online copy being live).
"Make sure that one of the archives has it then," an associate has told me. Well, archive.ph has it, as do the TLD/suffix mirrors. We may need to cite it and quote key portions of it as Daniel Pocock progresses with his series (3 parts so far). To quote a key part: "One effect this had is that the ssh-keygen program installed on recent Debian systems (and Debian-derived systems like Ubuntu) could only generate 32,767 different possible SSH keys of a given type and size, so there are a lot of people walking around with the same keys."
People had to go through a lot of trouble at the time, not to mention feel paranoid that they may have already been cracked without knowing and without verifiable traces of an intrusion. What if a state actor was responsible for this? What if it was a FIVE-EYES agent, rather than the popular Chinese or Russian scapegoat? What if Debian knew about it but chose not to tell (just to save face)? This is what makes the Edward Brocklesby revelations so very damning.
We remind readers that the NSA's mathematicians often target the weakening of an RNG by lowering entropy (while giving an illusion of entropy - i.e. uncertainty or variance - being very high). That's a subject covered in parts in my Ph.D. thesis; I'm not unfamiliar with the science of entropy.
As Pocock progresses maybe we can collect and file links related to this from Snowden's stash, as some of it covered this topic before GCHQ's blackmail against the British press (and plunder by Pierre Omidyar) killed any remaining journalism on this subject.
In order to make a compelling timeline or sequence of events we'd have to dig up very old articles, if they're still online at all. But that's OK, we have time. To us, time isn't money because this site isn't a business. It's grotesque that we too became a target for blackmail, after we had been bullied and defamed for years. Why does Debian harbour such monsters/mobsters? Intimidating female users of Debian, then wondering why barely any women join Debian? We'll say more about Debian's mistreatment, even of its own developers, in the next article. █