Bonum Certa Men Certa

Preserving Information About Debian's SSH Blunder (Amid Revelations About Edward Brocklesby (ejb) and "Proximity to Oxford and GCHQ")

posted by Roy Schestowitz on Jun 08, 2024

Not Edward Snowden but a very rogue actor

Re: Proposed change to Debian constitution

Remember that he got expelled for illegal activities, but almost nobody knew. Debian kept quiet about it.

MY WIFE and I both use Debian. Our Web sites also use Debian. Almost everything in our home uses Debian. So we're genuinely concerned, not "concern-trolling" (or acting as "controlled opposition"). My wife and I were bullied (for years) by someone who claims to be in Debian, but also seems to be in the Microsoft camp, not Debian. The bullying intensified greatly when we started reposting many old articles from Daniel Pocock, whereupon he filed a SLAPP-style lawsuit, trying to bankrupt us with 6-figure financial demands. Yet worse, the Debian Project is entrusting security or offloading the decision-making to people who are not only lacking qualifications but are openly (publicly) saying "social interaction with Debian-the-distribution makes me want to stab people" (nope, not a typo! Not making this up!).

Today I spoke to my mother, who was also attacked by these very vicious people. She's not even technical, so what on Earth do they want from her? Those who did this will regret what they did and we won't accept an apology. They will pay for it. We got the best lawyer in the area, according to his esteemed peers. We won't be intimidated or hold back.

This morning we republished an article from 16 years ago, albeit not in full. It's a good article and an external link to another fairly authoritative source was included. The full article has more technical bits, but the overall description of the issue matters more than a proof of concept (PoC). How did Debian get something so basic... so very wrong? There were even errors shown, but these were ignored or suppressed. The issue may be 16 years old, but when it comes to Edward Brocklesby (ejb) we're talking about decades back and in Snowden's NSA leaks we saw allusions to SSH too. I personally wrote about those at the time (2013-2014).

We'd like to quote extensively from this second article before it goes offline (the original will be gone one day; that's just how the Web works).

Last week, Debian announced that in September 2006 they accidentally broke the OpenSSL pseudo-random number generator while trying to silence a Valgrind warning. One effect this had is that the ssh-keygen program installed on recent Debian systems (and Debian-derived systems like Ubuntu) could only generate 32,767 different possible SSH keys of a given type and size, so there are a lot of people walking around with the same keys.

Many people have had fingers pointed at them, but it is not really interesting who made the mistake: everyone makes mistakes. What's interesting is the situation that encouraged making the mistake and that made it possible not to notice it for almost two years.

To do that, you have to understand the code involved and the details of the bug; those require understanding a little bit about entropy and random number generators.

Entropy

Entropy is a measure of how surprising a piece of data is. Jon Lester didn't pitch in last night's Red Sox game, but that's not surprising--he only pitches in every fifth game, so most nights he doesn't pitch. On Monday night, though, he did pitch and (surprise!) threw a no-hitter. No one expected that before the game: it was a high-entropy event.

Entropy can be measured in bits: a perfect coin flip produces 1 bit of entropy. A biased coin produces less: flipping a coin that comes up heads only 25% of the time produces only about 0.4 bits for tails and 2 bits for heads, or 0.8 bits of entropy on average. The exact details aren't too important. What is important is that entropy is a quantitative measure of the amount of unpredictability in a piece of data.

An ideal random byte sequence has entropy equal to its length, but most of the time we have to make do with lower-entropy sequences. For example, the dates of Major League no-hitters this year would be a very unpredictable sequence, but also a very short one. On the other hand, collecting the dates that Lester pitches for the Red Sox this year is fairly predictable—it's basically every fifth day—but there are still unexpected events like injuries and rain-outs that make it not completely predictable. The no-hitter sequence is very unpredictable but is very short. The Lester starts sequence is only a little unpredictable but so much longer that it likely has more total entropy.

Computers are faced with the same problem: they have access to long low-entropy (mostly predictable) sources, like the interarrival times between device interrupts or static sampled from a sound or video card, but they need high-entropy (completely unpredictable) byte sequences where every bit is completely unpredictable. To convert the former into the latter, a secure pseudo-random number generator uses a deterministic function that acts as an “entropy juicer.” It takes a large amount of low-entropy data, called the entropy pool, and then squeezes it to produce a smaller amount of high-entropy random byte sequences. Deterministic programs can't create entropy, so the amount of entropy coming out can't be greater than the amount of entropy going in. The generator has just condensed the entropy pool into a more concentrated form. Cryptographic hash functions like MD5 and SHA1 turn out to be good entropy juicers. They let every input bit have some effect on each output bit, so that no matter which input bits were the unpredictable ones, the output has a uniformly high entropy. (In fact this is the very essence of a hash function, which is why cryptographers just say hash function instead of made-up terms like entropy juicer.)

The bad part about entropy is that you can't actually measure it except in context: if you read a 32-bit number from /dev/random, as I just did, you're likely to be happy with 4016139919, but if you read ten more, you won't be happy if you keep getting 4016139919. (That last sentence is, technically, completely flawed, but you get the point. See also this comic and this comic.) The nice thing about entropy juicers is that as long as there's some entropy somewhere in the pool, they'll extract it. It never hurts to add some more data to the pool: either it will add to the collective entropy, or it will have no effect.

There's a lot more there inside the page, including finer and more technical details. It's not only about Debian but also distributions (or operating systems) based on Debian. It was a catastrophe at the time. However, like most of the Web (www), there's a vast level of amnesia, so it's hard to find press reports. We need to ensure that what happened in 2008 isn't getting lost or being progressively forgotten, downplayed and so on. "The citations are very important so as not to give the Microsofters an attack point," an associate noted, but at the same time we must respect Fair Use (legal doctrine). What we posted this morning was probably sufficient as the goal was to make this stick online and be easier to find. I remembered that incident very well, a lot of media covered it at the time, but right now it is HARD TO FIND. Either Google "forgets", deranks for "age", or the sites go offline (or change CMS, lose old material et cetera). Apparently Google doesn't even give/prioritise results anymore, it plagiarises sites and offers low-grade text, falsely portrayed as "AI" (stochastic parrot, LLM).

Here is one online copy that's a backup (archive.today), hopefully one that can stick for decades to come (the latter relies not on that one online copy being live).

"Make sure that one of the archives has it then," an associate has told me. Well, archive.ph has it, as do the TLD/suffix mirrors. We may need to cite it and quote key portions of it as Daniel Pocock progresses with his series (3 parts so far). To quote a key part: "One effect this had is that the ssh-keygen program installed on recent Debian systems (and Debian-derived systems like Ubuntu) could only generate 32,767 different possible SSH keys of a given type and size, so there are a lot of people walking around with the same keys."

People had to go through a lot of trouble at the time, not to mention feel paranoid that they may have already been cracked without knowing and without verifiable traces of an intrusion. What if a state actor was responsible for this? What if it was a FIVE-EYES agent, rather than the popular Chinese or Russian scapegoat? What if Debian knew about it but chose not to tell (just to save face)? This is what makes the Edward Brocklesby revelations so very damning.

We remind readers that the NSA's mathematicians often target the weakening of an RNG by lowering entropy (while giving an illusion of entropy - i.e. uncertainty or variance - being very high). That's a subject covered in parts in my Ph.D. thesis; I'm not unfamiliar with the science of entropy.

As Pocock progresses maybe we can collect and file links related to this from Snowden's stash, as some of it covered this topic before GCHQ's blackmail against the British press (and plunder by Pierre Omidyar) killed any remaining journalism on this subject.

In order to make a compelling timeline or sequence of events we'd have to dig up very old articles, if they're still online at all. But that's OK, we have time. To us, time isn't money because this site isn't a business. It's grotesque that we too became a target for blackmail, after we had been bullied and defamed for years. Why does Debian harbour such monsters/mobsters? Intimidating female users of Debian, then wondering why barely any women join Debian? We'll say more about Debian's mistreatment, even of its own developers, in the next article.

Other Recent Techrights' Posts

Slop Is Not Intelligence and It Does Not Enhance Productivity
Like voice dictation, which cannot tell the difference between "sheet" and "shit"
Our Three Lawsuits Against Microsofters Are About to Become a Lot More Relevant to GNU/Linux
The Master will easily understand why Garrett has been attacking me since 2012
They Don't Tell Us that 'Digitalisation' (Now Sold as "Hey Hi") Just Means Customers Become Unpaid Staff and Are Made Accountable
People are being conditioned to associate technology with something undesirable, at times even unbearable
 
Links 23/07/2025: Retreating From Transparency on Jeffrey Epstein, We No Longer Have Press Freedom
Links for the day
Gemini Links 23/07/2025: Piano and Food
Links for the day
New and Old
On Ageism in Tech
EPO Crimes Are Spreading to the British Court System
Society is now paying the price for failing to tackle crimes at the EPO
It's Time to Dump SharePoint and Here's What to Use Instead
Nextcloud, ownCloud, Bookstack, MediaWiki, and MediaGoblin
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, July 22, 2025
IRC logs for Tuesday, July 22, 2025
Brett Wilson LLP Has Gone Silent
Sometimes silence says more than nothing at all
Slopwatch: LinuxSecurity, Planet Ubuntu, and LinuxTechLab
some slopfarms show no remorse and they don't value their reputation at all
Links 23/07/2025: Book Bans, Storms, and Kangaroo Court for Patents Commits More Unlawful Acts of Overreach
Links for the day
Gemini Links 22/07/2025: Thinkpad and Pinephone
Links for the day
Links 22/07/2025: "Blog Restart" and Microsoft Clobbered by “ToolShell"
Links for the day
Global Warming and Global GAFAM Energy-Wasting
Burn more money (borrowed, loans), then hope the waste will somehow translate into profit?
No Compliance With the European Patent Convention (EPC) at the European Patent Office (EPO)
It's about preventing competition against this autocracy
Blue-Collar Trolls vs White-Collar Trolls
Examples of white-collar trolls
Apple Vision Pro Failed So Badly That Its Sales Are About 2,000 Times Smaller Than iPhone Sales
What's left for Apple to offer other than hype?
To Millions of People "Year of the Linux Desktop" Was Some Time in the 1990s (Bootable GNU/Linux as a Complete Operating System is Over 33 in Age)
In some sense, "year of the Linux desktop" was 33 years ago
Make No Assumptions (or Demands) About the Screen Resolution Used by Other People
There are usability aspects, aside from accessibility aspects
Why Wayland (and XWayland) Won't Solve the Key Problem It Proclaims to be Tackling (the Same Is True for Rust)
The problem isn't Wayland per se but the false promises and efforts to force everybody to move to it whilst insulting or demonising everyone who won't play along
Diplomatic Immunity Should Not Exist for Anybody
The EPO in its current form gradually 'normalises' the end of European democracy
Brett Wilson LLP Stopped Sending Me Papers When I Showed It had Sent Me Over 5 Kilograms of Legal Papers
A week ago we lodged our third lawsuit
Microsoft Mass Layoffs and Shutdowns Became the New Normal at Microsoft
Microsoft mass layoffs became a topic of everyday media coverage since May
Amazon Web Services (AWS) Has Layoffs and Microsoft Gaming/Entertainment Division Has an Uncertain Future
it's good to see all those horrible things crashing and burning
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, July 21, 2025
IRC logs for Monday, July 21, 2025
FSF "Raised Almost $139,000 During This Summer Campaign"
"Thank you for making a stand against dystopia!"
Gemini Links 22/07/2025: VPS Exploited and Fear of View
Links for the day
LLM Bots vs Techrights
Slows things down a bit
New Publication Sheds Lights on Abuse of Workers at the European Patent Office (EPO)
Put in simple terms, they're killing the Office, harming remaining staff, try to hire rubber-stampers
Links 21/07/2025: Hardware, Health, and Imperialism
Links for the day
Gemini Links 21/07/2025: "When Buying Isn't Owning" and "CMS Special Edition"
Links for the day
Links 21/07/2025: Indie Web and Toxic Politics
Links for the day
[Meme] Microsoft Lawyers Throwing Stones in Glass Houses
threatened me with bankruptcy
Google "AI Overview" is Not AI and Not Overview
do not be misled; what Google does isn't smart, it's just ripping off the sites it already crawled for as long as 27 years
Making the Case to Dump Microsoft and GAFAM for National and Digital Sovereignty
"Sovereignty is difficult"
The Tactics of the Opposition (Microsoft Lunduke): Associate With K00ks, Throw in Vaccines to Muddy the Water
Who stands to gain from this?
Europe's Second-Largest Institution (EPO) and Largest Patent Monopoly Office Needs More Transparency, Not Less Transparency
In the EPO, what good are elections when one candidate literally bribes all the voters?
How Not to Report News About Microsoft
This pattern of misreporting is so widespread that it's hard to believe it's not intentional
Computer Science is Under Attack, They Want Everyone to be a Consumer
If people can no longer acquire Computer Science education and real Computer Science experience, they will not know how to control their own digital destiny or emancipate the very same universities that now control the syllabus and instead of teaching Computer Science encourage the outsourcing of systems
The Best Tools Are the Simplest Tools
There's a hidden message here about the merits of sticking with X
Ofcom Online Safety Group Speaks of Protecting Women Online, Will Brett Wilson LLP Ever Listen?
They've essentially became like the Taliban's "burka police"
Social Control Media Relies on Advertisers, So It'll Always Be Hostile Towards Free Software
Sales, sales, sales
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, July 20, 2025
IRC logs for Sunday, July 20, 2025
Fragmentation of Data
Life is too short to "hoard" data
In Defence of "Spinning Rust"
Just because something is "old" (or older) doesn't mean it ought to become extinct
Using Free Software to Prepare Legal Documents
LibreOffice is openly complaining about OOXML as an obstacle
Tech and Technology Are Not the Same Anymore
"Are you into tech, Sir?"
Our Articles About SLAPPs Receive Recognition and Interest
This week we shall continue writing about the 3 lawsuits we filed