On Thu, May 15, 2008 at 05:18:52PM -0500, Ken Bloom wrote:
> On Thu, 2008-05-15 at 14:29 -0700, Jeffrey Nonken wrote:
> > http://www.linux.com/feature/135270
>
> This paragraph is probably wrong:
>
> > Debian and derivative distribution users can use the apt-get upgrade
> > command to replace vulnerable keys on their systems, and Ubuntu users
> > applying the security patches which appeared yesterday will have their
> > weak keys replaced automatically, but as Moore points out, that
> > doesn't solve the problems caused by weak keys being used to sign
> > certificates or copied to other servers.
>
> More detailed information is available at http://wiki.debian.org/SSLkeys
>
> Note that the vulnerability meant that only 2^15 different keys of each
> size were being generated. This is an incredibly small number, and I'm
> sure many hackers have dictionaries of the entire key set now to break
> in to systems with affected authorized_keys files.

I downloaded a dictionary of keys. I haven't tried to run the crack yet.
Hackers build things, crackers break into things.

--
Brian Lavender
http://www.brie.com/brian/

_______________________________________________
vox-tech mailing list
http://lists.lugod.org/mailman/listinfo/vox-tech
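
Because the affected key set is small enough to enumerate, an authorized_keys file can be audited by fingerprint. The following is an added example, not part of the thread or of any Debian tool: it assumes you have a blocklist of hex MD5 fingerprints of the weak keys from a trusted source, and the keys, blocklist and file contents in it are constructed placeholders.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in common use in 2008

def key_blob(key_type, blob_b64):
    """Decode a base64 field; return None unless it is a wire-format key of key_type."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # not base64, e.g. a fragment of a quoted option
        return None
    prefix = struct.pack(">I", len(key_type)) + key_type.encode()
    return blob if blob.startswith(prefix) else None

def audit(text, blocklist):
    """Return (line_no, md5_hex, comment) for every key whose fingerprint is blocklisted."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key type and may
        # themselves contain the text "ssh-rsa", so each candidate is
        # accepted only if the next field decodes to a matching key blob.
        for i, field in enumerate(fields[:-1]):
            blob = key_blob(field, fields[i + 1]) if field in KEY_TYPES else None
            if blob is None:
                continue
            fingerprint = hashlib.md5(blob).hexdigest()
            if fingerprint in blocklist:
                hits.append((line_no, fingerprint, " ".join(fields[i + 2:])))
            break
    return hits

def _constructed_key(seed):
    """Constructed stand-in for a public key blob (not a real key)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + hashlib.sha256(seed).digest() * 4
    return base64.b64encode(blob).decode()

WEAK, STRONG = _constructed_key(b"weak"), _constructed_key(b"strong")
BLOCKLIST = {hashlib.md5(base64.b64decode(WEAK)).hexdigest()}  # constructed
SAMPLE = f"""# constructed authorized_keys file
ssh-rsa {STRONG} alice@laptop
command="echo ssh-rsa test",no-pty ssh-rsa {WEAK} backup@server

ssh-rsa {WEAK} bob@desktop
"""

if __name__ == "__main__":
    for line_no, fingerprint, comment in audit(SAMPLE, BLOCKLIST):
        print(f"line {line_no}: blocklisted key {fingerprint} ({comment})")
```

Any line it reports should be removed from the file and the key pair regenerated on a patched system.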
