领测软件测试网
Back in May 2006, a few programmers working on an open-source security project made a whopper of a mistake. Last week, the full impact of that mistake was just beginning to dawn on security professionals around the world.
In technical terms, a programming error reduced the amount of entropy used to create the cryptographic keys in a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, the IPsec Virtual Private Network (VPN), secure e-mail programs, some software used for anonymously accessing the Internet, and so on.
In plainer language: after a week of analysis, we now know that two changed lines of code have created profound security vulnerabilities in at least four different open-source operating systems, 25 different application programs, and millions of individual computer systems on the Internet. And even though the vulnerability was discovered on May 13 and a patch has been distributed, installing the patch doesn't repair the damage to the compromised systems. What's even more alarming is that some computers may be compromised even though they aren't running the suspect code.
The reason that the patch doesn't fix the problem has to do with the specifics of the programmers' error. Modern computer systems employ large numbers to generate the keys that are used to encrypt and decrypt information sent over a network. Authorized users know the right key, so they don't have to guess it. Malevolent hackers don't know the right key. Normally, it would simply take too long to guess it by trying all possible keys--like, hundreds of billions of years too long.