by SoftwareMaven 4405 days ago
That's a fine attitude for normal code, but crypto is a whole different ball game. Linux security was significantly reduced at one point because somebody changed int i to int i=0, something most developers would think is a positive. Side channel attacks are extremely easy to create and extremely hard to find. And, unfortunately, the "many eyes" thing doesn't work here because it requires experienced, knowledgeable eyes, and there aren't enough of those, and they are usually busy getting paid, researching how to break software or building their own stuff.
1 comments

> Linux security was significantly reduced at one point because somebody changed int i to int i=0

Could you please elaborate on this one?

It's been a while. I should have restricted it to Debian: http://jblevins.org/log/ssh-vulnkey
Seems to me they relied on the uninitialized memory of a stack variable as a partial source of randomness for key generation.

Initializing the variable with 0 removed that part.

Your explanation makes sense. Though I'm still curious as to when this happened and what the impact was.
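An added example, not code from this thread, from OpenSSL or from Debian's ssh-vulnkey tool: a toy key generator whose only seed material is a PID plus an "extra entropy" buffer, alongside a blocklist check of the kind ssh-vulnkey performs. The point it makes concrete is what the comment above describes: once the extra buffer contributes nothing (here modelled as all zeros, standing in for the uninitialized memory that was supposed to vary), the generator's output depends only on the PID, so the entire key space can be enumerated and every key checked against it. The mixer (FNV-1a), the key format, the 32-byte buffer size, the constructed entropy bytes and the PID bound of 32768 (Linux's historical default pid_max) are assumptions for the demo and do not resemble how OpenSSL derives keys; in the real Debian bug (CVE-2008-0166) other seeding was also disabled and the weak-key sets were per architecture and key size, so the real blocklists were larger than one entry per PID.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on PIDs (Linux's historical default pid_max). */
#define MAX_PID 32768
/* Size of the "extra entropy" buffer the toy generator mixes in (assumption). */
#define EXTRA_LEN 32

/* Toy state mixer (FNV-1a over the bytes). Stands in for a real RNG's
 * state update; it is an assumption for this demo, not OpenSSL's design. */
static uint64_t mix(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;   /* 64-bit FNV prime */
    }
    return h;
}

/* Toy "key generation": the only seed material is the PID and whatever
 * the extra buffer holds. The extra buffer is supposed to carry real
 * entropy; if it is all zeros, the PID is the only thing that varies. */
uint64_t toy_key(uint32_t pid, const unsigned char *extra)
{
    unsigned char pb[4] = {
        (unsigned char)(pid), (unsigned char)(pid >> 8),
        (unsigned char)(pid >> 16), (unsigned char)(pid >> 24)
    };
    uint64_t h = 0xcbf29ce484222325ULL;   /* 64-bit FNV offset basis */
    h = mix(h, pb, sizeof pb);
    h = mix(h, extra, EXTRA_LEN);
    return h;
}

/* Blocklist in the style of ssh-vulnkey: every key the generator can
 * produce when the extra buffer contributes nothing, one entry per PID. */
static uint64_t blocklist[MAX_PID];
static size_t blocklist_len = 0;

size_t build_blocklist(void)
{
    unsigned char zeros[EXTRA_LEN] = {0};
    blocklist_len = 0;
    for (uint32_t pid = 1; pid < MAX_PID; pid++)
        blocklist[blocklist_len++] = toy_key(pid, zeros);
    return blocklist_len;
}

/* Returns 1 if the key is one of the enumerable weak keys, else 0. */
int is_weak_key(uint64_t key)
{
    if (blocklist_len == 0)
        build_blocklist();
    for (size_t i = 0; i < blocklist_len; i++)
        if (blocklist[i] == key)
            return 1;
    return 0;
}

/* Constructed stand-in for 32 bytes of genuine entropy (not real output
 * of any RNG; chosen by hand for the demo). */
static const unsigned char sample_entropy[EXTRA_LEN] = {
    0x9f,0x1c,0x3a,0x77,0xe2,0x05,0x4b,0xd8,0x61,0xa9,0xf0,0x2e,0x8c,0x53,0xb7,0x10,
    0x44,0xde,0x6b,0x92,0x0d,0xc5,0x7e,0x31,0xa6,0x58,0xe9,0x1f,0x83,0xbc,0x26,0x70
};

/* Key generated when the extra buffer is all zeros: PID is the whole seed. */
int pid_only_key_is_weak(uint32_t pid)
{
    unsigned char zeros[EXTRA_LEN] = {0};
    return is_weak_key(toy_key(pid, zeros));
}

/* Key generated when the extra buffer actually carries entropy. */
int entropy_key_is_weak(uint32_t pid)
{
    return is_weak_key(toy_key(pid, sample_entropy));
}

int main(void)
{
    printf("blocklist holds %zu keys\n", build_blocklist());
    printf("pid 1234, zero extra buffer: weak=%d\n", pid_only_key_is_weak(1234));
    printf("pid 1234, real extra buffer: weak=%d\n", entropy_key_is_weak(1234));
    return 0;
}
```

The blocklist has one entry per possible PID, which is why checking an arbitrary key against it is cheap: with the extra buffer zeroed, every key the generator can ever emit is already in the table, while a key derived with the buffer populated is not. The linear search is fine at this size; a real tool would sort the fingerprints or hash them.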