[Cryptech Tech] Some Friday relief (and horrors)

Joachim Strömbergson joachim at secworks.se
Fri Apr 25 08:21:06 UTC 2014


Aloha!

I guess you might have seen that Theo et al. @ OpenBSD, due to HB and
the subsequent discovery of OpenSSL macroing away the ASLR functionality of
the OpenBSD malloc, have now forked OpenSSL and created libressl (OpenTLS
was taken.)

If one wants to follow their work there is a tumblr blog that tracks all
commits:

http://opensslrampage.org/

Among the more horrid discoveries is that OpenSSL, when it decides
there isn't sufficient randomness, happily borrows the secret exponent of
any private RSA key and uses it as seed(!).

IMHO, there are some good coding lessons to be learned from their
gutting, shredding and mending of OpenSSL.

Also, if you haven't seen it, the backdoor in Sercomm-manufactured
network devices has resurfaced:

http://thehackernews.com/2014/04/router-manufacturers-secretly-added-tcp.html

Scary stuff, but good analysis.

-- 
Best regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================