Monday, 8 September 2008

One line to own them all

Last Friday, I finally met Luciano Bello during the "DSP" (Drunken Security Professional; it's like a 2600 meeting, but better).

For those of you who don't know Luciano, he found the infamous commented-out line in the OpenSSL package in Debian, Ubuntu, etc., which as a consequence generated only 32k keys. (The short story: Valgrind bitched about the line, there was a month-long discussion about the line, and Debian finally commented it out.)

Anyway, I must say that he surprised me in a good way. I thought he would come wearing the open-source coat and start fighting us with a Tux in his right hand, trying to save the world or something, but he didn't.

We had a long talk (most of it was laughs); at some point it was more like an interview. I regret not having a digital recorder (which I will make a mandatory purchase from now on), because I pretty much forgot most of the stuff.

Being the researcher he is, in the area of cryptography, when he discovered it he wasn't looking at code as we would; instead he was comparing keys, weekend after weekend comparing keys, until he realised something was not working correctly.

Something was not working as expected: keys were repeating, 1 in every 5000. So then he started looking into the code.
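To make the two points above concrete (a PRNG pool whose only remaining input is the process ID can only ever produce as many keys as there are PIDs, and you can spot that from the outside just by comparing keys), here is a toy model I have added; it is not OpenSSL code and not anything Luciano wrote. It assumes a 16-bit PID range of 1 to 32767 (the usual Linux default of the time) and stands in for key generation with a SHA-256 digest of the seed material, which is enough to show the keyspace collapse and the duplicate-key check.

```python
import hashlib
import random

# Assumption (not from the post): the default Linux pid_max of the era.
# On the broken builds the PID was the only entropy left in the pool,
# so every generated key is a pure function of the PID.
PID_MAX = 32767


def derive_key(seed_material: bytes) -> str:
    """Stand-in for key generation: a deterministic digest of the seed pool.
    Real RSA/DSA generation is far more complex, but it is equally a pure
    function of the pool contents, which is all this model needs."""
    return hashlib.sha256(seed_material).hexdigest()[:16]


def weak_key(pid: int) -> str:
    """Broken build: the PID is the only thing mixed into the pool."""
    return derive_key(pid.to_bytes(2, "big"))


def strong_key(pid: int, rng: random.Random) -> str:
    """Fixed build: PID plus 32 bytes of fresh seed material.
    The seed material is simulated with a seeded RNG so the run is repeatable."""
    fresh = rng.getrandbits(256).to_bytes(32, "big")
    return derive_key(pid.to_bytes(2, "big") + fresh)


def keyspace_size(keygen) -> int:
    """Walk every possible PID once and count how many distinct keys can ever come out."""
    return len({keygen(pid) for pid in range(1, PID_MAX + 1)})


def sample_weak_keys(n_hosts: int, rng: random.Random) -> list:
    """Constructed corpus: n hosts that each generated a key under a random PID."""
    return [weak_key(rng.randint(1, PID_MAX)) for _ in range(n_hosts)]


def sample_strong_keys(n_hosts: int, rng: random.Random) -> list:
    """Same corpus shape, but generated on the fixed build."""
    return [strong_key(rng.randint(1, PID_MAX), rng) for _ in range(n_hosts)]


def find_duplicates(keys: list) -> dict:
    """The 'comparing keys' check: map each repeated key to the host indices it was seen on.
    A healthy corpus returns an empty dict; any repeat is a red flag for bad entropy."""
    seen = {}
    for host, key in enumerate(keys):
        seen.setdefault(key, []).append(host)
    return {key: hosts for key, hosts in seen.items() if len(hosts) > 1}


def duplicate_fraction(keys: list) -> float:
    """Fraction of hosts whose key is shared with at least one other host."""
    dups = find_duplicates(keys)
    return sum(len(hosts) for hosts in dups.values()) / len(keys)


if __name__ == "__main__":
    rng = random.Random(2008)
    print("distinct keys the broken build can ever make:", keyspace_size(weak_key))
    weak = sample_weak_keys(10000, rng)
    strong = sample_strong_keys(10000, rng)
    print("hosts sharing a key, broken build: %.3f" % duplicate_fraction(weak))
    print("hosts sharing a key, fixed build:  %.3f" % duplicate_fraction(strong))
```

Running it shows the whole point of the bug in two numbers: no matter how many hosts generate keys, the broken build can only ever emit 32767 distinct ones, and a corpus of a few thousand keys from it is full of repeats, while the fixed build produces none. That repeat check needs no access to the code at all, which is exactly why comparing keys found the problem before anyone read the diff.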

The obligatory question:
You could pretty much own every Debian/Ubuntu in the world via SSH... What did you pick?
The answer is none. And if you re-ask the question including the word "hypothetical" (he wasn't 100% sure about the bug when he disclosed it), he will again reply: none.
Luciano was so into the bug, testing, checking all his crypto theory, that (and this is my feeling) he never realised the consequences, or what he really *had* in his hands.
He didn't realise SSH was affected until someone from Debian told him and he did the math.

The conversation took around two hours, and after that I have the feeling (and this is personal) that he is a bit more into the dark side now; maybe not completely, but he took a good peek.

From left to right: Luciano Bello, myself and Fran "Rulos Adolescentes" Amato (evilgrade's coder)

Btw, Luciano will be talking at the Eko Party, as will Pablo Solé and Dave Aitel from Immunity. I'll be around Eko and Ba-Con; look for the same version of me, but shaved.

Note: Picture taken by Leo from KungFoosion