A major announcement on the FreeBSD mailing list landed earlier today:
URGENT: RNG broken for last 4 months in the -current branch [...] This means most/all keys generated may be predictable and must be regenerated. This includes, but is not limited to, ssh keys and keys generated by openssl. This is purely a kernel issue, and a simple kernel upgrade w/ the patch is sufficient to fix the issue.
Various security companies and blogs are already reporting duplicate keys spotted in the wild. So, patch your systems!
[Updates: (1) This pertains to the '-current' branch which is not recommended for use on production systems. (2) The statement about "duplicate keys" was in the original submission, but lacks confirmation. If you can confirm/deny, please reply in the comments with a link to the source.]
(Score: 5, Informative) by Anonymous Coward on Wednesday February 18 2015, @10:36AM
Apparently this issue only affects people running the current version (unstable/testing branch). If you're on 10.1 (the latest production release) you should be fine.
(Score: 2, Troll) by E_NOENT on Wednesday February 18 2015, @11:10AM
Schadenfreude levels: increasing...
I'm not in the business... I *am* the business.
(Score: 2, Funny) by ThG on Wednesday February 18 2015, @11:12AM
Obligatory: http://www.tedunangst.com/flak/post/random-in-the-wild [tedunangst.com]
(Score: 2) by FatPhil on Wednesday February 18 2015, @02:17PM
Also, when I raised the topic amongst C standard experts (which included committee members) the general consensus was that Ted and Theo were at least in part talking crap. However, it was suggested that I should raise a DR on the standard, so that the wording could leave less room for the misinterpretation that Theo and Ted have tricked themselves into believing.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 4, Informative) by Marand on Wednesday February 18 2015, @11:30AM
It sounds like they got their RNG from Debian [debian.org] :)
(Score: 0) by Anonymous Coward on Thursday February 19 2015, @03:52AM
Which was defective by design (Debian). Intentional "oops let's fuck with what the OpenBSD guys did RNG-wise". """oops"""
It was intentional.
Same with systemd.
(Score: 5, Informative) by TheRaven on Wednesday February 18 2015, @11:37AM
Second, a big [citation needed] for the 'Various security companies and blogs are already reporting duplicate keys spotted in the wild' - none of them have reported them to the FreeBSD project or on the project's mailing lists...
sudo mod me up
(Score: 0) by Anonymous Coward on Wednesday February 18 2015, @07:55PM
The second one is somewhat right. Shodan's blog is reporting numerous duplicate keys found in ssh installs. However, that does not appear to be related to this PRNG issue.
(Score: 4, Funny) by Anonymous Coward on Wednesday February 18 2015, @11:44AM
https://www.xkcd.com/221/ [xkcd.com]
(Score: -1, Disagree) by Anonymous Coward on Wednesday February 18 2015, @12:13PM
Randall is a fucking asshole who fucks canine bitch anuses and calls all of his bitches Megan.
(Score: 4, Funny) by Anonymous Coward on Wednesday February 18 2015, @01:05PM
Obligatory Dilbert [dilbert.com]
(Score: 2) by fritsd on Wednesday February 18 2015, @01:28PM
It doesn't say *who* at the IEEE committed that patch ;-)
(Score: 0) by Anonymous Coward on Wednesday February 18 2015, @12:32PM
If you can confirm/deny, please reply in the comments with a link to the source.
This is the internet, the wild west of anonymity and irresponsible expression of free speech. I can be convinced to confirm or deny these statements based on your willingness to offset my efforts with appropriate compensation. Here is a link [google.com] to my source.