Devs Working To Stop Go Math Error Bugging Crypto Software (theregister.co.uk) 73
Richard Chirgwin, writing for The Register: Consider this an item for the watch-list, rather than a reason to hit the panic button: a math error in the Go language could potentially affect cryptographic libraries. Security researcher Guido Vranken (who earlier this year fuzzed up some bugs in OpenVPN) found an exponentiation error in the Go math/big package. Big numbers -- particularly big primes -- are the foundation of cryptography. Vranken posted to the oss-sec mailing list that he found the potential issue during testing of a fuzzer he wrote that "compares the results of mathematical operations (addition, subtraction, multiplication, ...) across multiple bignum libraries." Vranken and Go developer Russ Cox agreed that the bug needs specific conditions to be manifest: "it only affects the case e = 1 with m != nil and a pre-allocated non-zero receiver."
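The summary describes a differential fuzzer that compares bignum results across libraries, and names the exact condition under which Go's math/big Exp went wrong (e = 1, m != nil, and a pre-allocated non-zero receiver). The following is an added example, not code from the article, from Vranken's fuzzer, or from the Go project: a small differential check in Go that computes x^e mod m three ways (math/big with a fresh receiver, math/big with a receiver that already holds a non-zero value, and an independent square-and-multiply reference built only from Mul and Mod) and reports any disagreement. The input cases, the seed value and the helper names are constructed for this example; the reference assumes m > 0 and e >= 0. On a fixed Go toolchain all three agree; the point is to show the kind of regression check a consumer of a bignum library can keep in its own test suite.

```go
package main

import (
	"fmt"
	"math/big"
)

// expCase is one input triple for the differential check (decimal strings).
type expCase struct {
	x, e, m string
}

// refModExp is an independent square-and-multiply reference for x^e mod m.
// It uses only Mul, Mod and bit operations so it shares no code path with
// math/big's Exp. Assumes m > 0 and e >= 0 (constructed for this example).
func refModExp(x, e, m *big.Int) *big.Int {
	result := big.NewInt(1)
	result.Mod(result, m) // 1 mod 1 == 0
	base := new(big.Int).Mod(x, m)
	exp := new(big.Int).Set(e)
	for exp.Sign() > 0 {
		if exp.Bit(0) == 1 {
			result.Mul(result, base)
			result.Mod(result, m)
		}
		base.Mul(base, base)
		base.Mod(base, m)
		exp.Rsh(exp, 1)
	}
	return result
}

// expWithSeededReceiver calls Exp on a receiver that was pre-allocated and
// already holds a non-zero value, the condition named in the report.
func expWithSeededReceiver(x, e, m, seed *big.Int) *big.Int {
	z := new(big.Int).Set(seed)
	return z.Exp(x, e, m)
}

// differentialExp runs every case through math/big with a fresh receiver,
// through math/big with a seeded receiver, and through the reference.
// It returns one description per disagreement; an empty slice means all agree.
func differentialExp(cases []expCase, seed *big.Int) []string {
	var mismatches []string
	for _, c := range cases {
		x, okX := new(big.Int).SetString(c.x, 10)
		e, okE := new(big.Int).SetString(c.e, 10)
		m, okM := new(big.Int).SetString(c.m, 10)
		if !okX || !okE || !okM {
			mismatches = append(mismatches, fmt.Sprintf("bad input %+v", c))
			continue
		}
		want := refModExp(x, e, m)
		fresh := new(big.Int).Exp(x, e, m)
		seeded := expWithSeededReceiver(x, e, m, seed)
		if fresh.Cmp(want) != 0 {
			mismatches = append(mismatches, fmt.Sprintf("fresh receiver: %s^%s mod %s = %s, want %s",
				c.x, c.e, c.m, fresh.String(), want.String()))
		}
		if seeded.Cmp(want) != 0 {
			mismatches = append(mismatches, fmt.Sprintf("seeded receiver: %s^%s mod %s = %s, want %s",
				c.x, c.e, c.m, seeded.String(), want.String()))
		}
	}
	return mismatches
}

// sampleCases are constructed inputs; the rows with e = "1" exercise the
// reported edge case, including x both larger and smaller than m.
func sampleCases() []expCase {
	return []expCase{
		{"10", "1", "7"},
		{"123456789012345678901234567890", "1", "987654321"},
		{"987654321", "1", "123456789012345678901234567890"},
		{"7", "1", "1"},
		{"5", "0", "13"},
		{"2", "100", "1000000007"},
		{"340282366920938463463374607431768211457", "65537", "340282366920938463463374607431768211507"},
	}
}

func main() {
	// Constructed non-zero seed for the pre-allocated receiver.
	seed, _ := new(big.Int).SetString("18446744073709551615", 10)
	bad := differentialExp(sampleCases(), seed)
	for _, b := range bad {
		fmt.Println("MISMATCH:", b)
	}
	if len(bad) == 0 {
		fmt.Println("math/big Exp agrees with the reference on all cases")
	}
}
```

The reference deliberately avoids Exp altogether, so a disagreement points at one of the two Exp call patterns rather than at shared code; keeping the seeded-receiver variant alongside the fresh one is what makes the check sensitive to receiver-dependent behaviour like the one the summary describes.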
Very slim edge case (Score:1, Interesting)
Re: (Score:2, Insightful)
A few months ago you would've said "The possibility [...] is about the same as Trump being elected." but it happened! Even if chances are low, it can still happen!
Re: Very slim edge case (Score:1, Offtopic)
Ranges for Trump's election were 2-33 percent a year and a month ago.
I hope that's not the odds of this bug coming up, that seems quite high.
I'd actually put reelection at 25% personally.
Re: Very slim edge case (Score:5, Insightful)
I'd actually put reelection at 25% personally.
I give him 50%. He is unpopular, and the election is the Democrats' to lose, but the Dems have an immense capacity for squandering opportunities and self-destructing. If they nominate someone like Elizabeth Warren or Chuck Schumer, I don't see how they are going to carry a single southern state (maybe Virginia), or win much of the Midwest. They can't win with just the coasts. They have to flip either Pennsylvania or Florida. If they can flip both, they win. Otherwise they also need to flip either Michigan or Wisconsin. That will be very hard with a coastal lefty, and there are few moderate Democrats with national stature.
Re: (Score:2)
Re: (Score:2)
Shit happens.
Re: Very slim edge case (Score:5, Funny)
Congrats, you've managed to bring up Trump in a completely unrelated article. You guys are worse than Hitler.
Re: (Score:3)
That's literally what Slashdot has been since the election. Just a competition to see who can shoehorn the president into today's unrelated topic.
It's really quite pathetic. But it shouldn't be surprising when you realize all the industry experts have left Slashdot and moved to Hacker News.
No more John Carmack. No more Walter Bright (creator of D and dozens of compilers). They're all gone because the SNR of this site has gone from good, to parody.
Re: (Score:3)
FTFY
Re: (Score:3)
Really? Hitler whacked millions. Okay youse guys, how many have you whacked so we can run the numbers and get this Hitler accusation decided.
Re: (Score:2)
Re:Very slim edge case (Score:5, Insightful)
I remember, years ago, hearing pretty much that same argument (excepting the Trump reference) when the first jpeg executable exploit was discovered.
Once a flaw is known, it is a mistake to assume clever people won’t find a clever way to practically leverage it - no matter how obscure it seems at first glance.
Re: (Score:1)
Trump is actually projected to win, so greater than 50%?
Re: (Score:3, Funny)
You laughed at us Iranians when we got ahmadi-nejad, TWICE. Who's laughing now?
Re: Very slim edge case (Score:3)
We weren't laughing, we were watching in horror.
Re: Very slim edge case (Score:2)
Some other candidate: It only affects the case e = 1 with m != nil and a pre-allocated non-zero receiver.
Trump: Did'ya understand any of that? [laughter] Who needs that? […] Me neither! [cheer and applause]
Boom elected!
Re: (Score:2)
Re: (Score:3)
Like the code to my luggage! 1231!
It was 1234 but someone told me prime numbers are more secure so I changed it.
Re: (Score:2)
Re: (Score:2)
14389 is a prime with uneven digits in even positions
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Thinking that specific numbers or days of the week or years or similar are intrinsically better than others only makes sense within magic-like expectations
You can't hack my work account on a weekend, because the helpdesk is closed. Everything is turned off.
The first day back after the Christmas shutdown period would be the best time to do it, since the number of password resets being logged at the helpdesk will overload the poor people working there. They're going to be less vigilant with each call so they can get through them all.
What do you know... computer security does matter when it comes to specific days of the week and religion defined celebrations.
Re: (Score:2)
Re: (Score:2)
You are getting my statement out of context.
No, I'm winding you up.
Have been this whole time
Re: (Score:2)
Young Math is Best Math (Score:2, Funny)
Fuck you old people don't know your shit. Young rockstar coders need to reinvent your dinosaur wheels because you fucking suck.
Lol whut r codez iz bugged?!!
Re: (Score:2)
Actually, python is much more consistent and documented than go :(
Congratulations, msmash! (Score:4, Insightful)
You have composed what may be the world's most incomprehensible headline!
Re: (Score:3)
You have composed what may be the world's most incomprehensible headline!
Actually, he just copied the headline straight from the article (yes, I read it).
Re: (Score:2)
Working to stop go...got it.
Language specific (Score:1)
Re: (Score:3)
Because only Go uses the Go math/big package, and the issue is with how the math is done in that package?
Re: Language specific (Score:1)
Re: (Score:1)
So why is this a Go only problem and not one across all languages?
*snip*
Except all libraries are derived from earlier work done in the computing field all the way back to when they had to wire computers manually and before that pen and paper.
Remember kids, when you derive a new library for a new language, you still need to be capable of counting up to at least the same number as the old libraries can.
Go just can't count that high and gives up trying when it gets just one number away from the finish line.
From the article:
Vranken and Go developer Russ Cox agreed that the bug needs specific conditions to be manifest: "it only affects the case e = 1 with m != nil and a pre-allocated non-zero receiver."
That's expanded in the post, by way of ex
Re: (Score:2)
Re: Language specific (Score:2)
Re: Language specific (Score:1)
another f'd up headline (Score:3)
Will someone pull Slashdot out of the Dark Ages?
There was a time when it made (commercial) sense to capitalize every word in a headline. Yes, it made money for the hawkers of early newspapers. Big noisy obnoxious headlines made the news sound exciting and motivated people to spend a penny or a nickel.
How does this mess of a headline make money for Slashdot? How does it make the headline readable? Exactly what are the benefits of this abuse of the language in the age of the internet?
Wake up Slashdot. Look around- many publishers aren't living in the Dark Ages any more.
Re: another f'd up headline (Score:2)
Re: (Score:1)
Where there's one bug there's more. (Score:3)
It behooves them to look deeper, because it's always unclear whether those bugs are intentional or not. The more preconditions there are the more likely the issue wasn't organic.
Re: (Score:1)
Where there are no bugs, they're just hiding better. Works on real insects as well.
Re: (Score:2)
That may sound plausible if you've never looked at security issues; but if you actually look at the bugs behind security issues in more depth, it becomes obvious that such "lots of conditions need to be met" is pretty natural.
In a well-reviewed and well-tested project (as Golang's math library certainly is), the "obvious stupid" bugs were caught and fixed in review or testing. So the kinds of bugs that manage to slip past this filte
Re: (Score:2)