Assume your GitHub account is hacked, users with weak crypto keys told

GitHub has revoked an unknown number of cryptographic keys used to access accounts after a developer found they contained a catastrophic weakness that came to light some seven years ago.

The keys, which allow authorized users to log into public repository accounts belonging to the likes of Spotify, Yandex, and UK government developers, were generated using a buggy pseudorandom number generator originally contained in the Debian distribution of Linux. During a 20-month span from 2006 to 2008, the pool of numbers available was so small that it made cracking the secret keys trivial. Almost seven years after Debian maintainers patched the bug and implored users to revoke old keys and regenerate new ones, London-based developer Ben Cartwright-Cox said he discovered the weakness still resided in a statistically significant number of keys used to gain secure shell (SSH) access to GitHub accounts.

"If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time," Cartwright-Cox wrote in a blog post published Monday. "It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker."
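The practical defensive step behind this story is auditing the public keys on an account or in an authorized_keys file: fingerprint each key and compare it against a list of known-weak fingerprints (Debian shipped such lists in its openssh-blacklist package and checked them with the ssh-vulnkey tool at the time), and flag keys that are too short or use deprecated algorithms. The script below is an added example written for this page, not code from GitHub, Debian or Cartwright-Cox. It parses the OpenSSH public-key line format, computes the SHA256 and MD5 fingerprints the way ssh-keygen -l prints them, and reports findings. The sample keys and the blocklist are constructed in the script and are not real weak keys; a real audit would load a published blocklist instead.

```python
import base64
import hashlib
import struct


def _mpint_bytes(value: int) -> bytes:
    """Raw big-endian bytes of a non-negative SSH mpint (no length prefix)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw


def encode_openssh_pubkey(fields, comment: str = "") -> str:
    """Build an authorized_keys-style line from raw field bytes (type first)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    line = fields[0].decode("ascii") + " " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_openssh_pubkey(line: str):
    """Parse one public-key line (without a leading options field) into its parts.

    Returns (key_type, fields, comment, blob); fields are the length-prefixed
    strings inside the base64 blob, e.g. [b"ssh-rsa", e, n] for RSA.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix in key blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("key type in text does not match key type in blob")
    return key_type, fields, comment, blob


def fingerprints(blob: bytes):
    """(SHA256:..., MD5:..) fingerprints in the format ssh-keygen -l prints."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def rsa_modulus_bits(fields) -> int:
    """Bit length of the RSA modulus n (third field of an ssh-rsa blob)."""
    return int.from_bytes(fields[2], "big").bit_length()


def audit_key(line: str, blocklist=frozenset()) -> dict:
    """Report why a key should be revoked; an empty findings list means no issue found."""
    key_type, fields, comment, blob = parse_openssh_pubkey(line)
    sha, md5 = fingerprints(blob)
    findings = []
    if sha in blocklist or md5 in blocklist:
        findings.append("fingerprint matches known-weak key list")
    if key_type == "ssh-rsa" and rsa_modulus_bits(fields) < 2048:
        findings.append("RSA modulus shorter than 2048 bits")
    if key_type == "ssh-dss":
        findings.append("DSA key (1024-bit, deprecated in OpenSSH)")
    return {"type": key_type, "comment": comment, "sha256": sha, "md5": md5,
            "findings": findings}


# Constructed sample keys (not real key pairs; the moduli are arbitrary numbers).
WEAK_RSA = encode_openssh_pubkey(
    [b"ssh-rsa", _mpint_bytes(65537), _mpint_bytes((1 << 1023) + 1)],
    "constructed-1024bit@example")
OK_RSA = encode_openssh_pubkey(
    [b"ssh-rsa", _mpint_bytes(65537), _mpint_bytes((1 << 2047) + 1)],
    "constructed-2048bit@example")
ED25519 = encode_openssh_pubkey([b"ssh-ed25519", bytes(range(32))], "constructed-ed25519")

# Constructed blocklist: in practice load the published fingerprints of the
# Debian-era weak keys; here it simply contains our constructed weak key.
CONSTRUCTED_BLOCKLIST = frozenset([fingerprints(parse_openssh_pubkey(WEAK_RSA)[3])[0]])

if __name__ == "__main__":
    for line in (WEAK_RSA, OK_RSA, ED25519):
        r = audit_key(line, CONSTRUCTED_BLOCKLIST)
        print(r["type"], r["sha256"], r["comment"], r["findings"] or "ok")
```

Run it against a real authorized_keys file by feeding each line to audit_key with a blocklist loaded from a published weak-key list; lines that start with an options field (from="...", command="...") need that prefix stripped first, which this parser does not do.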

How the end of Patriot Act provisions changes NSA surveillance

Thanks to resistance from Senator Rand Paul and other members of the Senate, the provisions of the USA Patriot Act that were used to justify the National Security Administration's broad collection of phone call metadata have expired. The Senate leadership is now scrambling to pass legislation that will restore some of these provisions, though the phone metadata provision—Section 215 of the Patriot Act—will likely not be renewed as it stood prior to its expiration.

So what does that do to the NSA's surveillance capabilities from a technical standpoint? All it really does is change where phone records are retained—they're back at the telephone carriers. It may create some technical and administrative hurdles to gain access to records, but those are hurdles the NSA has likely already addressed.

Section 215 changed aspects of the Foreign Intelligence Surveillance Act to allow requests through the Foreign Intelligence Surveillance Court for secret warrants that would grant access to "certain business records" by the FBI—including individuals' library and medical records, book sales records, educational records, and other "tangible things" related to interactions with businesses and public institutions. The NSA's bulk collection of phone records was justified under this provision—the request was made jointly with the FBI, and the phone companies who were served with the warrants were compelled to provide the data directly to the NSA. Because of their secrecy, these warrants compelled those served with them not to reveal that they had turned over data.

