Menu
Menu
Little safety in a very small number

Little safety in a very small number

We're reporting to you today from the Myers-Briggs psychobabble and associated party tricks department here at the digital life labs - a division we set up several years ago, to investigate the use of psychological profiling as a means of hacking into computers to read our personnel files.

We're reporting to you today from the Myers-Briggs psychobabble and associated party tricks department here at the digital life labs - a division we set up several years ago, to investigate the use of psychological profiling as a means of hacking into computers to read our personnel files. It always seemed like a promising idea. According to the Myers-Briggs psychological profile theory, the world is populated by just 16 personality types, ranging from your shy, touchy-feely INFP (introvert, intuitive, feeling, perceptive) type, who usually ends up as a missionary or a school teacher, to your bolshie, some might say fascistic ESTJ (extrovert, sensate, thinking, judging) types, who usually end up in charge of something.

Well 16 is a pretty manageable number of types to deal with, don't you think, and our theory was that, if we were able to obtain the psychological profiles of our intended hacking victims, that might give us an insight into what sort of password the victims would choose on their computers. INFPs, for example, might have "teddy bear" or "Meg Ryan" as their password. ESTJs would be more likely to have "Mussolini", "Benito" or something like that.

We won't go into the details of how this theory worked, and of the few thousand passwords we came up with for each of the 16 personality types, because it turns out it's wrong.

It turns out there are not just 16 types of people out there in the world. Rather, there are precisely 32,768 types of people out there, and from a hacker's perspective, that's a far more manageable number. Each of those 32,768 types, you see, has just one password, common to everyone who shares that type. Hacking into their computers is as easy as pie.

News that there were just 32,768 types of people out there started to filter out a few weeks ago, when the makers of Debian, one of the world's most popular distributions of the open source operating system Linux, announced that they had discovered a bug in Debian's security software, OpenSSL. (OpenSSL is a separate project from Debian, and is used by many other operating systems in addition to Debian.)

In 2006, a Debian developer going by the name of Kurt Roeckx, who was packaging up OpenSSL to make it work nicely inside Debian, ran OpenSSL through a program known as Valgrind, a debugging program that scans programs to check that they don't inadvertently chew up a computer's memory. (Badly written programs will often take a slice of memory, use it, and then forget to hand it back when they're done with it. Such a memory leakage can cause a computer to grind to a halt, because the offending program gobbles up more memory the longer its runs and the computer eventually runs out of it.)

When Valgrind scanned OpenSSL, it reported that certain lines of code in OpenSSL had a problem with the way they handled memory. Kurt emailed the OpenSSL developers, asking about the problem, and suggesting that the simplest way to fix it was to simply remove two of the offending lines of code. In his email, Roeckx admits that he had no idea what effect that action would have, other than stopping Valgrind nagging about the error and maybe reducing the randomness of OpenSSL's random number generator.

Well apparently Kurt never got a reply to his email, because the lines that Valgrind was complaining about were removed from Debian's implementation of OpenSSL in 2006, creating possibly the biggest security hole the computer world has ever seen.

The lines of code that were removed in Debian were the lines that helped OpenSSL generate random numbers, for use in the public key cryptography that secures most of the world's computers from intrusion. Rather than being capable of randomly generating millions of security keys - so many that it would take a supercomputer billions of years to correctly guess one - Debian and the many operating systems that are based on it (such as Ubuntu) were for two years capable of generating only 32,768 different keys.

From a hacker's perspective, 32,768 is a trivial number. A computer can make 32,768 guesses in no time, and so hacking into any Debian machine that had its security key generated in the last two years can, it turns out, be accomplished in minutes, not millennia.

Worse still, computers have a file known as an authorised keys file - essentially a VIP list allowing one computer to come and go inside another, without worrying about the bouncers - and any computer running any operating system (including Windows) that put a compromised Debian key into its list of authorised keys can be hacked into just as easily as the offending Debian machine itself.

It's a major security debacle, but it's not without its upside.

For starters, it means that if you try to remotely log into a computer that one other person has logged into before, there will be a one in 32,768 chance that the machine you're logging into will log you in as that other person, because you happen to share the same key. This could make for serendipitous meetings, which could form the basis of long and passionate relationships, as you can see from the following conversation:

Computer user No.1: "Hey, we have the same public keys! What are the chances?"

Computer user No.2: "Why don't you use yours to let yourself into my bedroom tonight?"

Online dating services could be set up, which, rather than trying to match you based on some psychological profile, could just rely on your computer's public key, matching you with the millions of other people who share your key.

Once people have figured out their personal key, they could join a user group of people with the exact same key, freely logging into each others' computers, swapping recipes and play lists, and generally feeling like they belong. You could even get a T-shirt made with the key on it, so like-keyed individuals could easily spot each other in a crowd.

Or, at parties, you could sit around trying to guess each other's key, just like you can do with Myers-Briggs profiles, only with far less room for cheating.

Send comments to jdavidson@afr.com.au

Fairfax Business Media

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Error: Please check your email address.

Tags securitypasswordcomputersnew technologies

Show Comments