Hi folks,

Just a quick message to let you know that I've updating my GPG keys because of the issue described at http://www.debian-administration.org/users/dkg/weblog/48.

The new key is available by running gpg --keyserver keyserver.ubuntu.com --recv-keys EC66FA7D. You'll see that it's signed by my old key, 4DAD18FA.

The old key will be knocking around for a while, but I'll start using the new key to sign things straight away.

   -----BEGIN PGP SIGNED MESSAGE-----
   Hash: SHA1


 

     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA256
 

For the sake of records, this little message is signed with the new key
   and the resulting signed text is signed with the old key.
   - -----BEGIN PGP SIGNATURE-----
   Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBCAAGBQJKC+jUAAoJEL+CbdjsZvp9SNwQAII63IKWYuoZ8VzV0YGZmOUp
   Fu/EBr9hoBx84upATnFTAGHd3OvGxW25fHr6VaiFzkWJc0EebxYFaYT0qQT7fyXU
   GdNtXsLfFX2u+mw9Ci48T5tEFU2BZYzltv0cfww6m7/PpSB2agXcb6BOzMSqTzxt
   4mVEUvlqNfBC57Ds7FOcDnIv5IvT4RN6eLqxabSw6boworLyVUcjw8rMu2Fw0PDo
   /wKV77FLnn1FLf9zcPmZ41n4Oy5OCdTcymZq/BOTj/+a/5aa5HMY59QXp9W1VgKT
   wEBSb5d1flZ3BOa+Xh9f3boMIE81GnfIH4CuoBS0JMgaaRrMDVtnFZSjtNu36wp2
   NiLuGd+rPUTZhXDLA3bWT+C5ShupauE7eHIWMMAZcxq8N/WgYbLvDDvae2fhaQmm
   EmnWKwcMoNW/paao2zgFxQwXMBtVxbseWref4Bc7Z9FOz6hcjEpS2bY0s/5nAlf4
   iGr7/wtIgiCAw8vDaVph4uy3A3jXAUD9J8jFgeVdgdD3Zove5f8DPz2ba57lOBay
   +lqQ4jjz8DLhrvy8lS7SUqJaGhdWPvu2UUkBXCYXFH1ERYbP/PXW2kQrjbI/hrd5
   jQzEuseWoDNXipfdXzlan+guBfAddySCFejLy9n6ezvy1ZWUOTNqQHKs20z5mf6R
   uhSLUOuqJKGJNOo5oWpN
   =PdAw
   - -----END PGP SIGNATURE-----
   -----BEGIN PGP SIGNATURE-----
   Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoL6OAACgkQwutMq02tGPrtmwCfQ8PhNtDnTYt+K5cGLShmJhEW
   PgwAni3XdbRbPT+A9+rUOQLJj3JSvFe3
   =vSEU
   -----END PGP SIGNATURE-----
   

For the record, don't rely on FireGPG to verify the text above; it gets confused. Copy it to disk, gpg --verify it and then extract the inner section and remove the whitespace after the first '-' on the nested signature before gpg --verifying the result.

Graham Binns posted a photo:

Three hundred and sixty-odd days of 2008, day 339

A security camera watches the tourists walking along Queen's Walk under the London Eye.

This will only apply to Ubuntu users (server or desktop). Anyone who's not one can probably look away now.

An urgent Ubuntu Security Notice, USN-612-1, has just been put out. The full notice is here.

An extract of the salient details:

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

So, update and upgrade your systems now and regenerate your key pairs.