Psychic Signatures (Java Vulnerability) - Computerphile

The psychic paper in the TV show "Doctor Who" displays whatever the Doctor needs it to show at any given time. The Java vulnerability Neil Madden exposed is a digital version of this. Dr Mike Pound explains.


This video was filmed and edited by Sean Riley.


Comments

“Zero does indeed equal zero, as far as I can see, I haven’t noticed anything wrong with that” - lol, this is why I love Mike

anywallsocket

There is a small mistake here: this could not happen with a bank, because no bank uses Java systems newer than 11. More likely they are using Java 7 or Java 8.

_aullik

It's hilarious how accurate the Doctor Who reference is: a blank certificate is used to validate whatever credentials the system is looking for.

consciouscode

Mike's an amazing explainer, love the guy

jaopredoramires

Another interesting implementation bug for signature checking (aside from PS3's constant k mentioned by David Alvarez):
Wii used the strncmp function (for comparing strings) to verify whether or not the signature is valid, instead of memcmp (for comparing bytes).
A byte of value 0 signifies the end of the string, at least in the C(++) world, and causes strncmp to stop, even if there is further data.
As a result, only about 128 different combinations had to be brute forced until the expected value for a signature started with zero (out of 256 possible values for a byte). Even JavaScript could do that in millisecond(s).
This is called the Signing bug, or Trucha bug.

adul
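
As an added example (not from the comment above and not Wii code), the following C program puts the strncmp check beside a full byte comparison and runs both on two constructed 20-byte digests that share only a leading zero byte; the helper names and sample values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20 /* SHA-1 digest length used by the Wii signature scheme */

/* Vulnerable check, modelled on the Trucha bug the comment describes:
 * strncmp treats 0x00 as end-of-string, so when both digests begin with
 * 0x00 it returns 0 ("equal") without looking at the remaining bytes. */
int verify_vulnerable(const uint8_t expected[HASH_LEN],
                      const uint8_t actual[HASH_LEN]) {
    return strncmp((const char *)expected, (const char *)actual, HASH_LEN) == 0;
}

/* Hardened check: every byte is compared. memcmp would also remove the
 * early stop; the XOR/OR loop additionally avoids leaking the position of
 * the first mismatch through timing. */
int verify_fixed(const uint8_t expected[HASH_LEN],
                 const uint8_t actual[HASH_LEN]) {
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= expected[i] ^ actual[i];
    return diff == 0;
}

/* Constructed sample digests (not real data): both start with 0x00 but
 * differ in every later byte, so a correct check must reject them. */
const uint8_t DIGEST_FROM_SIGNATURE[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };
const uint8_t DIGEST_OF_CONTENT[HASH_LEN] = {
    0x00, 0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42 };

/* Returns 1 only if the vulnerable check wrongly accepts the sample pair
 * while the fixed check correctly rejects it. */
int demo_shows_bug(void) {
    return verify_vulnerable(DIGEST_FROM_SIGNATURE, DIGEST_OF_CONTENT) == 1 &&
           verify_fixed(DIGEST_FROM_SIGNATURE, DIGEST_OF_CONTENT) == 0;
}

int main(void) {
    printf("strncmp check accepts mismatched digests: %s\n",
           demo_shows_bug() ? "yes (bug reproduced)" : "no");
    return 0;
}
```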

Always nice when a Computerphile video drops!

python-programming

This is also a severe quality assurance problem.
Cryptography only works if it is checked completely.
Zero is one of the first things that should have been tested.
What company is responsible for this disaster of QA? Oracle?

zyxzevn

13:03 You should totally attend one of the Java Conferences held around the country and use that as your ID badge 🤣

bluegizmo

The most informative part for me was learning that some people actually use Java versions 15-17 :D

SkenonSLive

Almost every single major corporation I've worked at has some vendor that insists on using deprecated Java.
At one employer I set up a small workstation that was outside of our firewall perimeter, had AV and firewall software installed, and was scanned for malware every week.
At another employer it was not an option to do so, because the vendor in question was used by our accounting dept!
Several times a year I had to go in and eradicate every last trace of Java and re-install the old version. Got to keep those computers vulnerable so they can scan checks into our corporate bank account, with hundreds of thousands of dollars lying about.

NullStaticVoid

So, how important is it for that random k to be random? You can ask Sony about it: the private key used to sign games on PS3 was exposed because they picked the same random k every time.

genrazhan

7:32 "I have a marvelous explanation for how this works that the margins of this video are too narrow to contain." -Mike Pound, maybe

UB

13:03 would make a great out of context clip.

KyleAButler

I always love your videos. Thank you. I'm glad you are paid to do this. Thank you Nottingham

usnoozeyuloosey

Well that sucks. It really makes me wonder what other implementation errors are out there. As an app developer you trust that the standard lib is somewhat safe. Cool to learn about the process though.

hypergraphic

Wonder how that slipped through. Also wonder how it took THREE VERSIONS until it was patched. I mean, testing for a number to be within a range is just about the easiest, least labor-intensive task you could imagine.

thecakeredux

You have to give it to Oracle: it takes a lot of skill and effort to port C++ to Java and have the code get buggier somehow.

shukterhousejive

Omg people are still patching log4j or even hearing about it and now this? What a time to be alive

metalpachuramon

When you talk about security vulnerabilities, can you please give the CVE number? Or a link, or anything?

captainchaos

I loved psychic paper from Dr Who when I was a kid. Also great for the prop department. 😁

gworfish