What the fuck This month has a vulnerability on every single software imaginable, no one is safe

Bro is reporting every single vulnerability ever before anywhere else.

Vulnerabilities need to know that it's not April 1st anymore and that we're already overwhelmed

And they don't stop coming and they don't stop coming....

Have you guys heard about "insert new vulnerbility", is April's new motto

Algorithm. It has been awesome how many vulnerabilities found. Makes you wonder how many more are out there. Thanks, Kenny.

all these fucking bots in the comments and meanwhile google's too busy circlejerking about fucking adblock

I use Ed25519, which uses the fact that 2^255-19 is prime as a trick to make software implementations faster (modulo operations have software optimisations when you're close to a power of 2). As a bonus, the nonce can be any 255 bit number, such as sha256(concatenate(privkey, message)) trimming one bit. This is secure because the order of the generator point is guaranteed to be between 2^255-19 and 2^255-19 - sqrt(2^255 - 19) from Hasse's theorem, limiting any bias to sqrt(2^-255-19) which is not faster to crack than the baby-step giant-step algorithm. Obviously a quantum computer would crack the private key instantly using Shor's algorithm, but for now we're safe.

This channel for me is like manual for cyber security. Thank you

government agencies stash of exploits getting discovered this month, huh... (x2) linux exploit giving ring 0 xz poorly escaped strings in windows firewall not firewalling this crazy year for the tech world, no?

I don't know how I found your channel because I've never even been into tech, but you are just so entertaining.

You’re a legend, Kenny! I have no idea what you’re talking about in each video, but I understand your genius. Learning so much! ❤ you

SSH is being attacked constantly at this point.

Thank you for the work you do to keep people informed of these things 👍

A new day, a new vulnerability.

always grab some bio metrics such as mouse movement, microphone, camera pixel, and/or key stroke times to throw in with your RNG.

Thank you mental for keeping us informed!

Also the ongoing attacks on xmr and tor. Crazy

I'm really happy that a based individual that actually has some good shit on yt got recognized so fast. Keep on doing the good work

Lololol bruh my whole cs program has been based around utilizing putty to connect to the schools student machine. Awesome hahahahahahahahab

Outlaw has been such a good resource for me breaking into cyber security

Return 4. Chosen by fair dice roll. Guaranteed to be random. - xkcd

Of course it's far too early for drawing conclusions, but NIST keys have been the subject of skepticism by cryptographers for quite some time, and this exploit was specific to NIST ECC curves (created by the US government) not Ed25519 or RSA...

thanks for the save. I had a vulnerable version.

Love when I get notified for another banger video

very important stuff indeed. Mental Outlaw 1st man on deck!

Me about to check my version when a whole sting of words come out that probably indicate that I am not in the vulnerable group. I'll finish watching and finish dinner before I update.

Why are all these CVEs and RCEs coming out, you think some AI algo is finding them?

Thank you for your service 😆

Thank-you I was just using putty this morning...

What a wild month. Major vulnerabilities in almost everything.

April being a significant month for security vulnerabilities is not all that surprising when you look at all the macro forces at play. The majority of CVEs are discovered by consulting firms hired by organizations to perform security testing. Due to the budgetary schedule, security testing is normally performed at the end of a quarter. Q1 Jan-Mar, Q2 Apr-Jun, Q3 Jul-Sep, & Q4 Oct-Dec. Standard practice is to wait 90 days (1 Quarter) before disclosing a new vulnerability. Because of these two factors, the majority of CVEs will almost always be disclosed Mar-Apr, Jun-Jul, Sep-Oct, & Dec-Jan. Especially so for Mar-Apr & Dec-Jan as the beginning of the year sees the highest releases of new products and the end of the year has the highest spending to clear any surplus budget. Many of us are data scientists, I don't believe in coincidental trends. I would be interested to hear if anyone has any opposing opinions, this is mostly informed from my own experience in the industry.

I always knew there was a reason to stick with hash-like passwords....

This year is wild

ECDSA an asymmetric cryptography algorithm I have always avoided because of security concerns. So no action needed. 🤓 EdDSA on the other hand is an Elliptic curve cryptography algorithm that I have used and are using. Much shorter keys than RSA 4096 and not potentially vulnerable to prime factorization using Shore's algorithm on potential future and practical quantum computers. Interesting video though! 👍

PHP had a venerability found as well!

So glad i haven't been using ECDSA!

Your videos are addictive. I keep waiting for the new upload every single day.😂

I've never seen a 521 bit key, never even saw that as on option. I wonder if anyone is affected.

Am watching ads for you Kenny 🎉

Hi Kenny I love your videos

Wow, I thought this is just poor randomness. Cool vulnerability!

I started programming in 1979 and all the programming languages except assembly/machine code had random number functions and all the OSes have had random number APIs. But what does apply to "these days" is that the RNGs have been getting better and better and random number hardware has become more common since cryptography started getting more and more mainstream.

Well then... guess it's time to go back to banging rocks together, hope Grog doesn't steal my rock.

10-15 years ago there were wide open vulnerabilities on every software and nobody cared. Now every edgecase makes headlines.

tomorrow is the birthday of Austrian painter as well. can't wait to see what vulnerability will be discovered in Polish systems.

I have had a lot of system updates this month

lol even tf2 wasnt safe this month, by doing some memory fudging you could upload a really large image onto a sign, photo badge, or badges, that nornally other clients wouldnt have to process, but are now forced to with this exploit, resulting in a texture OOM crash if you ever come into render distance of one of these signs

I suppose I'm safe, since I only use PuTTY within my own network. I don't believe I'm using the exploitable key type anyhow. I'll update ASAP just to be safe though. Thanks for the heads-up.

Since the last weeks I only hear about vunerabilities what the ... is going on man

Someone has to make an advent calendar with these. Every day IT admins and security specialists would open one and be like "Yaaaaay, this isn't our software!"

wow double brimstone combination 😮

Seems like some higher-ups finally understood just how dangerous software vulnerabilities are. But where one backdoor closes...

Seriously though, I have NEVER seen an ECDSA PK used anywhere. Not to say someone out there doesn’t use one…but it’s definitely a fringe case.

When do you drop your first DJ set?

I am currently studying cyber security but I do have a question. I’m not sure if it is silly but, How is it that these vulnerabilities are found? Are there people constantly hunting for vulnerabilities and bugs? Or are people exploiting these vulnerabilities which eventually raise alarms?

I've been using built-in OpenSSH on Windows for years.

“wake up babe, Mental Outlaw just posted”

FUCK. I love your channel, especially the opsec stuff. But it makes me have to do all this extra stuff I never cared about before. As they say, ignorance is bliss XD

Vulnerability and TechImma1st

yo what, Time to go check my stuff

Does this also affect you if your key was stored in a Yubikey?

this is what i dreamed about whenever i roaming for pokemons

God im glad im not a security admin this month

King Puddy!

Why did I think this was a video about Melee

Luckily I always go directly to the different headless servers directly from the terminal of my MacBook or through Powershell, zsh or bash on Windows or Linux workstations. I really don't get why people still use putty while the ssh command is on any terminal.

just as we taught cybersec is getting tighter these late years, this year comes with wild vulnerabilities and exploits !

They just keep coming OUT! What is happening

Good morning! 🙌😁

Eliptic curve anything is vulnerable, right?

So is ai being used to discover vulnerabilities (and this is our first glimpse at the ai terror) or have things just been F'ed this month

Windows Brothers use Powershell ssh

Steady lads we only 4 months in.

Ahh yes it's all coming together

I'm not entirely sure that having literally everyone just stick always to the "industry standard" is the best thing. If that were the case and a vulnerability were to be found in such industry standard method, that would mean *no one* would be safe and we would have little or no options to switch to asap 😐

what about edcsa brainpool 521 curve???

It actually is volnurability month

I used to use programs like PuTTY and WinSCP to transfer files, because they are well known and recommended everywhere. But at one point I thought: This is dumb. Why should I use a special file explorer just to access a different kind of file system? Now I only use software that acts as a filesystem driver and can mount directories to a drive letter. Thus, every other program on my system can access the files, not just one special program. It's a much more sensible approach in my view.

Does this go for PGP/GPG also?

what if dudes just use RSA with a VERY high number of bits?

thats why i dont use private keys aka the honeypotkey

WINSCP just issued an update 6.3.3

wow

So many vulnerabilities, it's like the Bogdanoff twins are trolling us from beyond the grave.

the thing i dont get is, why would someone use putty instead of the 'ssh' cli tool?

😱

Normies might be screwed

Nonces means something else where I'm from.

Like this kind of content ... 🎉

At the beginning of your video, you showed a website that is not actually affiliated with the creator's website.

there wont be any vulnerability if you dont notice it 💀

The KZbinr Pudi is way more random than the Putty algorithm haha

Did someone leak the source code for Pegasus?

Bro I was gonna install putty for my raspberry pi. What should I use instead? I’m trying access it but don’t know what to do… 😢

I love the videos man 👍

Ruh roh

How the fuck does windows not have bundled ssh capabilities yet?

Copying random code from the internet are worse than doing it yourself, the only real solution is to use a well maintained library, preferably one that gets updated automatically by the operating system.

Whats that first line you typed ?