There is a small mistake here, this could not happen with a bank cause no bank uses java systems that are newer than 11. More likely they are using java7 oder java8

“Zero does indeed equal zero, as far as I can see, I haven’t noticed anything wrong with that” - lol this why I love Mike

It's hilarious how accurate the Doctor Who reference is, a blank certificate is used to validate whatever credentials the system is looking for

This is also a severe quality assurance problem. Cryptography only works if it is checked completely. Zero is one of the first things that should have been tested. What company is responsible for this disaster of QA? Oracle?

13:03 You should totally attend one of the Java Conferences held around the country and use that as your ID badge 🤣

So, how important is for that random k to be random? You can ask Sony about it, the private key used to sign games on PS3 was exposed because they picked the same random k every time

Another interesting implementation bug for signature checking (aside from PS3's constant k mentioned by David Alvarez): Wii used strncmp function (for comparing strings) to verify whether or not the signature is valid, instead of memcmp (for comparing bytes). A byte of value 0 signifies end of the string, at least in in C(++) world, and causes strncmp to stop, even if there is some further data. As result, only about 128 different combinations had to be brute forced, until expected value for a signature started with zero (out of 256 possible values for a byte). Even JavaScript could do that in millisecond(s). This is called Signing bug, or Trucha bug.

Mike's an amazing explainer, love the guy

13:03 would make a great out of context clip.

Almost every single major corporation I've worked at has some vendor that insists on using deprecated Java. At one employer I set up a small workstation that was outside of our firewall perimeter, had AV and firewall software installed, and was scanned for malware every week. At another employer it was not an option to do so, because the vendor in question was used by our accounting dept! Several times a year I had to go in and eradicate every last trace of Java and re-install the old version. Got to keep those computers vulnerable so they can scan checks into our corporate bank account, with hundreds of thousands of dollars laying about.

Always nice when a Computerphile video drops!

The most informative part for me was learning that some people actually use Java versions 15-17 :D

When you talk about security vulnerabilities, can you please give the CVE number? Or a link, or anything?

7:32 "I have a marvelous explanation for how this works that the margins of this video are too narrow to contain." -Mike Pound, maybe

Well that sucks. It really makes me wonder what other implementation errors are out there. As an app developer you trust that the standard lib is somewhat safe. Cool to learn about the process though.

Wonder how that slipped through. Also wonder how it took THREE VERSIONS until it was patched. I mean, testing for a number to be within a range is just about the easiest, least labor-intensive task you could imagine.

I always love your videos. Thank you. I'm glad you are paid to do this. Thank you Nottingham

Wow, that’s a really embarrassing bug. I can’t believe that made it into production…

Omg people are still patching log4j or even hearing about it and now this? What a time to be alive

I loved psychic paper from Dr Who when I was a kid. Also great for the prop department. 😁

Oh no! Anyways... *continues programming in Java 8*

So send... an owl... to Java (0,0), and Java capitulates. Got it.

You should totally do an episode covering the nitty gritty of the proof. That would be awesome!

Maybe when porting the source code from C(++) to Java, the programmer thought the (r != 0) and (s != 0) checks are typical "nullpointer checks" and are not explicitly needed in Java? And therefore omitted these checks?

Never felt so happy about still running Java 1.8 :)

You have to give it to Oracle, it takes a lot of skill and effort to port C++ to Java and have the code get buggier somehow

Very clear video thank you !

11:03 Yes it's used everywhere on the web. Those social media posts with faulty algebra cancelling out denominator x when it must be zero are all over the damn place!

5:25 camera man, thank you so much.

How has this only a CVSS Score of 7.5? Seems like extreme critical!

Very cool

Dr.Pound pulling off the deep V. Wild times, for a wild man. Keep the videos coming!

Dammit Alice, you had 0 job! Dammit Alice, you had ∞ job! # # Alice, you have the job!

Wow, who did not test this after implementation? Maybe testing edge cases before release would have helped.

I like to imagine a high flying java dev looking at the spec and thinking "I don't really need that check. Gosh, what were they thinking?" and then don't implementing it cause it's obviously unnecessary.

Yay Mike!

It's a shame there's not a sci-fi show in the US that the overwhelming majority have glommed onto the way those in the UK have for Doctor Who. It's more fringe than mainstream for people here to like sci-fi, and that's sad.

I've heard about this being a bug in Oracle JDK, was OpenJDK also affected?

"The math is sound but the implementation is off" / "What are the implications of this?" The implications are that security packages need to be compiled from provable code!

5:05 math notation for the property of an object is commonly the sub notation

This is my argument against one of my (slightly annoying) colleague who insists on always running the latest version of everything, heck, he would run a nightly snapshot build of Java in production if he could. I mean yes, patch known bad versions, but I still run most of my stuff on Java 11.

“Psychic Signatures.” Well, now we know who will be playing the next Doctor. ;-)

very interesting

Love Doctor Who reference here

Its the Kneel Madden name that i love the most

My first thought about the check was what if it was 0 the system would find a huge fault as 0 can cancel out all the multiplication and creating a true statement.

Roll an El-Gamal with DHKeys. Of course with the 512 limit if statement in the generator removed.

Content post-ECDSA starts at 8:52.

I understand that it's important that k always be unique. But does it need to be random, or can it be deterministic (such as via a hash on the message being signed)?

Ow... this isn't even the same issue affecting most online Java Spring JWT guides (as of a couple years ago when our team fixed a vulnerability that would allow arbitrary tokens to authenticate.) Spring developers: The bug was in decoding a token and checking to see whether the person was actually authorized, either the sub or the name field. The user could have a non-valid session and still gain access. I'm very sorry I can't remember the details. Several other large projects we were in contact with had the same bug. It's one of the big reasons I actively avoid Java and especially Spring projects now; the piecemeal and easy-to-mess-up implementation of security via plugin lost all of my trust. Security libraries shouldn't make security holes so easy that they're the most common implementation!

Well, I understood as far as "there are two people called Alice and Bob who want to talk privately"

When you port something, why would you ever leave out checks when it comes to security sensitive implementations?

I waved a white paper with zeros and the front desk security let me through. Nice!

0:52 I think it's Json web tokens and not Java web tokens :)

11:52 key ant

Java, more than 1 billion unsecure devices ;).

You could substitute "I've performed the necessary checks in the elliptic curve digital signature algorithm" for any instance of "I've reversed the polarity of the neutron flow" and nobody (except the kinds of nerds who like to overanalyze fictional technobabble for fun) would notice

Nice

Can you guys do a video about LLL?

Java has been involved in SO MANY serious CVEs over the last decade or so.

The only thing I took away from that video was Alice and Bob. T-T time to go study.

Maybe I misunderstood something but from what I gathered, they check that r and s are in the range of [1..n-1] but they do not explicitly check if they are 0. But if they are 0 they would be outside of the valid range. Did they forget to check the range too or did I misunderstand something?

Do we already have a post-quantum encryption video?

i'd like to imagine the doctor just time travels back n time , becomes the found of whatever institution he wants to enter , and then programs the piece of paper/monitor to display his credentials when faced with a person ... just to imnpress the companion :D

Why they did not have a unit test for this boggles the mind. When building unit tests for cryptography, the spec is the first place to look for test cases. After many years as a lead Java developer on enterprise systems, glad I don't touch it any more.

nice guys

Multiplicatve inverse of zero returns zero because its assumed the programmer would check first and not try to do such nonsense so the function doesn't generate an error. Overall the situation could be seen as a bit of don't fix what aint broke. The original code worked perfectly and they replaced it cause reasons and messed it all up.

So they patched it in JDK19, but will JDK17 be patched? I ask since JDK17 is the LTS release.

Damn. I'd watch several hours worh of lectures about cryptography, encryption, eliptic curves, all focused on how to actually implement it in code.

* 3am, i really should be asleep * me watching this video: ( 0 , 0 )

remember when people robbing you stealing your bank login online was common back in the day but now it isn't? it's all about transferring information across a wire that is only valuable when it is in the correct place so hacker thief's always get useless jargon if the try to read the info on the way around the internet (encryption)

huh I just realized Dr Pound is left handed.

just don't forget to like and subscribe, before you run off patching your java servers.

I still don't get how the inverse of s (s^-1) gets returned as 0 when s=0. Shouldn't that cause an exception?

I dunno, porting the C++ version but skipping the check for zero's kinda sounds deliberate.

Does Dr. Mike Pound have a KZbin channel or something?

Death, taxes and security issues related to Java.

So the patch version is like Java saying, "I am universally recognized as a responsible adult"? 😁

Checking the case where r=0 and s=0 should be part of the automated testing for Java builds, before going onto other levels of testing. Checking this is required by the spec. A rookie mistake.

Why does every university love to use Alice and Bob My Contemporary Topics module also uses Alice and Bob to explain Public Key Encryption

I thought banks still use COBOL …

So, uh, can we see the piece of code where the bug was?

Great explanation. That’s like the 3rd massive Java security issue in very recent history. Are people getting tired of running this legacy language yet?

Food for algorithm ;-)

2:43 would Steve Mould be the one to step outside the mold? no, he is the Mould 13:10 "before this video began" if I had a TARDIS I could

Sounds like they forgot to Just Read The Instructions.

bhadiya

I'm just gonna bank on the fact that no one is gonna want to hack my Minecraft server running Java 17.

What is so wrong with this is not only they didn't test it but for some reason there were no divide by zero exception. You always and forever when handling exception. Handle them specifically simply using a try and catching an exception of the basic exception class is the worst idea ever. The entire point of using a strictly typed language like java in your backend is you know for sure your code will crash when it has a bug. So you don't simply wrap it in big try catch that catches any and all exceptions to print out error or perform the default action. You are actually better having an implemention error that crashes your backend so even if you publish it in beta release and you didn't test it that well a user will crash it and when that happens you will find out and patch it. Which is a lot better than having a security vulnerability for 3 major releases in this case.

hain sab kuch ,

Seeing Dr. Mike having some white hair makes me feel old.

It also seems that some unit tests where missing. For algorithms like this at least 2 people should be writing code : 1 to implement the algorithm, 1 to implement the unit tests. Or at least the output of the existing C++ algorithm should have been matched to the java implementation.

akash,

Wow

You always have to bounds check your inputs. Sadly programmers are lazy (i know i am) and don't do it all the time. Sometimes this just means your program is buggy. Other times it ruins peoples lives. So programmers, please be better! ^-^

This guy pronouncing "r" is the base for villager sounds in Minecraft.

Lions watch Kilogram's videos twice & still never figure out the crytography math. He could easily make $1/2 million at goog.

With all these problems Java has, it's long overdue for retirement.

Far too much "don't worry about the details, it just works" What is 'n as in n-1? How, does Alice get G?...........

You called him "Doctor Who" and I'm very angry! >:O