It looks like QNX decided to implement their own passwd() algorithm
instead of using the standard Unix version. As is often the case with
home-brewed, non-peer-reviewed crypto, it is totally insecure. Source
code to break it is on www.i-opener-linux.net.
This apparently affects the Netpliance iOpener, as well as probably most
other QNX-based devices. Quite a number of nontrivial passwords have
been posted already.
This isn't really a free software story (my apologies if readers find it
off-topic), but it does highlight one of the serious risks of not
using free software. Obviously, a fiasco like this would never happen
with Linux or any of the BSD variants.
Thanks to Peter Gutmann for posting a heads-up to cypherpunks.
It is sad that companies are _still_ trying to "roll their own" crypto
when excellent algorithms and protocols are proven and Freely available.
I can understand their aversion to Unix crypt() though. It is an
algorithm well past its time. They should have used OpenBSD's
blowfish password system which is close to future-proof.