Long story short: you can't generate error messages that reveal whether messages decrypted properly, or attackers can permute and replay valid messages and use them to reveal plaintext. This touches on the same radioactive mistake Atwood made earlier this week, but even if you don't make his mistake, there are simpler implementation errors you can make that have the same impact.
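To make the point concrete, here is an added example (not code from the original thread, and not OpenSSH's code) of the implementation error the comment warns about: a receiver for an SSH-style encrypt-and-MAC packet (4-byte length field, payload, padding, CBC ciphertext followed by a MAC over the plaintext) that tells the sender which check failed, beside one that runs every check and reports a single indistinguishable failure. The 16-byte block cipher is a hypothetical HMAC-based Feistel stand-in for AES so the file needs no third-party library; the keys, IV, packet format, `MAX_PAYLOAD` limit and function names are all constructed for the illustration.

```python
import hashlib
import hmac
import struct

BLOCK = 16          # block size of the toy cipher, in bytes
TAG_LEN = 32        # HMAC-SHA256 output length
MAX_PAYLOAD = 256   # constructed upper bound a receiver enforces on the length field

# Constructed demo keys and IV so the example is deterministic; never use fixed values like these.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
IV = b"\x00" * BLOCK


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _block(key, blk, rounds):
    # Toy 16-byte block cipher: a 4-round Feistel network whose round function is
    # HMAC-SHA256. A hypothetical stand-in for AES, NOT a real cipher.
    l, r = blk[:8], blk[8:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l


def block_encrypt(key, blk):
    return _block(key, blk, range(4))


def block_decrypt(key, blk):
    return _block(key, blk, reversed(range(4)))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def _seal_body(body):
    # SSH-style encrypt-and-MAC: CBC ciphertext followed by a MAC over the plaintext body.
    return cbc_encrypt(ENC_KEY, IV, body) + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


def seal(payload):
    body = struct.pack(">I", len(payload)) + payload
    body += bytes(-len(body) % BLOCK)          # zero padding up to a block boundary
    return _seal_body(body)


def open_leaky(packet):
    """Receiver that reports WHICH check failed: its error message is a decryption oracle."""
    if len(packet) < BLOCK + TAG_LEN:
        return None, "short packet"
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    body = cbc_decrypt(ENC_KEY, IV, ct)
    (n,) = struct.unpack(">I", body[:4])
    if n > MAX_PAYLOAD or 4 + n > len(body):
        return None, "bad packet length"       # reveals the decrypted length field was out of range
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return None, "corrupt MAC"             # reveals the decrypted length field was acceptable
    return body[4:4 + n], None


def open_uniform(packet):
    """Receiver that runs every check and reports one indistinguishable failure."""
    if len(packet) < BLOCK + TAG_LEN:
        return None, "decryption failed"
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    body = cbc_decrypt(ENC_KEY, IV, ct)
    mac_ok = hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag)
    (n,) = struct.unpack(">I", body[:4])
    length_ok = n <= MAX_PAYLOAD and 4 + n <= len(body)
    if not (mac_ok and length_ok):
        return None, "decryption failed"       # same message, and same work done, for every failure
    return body[4:4 + n], None


def demo():
    good = seal(b"hello, world")
    flipped_tag = good[:-1] + bytes([good[-1] ^ 0x01])   # damage only the MAC
    flipped_ct = bytes([good[0] ^ 0x01]) + good[1:]      # damage the first ciphertext block
    # A body whose MAC is valid but whose length field is absurd isolates the length check.
    huge_len = _seal_body(struct.pack(">I", 1 << 31) + bytes(BLOCK - 4))
    probes = (flipped_tag, huge_len, flipped_ct)
    return {
        "plain": open_leaky(good)[0],
        "leaky": [open_leaky(p)[1] for p in probes],
        "uniform": [open_uniform(p)[1] for p in probes],
    }
```

Running `demo()` shows the leaky receiver answering the three malformed packets with two different strings, while the uniform receiver answers all three identically. The quoted paper's own recommendation, switching from CBC to CTR mode, removes the underlying reason a modified ciphertext block decrypts to an attacker-steerable length field; collapsing the error channel, as `open_uniform` does, is the separate implementation-level discipline the comment is asking for.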
A good deck from 2005, from the same group cited here:
I could dispute whether this is really a "design error" in OpenSSH, in that you wouldn't want to imply that this was particularly hard to fix; the fix, for instance, won't break compatibility.
Would have been nice for the zdnet article to provide a link to it.
"The most straightforward solution is to use CTR mode instead of CBC mode, since this renders SSH resistant to the attack."
there is also this page:
both one level down from that one.
"They've fixed [OpenSSH]; they've put countermeasures in place to stop our attack," said Patterson. "But the standard has not changed."
"We were unable to find the page you requested."