pinkas.net — A recent paper (pdf) details how flaws in the random number generator embedded in the Linux kernel expose critical security vulnerabilities. One particular attack is laid out.
May 8, 2006
sundancekid503 May 9, 2006
I've got some random numbers for you guys... 7.... 48... 5
If you want more, check out my profile on eBay.
tylerl May 10, 2006
Inaccurate. Alarmist. FUD. Inexcusable self-promotion.
The gist of the article is that the built-in Linux random number generator is too predictable to use in cryptography. This is old news, and true for all major operating systems. The RNG provided by the OS is NOT DESIGNED TO BE USED IN CRYPTOGRAPHY. The built-in RNG is strictly designed for general utility purposes; that is, it's optimized to provide the most uniform distribution of results with the least resource consumption, rather than be unpredictable to attackers.
Cryptography-grade RNGs are a totally separate product, always independent of the OS. If you know enough about cryptography to understand that you need a secure RNG, then you also know that the OS never provides that RNG. That's why products like OpenSSL come with their own random number generators. These researchers most certainly know better. The fact that they published this paper is inexcusable. They're just trying to make a name for themselves at the public's expense.
No Digg.
Closed Account May 10, 2006
Research takes time.
nonlnear May 10, 2006
If you read the article, you don't seem to have understood any of it. It's not a "small error"; it's a fundamental design flaw. (Actually a few.)
And frankly, even if he did say "lack of documentation" as many times as you think he did (which he didn't), it's warranted. The process that the authors went through was painfully tedious. And most of it was completely unnecessary - but for lack of documentation.
I'm a big fan of Linux (mostly), but I'm no fanboy. Sadly, in this case the "many eyes" theory seems to have been working in reverse. I applaud the efforts of the authors, and hope that their recommendations are taken very seriously.
Closed Account May 10, 2006
Is it patched yet? I went on Synaptic and saw a new kernel update was available; I assume that's it.
allenu May 10, 2006
It's capable of spitting out the digits of Pi as well, but is it likely? No. You don't need an infinite number of samples to determine such an obvious trend.
moocha May 10, 2006
Tommstein: Heisenberg's Uncertainty Principle, for one.
Closed Account May 10, 2006
"I don't see why he had to put the word Israel in the title in the first place."
Because they were from Israel?
jams May 11, 2006
Because I didn't read the headline/article properly and made a stupid comment. So I went back and edited the comment.
Closed Account May 11, 2006
Since you've all obviously missed it, that was a Dilbert reference.
moocha May 11, 2006
Tommstein: You either missed the original poster's point, or you're trying to sidetrack the argument... It's about random numbers, not the nature of divinity, or, generally, about metaphysics. It is not possible to computationally predict particle emissions stemming from radioactive decay, so for the purposes of the topic at hand, they are random.