[ROS] The perils of security tools
Ben Laurie
ben at links.org
Tue May 13 18:45:06 EDT 2008
Steven M. Bellovin wrote:
> On Tue, 13 May 2008 23:27:52 +0100
> Ben Laurie <ben at links.org> wrote:
>
>>>>> Ben: I haven't looked at the actual code in question -- are you
>>>>> saying that the *only* way to add more entropy is via this pool of
>>>>> uninitialized memory?
>>>> No. That would be fantastically stupid.
>>>>
>>> So why are are the keys so guessable? Or did they delete other
>>> code?
>> "However, the Debian maintainers, instead of tracking down the source
>> of the uninitialised memory instead chose to remove any possibility
>> of adding memory to the pool at all."
>>
> Ah -- you wrote "adding memory" rather than "adding entropy", which I
> found ambiguous.
I must confess that I said that because I did not have the energy to
figure out the other routes to adding entropy, such as adding an int
(e.g. a PID, which I'm told still makes it in there).
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list