[ROS] The perils of security tools

Steven M. Bellovin smb at cs.columbia.edu
Tue May 13 18:35:24 EDT 2008

On Tue, 13 May 2008 23:27:52 +0100
Ben Laurie <ben at links.org> wrote:

> >>> Ben: I haven't looked at the actual code in question -- are you
> >>> saying that the *only* way to add more entropy is via this pool of
> >>> uninitialized memory?
> >> No. That would be fantastically stupid.
> >>
> > So why are the keys so guessable?  Or did they delete other
> > code?
> "However, the Debian maintainers, instead of tracking down the source
> of the uninitialised memory instead chose to remove any possibility
> of adding memory to the pool at all."
Ah -- you wrote "adding memory" rather than "adding entropy", which I
found ambiguous.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb