[ROS] The perils of security tools

Ben Laurie ben at links.org
Tue May 13 18:45:06 EDT 2008

Steven M. Bellovin wrote:
> On Tue, 13 May 2008 23:27:52 +0100
> Ben Laurie <ben at links.org> wrote:
>>>>> Ben: I haven't looked at the actual code in question -- are you
>>>>> saying that the *only* way to add more entropy is via this pool of
>>>>> uninitialized memory?
>>>> No. That would be fantastically stupid.
>>> So why are are the keys so guessable?  Or did they delete other
>>> code?
>> "However, the Debian maintainers, instead of tracking down the source
>> of the uninitialised memory instead chose to remove any possibility
>> of adding memory to the pool at all."
> Ah -- you wrote "adding memory" rather than "adding entropy", which I
> found ambiguous.

I must confess that I said that because I did not have the energy to 
figure out the other routes to adding entropy, such as adding an int 
(e.g. a PID, which I'm told still makes it in there).

http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list