(And don't forget the French!)
I think you forgot "FCUK NSA" somewhere in that NSA food... Or is it "FSCK GCHQ"?
Anything that has a USB port, really.
Essentially, anything that is run by NGOs or individuals.
Sure, in a corporate or governmental/military environment, USB ports are usually a big ''no no'' but some of us like them USB gadgets.
(Yes, before anyone asks, there has been infiltration through contaminated USB drives and keys ''abandoned'' in strategic locations...)
No, not extortion against Tails - extortion of money from the NSA or whoever else their ''clients'' are.
I am sure a lot of TLAs right now are salivating -- unless they have discovered these vulnerabilities before Exodus. In which case, silence can be golden, indeed.
how come you have spent years designing and programming PRNGs
I do them in hardware, where they should be. Software is no place for an RNG.
Good for you. Not everyone can afford a hardware PRNG, though, so software it is for most of us.
Precisely - which is why PIDs are randomized on OpenBSD since... well, a long long time.
Try "ps -auxwww" on, say, Mac OS X and OpenBSD and the difference is truly evident.
I've spent the past 5 years of my life fully employed in the design, creation, testing, and deployment of secure RNGs.
Citation needed. Seriously, this is
The world is full of bad PRNGs, NRNGs, CSPRNGs, DRBGs, TRNGs and any other form of RNG.
I will grant you that one.
LibreSSL doesn't have a leg to stand on. A good secure RNG will return unpredictable output.
Bzzzzt! Sorry, you lose. As I have already said, this is not a LibreSSL problem - it's a Linux PRNG problem. Unless I am mistaken, the same issue is non-existent under OpenBSD, because its PRNG is different from Linux, better seeded and because PIDs are randomized under that OS.
We know how to do these things. It isn't trivial, but it isn't hard either.
You contradict yourself: if programming PRNGs is, let's say, a medium difficulty task (neither trivial nor too hard), how come you have spent years designing and programming PRNGs (your words, not mine) and how come the world is full of bad bad bad PRNGs? Surely, by now, everyone would have agreed on a reasonable implementation?
The truth is, PRNGs are HARD to program, because computers are not good at generating truly random numbers. Period. The best implementations all rely on some form of hardware generator. But don't take my word for it, go ahead and read this instead.
Allowing someone to extract predictable behavior from the service end of a security library is a gross failure and an exposition of incompetence.
As opposed to the magnificent job OpenSSL has done all these years, with information leakage, bug reports that went uncorrected for years and accumulated cruft for such modern OS as VMS, DOS and Windows 3.1?
I think you need to tone down the hysteria a notch right here.
I'd say this is almost a best case scenario even, so far the only bug found was one that could not easily be exploited, and it was patched. The response from Beck was, by OpenBSD standards, tactful.
For different values of "tactful", of course...
Incorrect. If your PRNG is garbage, all crypto is also garbage.
A car analogy - if I know where and when you started driving I can make fairly accurate guesses of your location without having to rely on GPS tracking.
That is absolutely right, but I will note right away that this is a problem specific to the Linux PRNG - OpenBSD does not have this vulnerability (also, because PIDs are randomized under OpenBSD)...
Oh boy, there is so much wrong here... Where to start?
First of all, OpenSSL problems are not ''getting fixed''. Part of the problem is that funding for OpenSSL was primarily based on company XYZ sponsoring function ABC. This gave incentives to the OpenSSL devs to add more functionalities on top of the cruft, the horrible mess that was the code base. More funding equals more developers equals more eyeballs, but we haven't seen the progress so far.
Second of all, OpenBSD has given a HUGE amount of (BSD licensed) code to the rest of the world, Linux included. Try typing "ssh -V" on any Linux machine and I can guarantee you will get OpenSSH. And if you are like me, this is something you use EVERY. FREAKING. DAY. So please stop the trolling about OpenBSD, mmmmkay?
Third, the amount of code that has been cleaned up, improved, deleted and just plain scrubbed is simply amazing. You can say whatever you want about OpenBSD cranky devs, they know their stuff and they know their way around C code.
Fourth, OpenSSL is BSD/Apache licensed, and not GPL, so stop spouting off about supporting GPL software - not everything has to be blessed by Stallman to be acceptable. And, yes, the Linux Foundation recognizes this - while you don't.
There is not just ''cruft'' in the code base: if I remember correctly, they removed thousands upon thousands of lines of code from OpenSSL - think VMS, Borland C, Windows 3.x, MS Visual C++ (etc) support.
And they tested the whole thing on the OpenBSD ports - so far, nothing has been broken.
Oh and FIPS support? Not gonna happen. Bob Beck has been very very clear on that subject. OpenBSD does not care too much about US government standards.
That was the goal from the very beginning: make the code less horrible to get people involved and correct as much as possible.
So, yes, they will find more problems. They expect that.
Acetaminophen is illegal now??!! Please say it ain't so!!
I just read this study as an example of how people are completely disconnected from their own inner life and addicted to constant stimulation. Seriously, an electric shock instead of enjoying a little bit of peace and quiet and a chance to gather yourself? What kind of total lack of self-control is that?
There's no Berlin Wall in America.
I think you didn't get the memo on the whole Berlin Wall metaphor.
Your poor attempt at sarcasm betrays (a) an oversensitivity to criticism of your country, and (b) a complete misunderstanding of the issue at hand. There is no Berlin Wall because there is no escaping the NSA. They are spying on the entire world. You can move to Mexico - that makes you a suspect. You can move to Canada - that makes you a suspect. If you even talk to someone who may know someone who may have been in contact with a suspect, you will be caught in the dragnet.
Everyone is fair game, everyone is a potential target. Everyone will be spied on, because terrorists! 9/11! Dirty bomb! Mushroom clouds! They hate our freedom!
I suspect YOU did not get THAT memo. Or maybe you are of the "I did not do anything wrong - so I have nothing to hide and nothing to fear from Big Brother" persuasion? Hmmm?
By the way, why are you reading Slashdot, citizen? Do you have your permit for that? And why talk to this terrorist suspect or that one?
The rest of your comment is more of the same drivel, so I will not even dignify it with a response.
Programmers do it bit by bit.