[124210] in cryptography@c2.net mail archive
Re: [ROS] The perils of security tools
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu May 22 11:34:21 2008
Date: Tue, 13 May 2008 18:35:24 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Ben Laurie <ben@links.org>
Cc: Robust Open Source <open-source@csl.sri.com>, Cryptography
<cryptography@metzdowd.com>
In-Reply-To: <482A15E8.4020709@links.org>
On Tue, 13 May 2008 23:27:52 +0100
Ben Laurie <ben@links.org> wrote:
> >>> Ben: I haven't looked at the actual code in question -- are you
> >>> saying that the *only* way to add more entropy is via this pool of
> >>> uninitialized memory?
> >> No. That would be fantastically stupid.
> >>
> > So why are are the keys so guessable? Or did they delete other
> > code?
>
> "However, the Debian maintainers, instead of tracking down the source
> of the uninitialised memory instead chose to remove any possibility
> of adding memory to the pool at all."
>
Ah -- you wrote "adding memory" rather than "adding entropy", which I
found ambiguous.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com