[124210] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: [ROS] The perils of security tools

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu May 22 11:34:21 2008

Date: Tue, 13 May 2008 18:35:24 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Ben Laurie <ben@links.org>
Cc: Robust Open Source <open-source@csl.sri.com>, Cryptography
 <cryptography@metzdowd.com>
In-Reply-To: <482A15E8.4020709@links.org>

On Tue, 13 May 2008 23:27:52 +0100
Ben Laurie <ben@links.org> wrote:

> >>> Ben: I haven't looked at the actual code in question -- are you
> >>> saying that the *only* way to add more entropy is via this pool of
> >>> uninitialized memory?
> >> No. That would be fantastically stupid.
> >>
> > So why are are the keys so guessable?  Or did they delete other
> > code?
> 
> "However, the Debian maintainers, instead of tracking down the source
> of the uninitialised memory instead chose to remove any possibility
> of adding memory to the pool at all."
> 
Ah -- you wrote "adding memory" rather than "adding entropy", which I
found ambiguous.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post