Subject: Re: Tempfile vulnerabilities
From: Marc Lehmann (marc GIMP.ORG)
Date: Tue Feb 08 2000 - 17:27:43 CST
- In reply to: antirez: "Re: Tempfile vulnerabilities"
- Next in thread: Horst von Brand: "Re: Tempfile vulnerabilities"
- Reply: Marc Lehmann: "Re: Tempfile vulnerabilities"
> > /dev/random -- a world readable device -- should do the following:
> >
> > cat /dev/random > /dev/null &
> >
> > Crypto software which uses those devices should be doing some kind of
> > checking to make sure that they are getting at least good entropy. I

On Linux at least, the above is at most a denial of service attack, as
/dev/random does not deliver any data when it runs out of entropy (and
programs usually are prepared to wait for data on that device for some
time).

On Linux/x86, moving my mouse generates >400 bytes/s of random data (this is
currently specific to x86), and if two processes listen on /dev/random,
both get about half the random data, so it seems that there isn't even a
denial of service attack here.
--
-----==- |
----==-- _ |
---==---(_)__ __ ____ __ Marc Lehmann +--
--==---/ / _ \/ // /\ \/ / pcg opengroup.org |e|
-=====/_/_//_/\_,_/ /_/\_\ XX11-RIPE --+
The choice of a GNU generation |
|
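One way a program can bound its wait on a blocking entropy device such as /dev/random and fail closed when the device is drained, shown as an added example that is not part of the original message. The function names, the 2-second timeout and the pipe standing in for a starved device are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
/* Read up to `want` bytes from a source that may block, waiting at most
 * `timeout_ms` in total. Returns bytes obtained (may be < want), -1 on error. */
ssize_t read_with_deadline(int fd, unsigned char *buf, size_t want, int timeout_ms) {
    size_t got = 0;
    long deadline = now_ms() + timeout_ms;
    while (got < want) {
        long left = deadline - now_ms();
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, left > 0 ? (int)left : 0);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) break;                 /* deadline passed, source starved */
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) { if (errno == EINTR || errno == EAGAIN) continue; return -1; }
        if (n == 0) break;                 /* EOF */
        got += (size_t)n;                  /* short reads are normal: keep going */
    }
    return (ssize_t)got;
}
/* Constructed stand-in for a drained device: a pipe holding only `avail` bytes. */
ssize_t demo_pipe(size_t avail, size_t want, int timeout_ms) {
    int p[2];
    unsigned char src[64] = {0}, dst[64];
    if (avail > sizeof src || want > sizeof dst || pipe(p) != 0) return -1;
    if (avail && write(p[1], src, avail) != (ssize_t)avail) return -1;
    ssize_t n = read_with_deadline(p[0], dst, want, timeout_ms);
    close(p[0]); close(p[1]);
    return n;
}

int main(void) {
    unsigned char key[16];
    int fd = open("/dev/random", O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }
    ssize_t n = read_with_deadline(fd, key, sizeof key, 2000);
    printf("%zd of %zu bytes\n", n, sizeof key);
    return n == (ssize_t)sizeof key ? 0 : 1;   /* short count: fail, never pad */
}
```

A caller that receives fewer bytes than requested should report the failure rather than fill the remainder from a weaker source.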