the Daily Irrelevant

Amazon wishlist
May 2008

M T W T F S S

« Apr Jun »

1 2 3 4

5 6 7 8 9 10 11

12 13 14 15 16 17 18

19 20 21 22 23 24 25

26 27 28 29 30 31
Recent Comments
- Maarten on BT silences customers over Phorm And so the discussion will move to other forums, where BT is less able to share it's side of the argument. Not so smart.
- John Sinteur on Remember the photoshopped missile photos from Iran? different does the background make? The background, none at all. But here's the interesting question: in the future, can you trust a picture from the US Army? How do you know the next picture isn't doctored as well?
- Mudak on Remember the photoshopped missile photos from Iran? Maybe it's me, but what different does the background make? Specifically, I don't understand: 1. Why the Army felt it necessary to give the photo the flag background, or 2. Why it's a controversy that it was done That said, I wonder if this could legally be considered flag desecration, since the legal definition of a flag includes reasonable and recognizable facsimiles of the flag, and, therefore, by cropping the image of the flag, it was tantamount to taking a knife to the real thing.
- Sue W on Fuck the Pain Away, sung by Miss Piggy perezhilton haha! brilliant...thanks for finding this!
- John Sinteur on Minnesota Senate Recount: Challenged ballots: You be the judge John, as for 1), have you seen the other samples? Not all of them are this clear. As for 2) and 3), yes, indeed.
- John Sinteur on Big Three CEOs Flew Private Jets to Plead for Public Funds The daily show had footage of the hearing where the execs where asked to raise their hands if they were prepared to give up their planes. None did. Very funny...
- Mudak on Minnesota Senate Recount: Challenged ballots: You be the judge Whatever else is true, Minnesota law would count this as a vote for Franken, even if they did it wrong. One very important thing we shouldn't overlook is that the Republican Party tried all sorts of dirty tricks to convince potential Democratic voters either not to vote or to vote incorrectly, so it may not be purely voter stupidity. In Philadelphia, they were passing out brochures that said that, due to anticipated high turnout, Republicans should vote on Tuesday and Democrats should vote on Wednesday. *shrug*
- John on Minnesota Senate Recount: Challenged ballots: You be the judge Well, three ways to look at this one I think: 1. It is pretty clear where the intention was since the machine's optical registration box was circled next to just one candidate. 2. This is a failure of the user interface. I read a similar discussion about web forms that are too strict about how user entered data is formatted. This form's interface, requiring the voter to fill in a small oval to cast their vote us clearly too strict. 3. This is being used as a mechanism to disqualify voters who are either too stupid to follow instructions, or too lazy to read them. I'd say count the vote, and fix the user interface to be simpler and more tolerant of human impreciseness!
- Maarten on Big Three CEOs Flew Private Jets to Plead for Public Funds Aw c'mon, they'll soon have dumped four of the seven planes they leased until recently. Now that's sacrifice.
- Roland Hesz on Yugo, 1953-2008 Yes, that's what I read too, so far Neelie Kroes holds out on it. I hope she can thwart the "oh, fuck capitalism, we are LOOSING!" movement.
- Roland Hesz on Converting Dead Mormons into Homosexuals It is hilarious. What the Mormons declare is "Hey, God is Powerless!" and the Jews and Catholics who reacted with such a panic they did send the clear message "God is Powerless!". How hilarious.
- John Sinteur on Yugo, 1953-2008 you may want to time-stamp that comment, that zero may change to EUR 50b any second now. News: 1, 2, 3.
- Roland Hesz on Yugo, 1953-2008 So far the EU is sending 0EUR to help car manufacturers. It is still debated whether it's needed or not, however Germany stated that they will help Opel. But Germany is not the EU. That's the current status of the car bailout in Europe.
- John Sinteur on Big Three CEOs Flew Private Jets to Plead for Public Funds Here are current CEO compensation numbers. Ballmer makes about 1.2mil, I guess Bill Gates made a similar amount.
- John Sinteur on Yugo, 1953-2008 Have you seen how much money Europe is sending to struggling car manufacturers, including subsidiaries of GM?
Syndication
Spam Blocked

28,263 spam comments

blocked by
Akismet
Last 100 visits are from:
Domains for sale:
- niet.com
- younited.nl

Debian OpenSSL Predictable PRNG Toys

On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. The bug in question was caused by the removal of the following line of code from md_rand.c
	MD_Update(&m,buf,j);
	[ .. ]
	MD_Update(&m,buf,j); /* purify complains */
These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code that was linked to OpenSSL. You can see one such report to the OpenSSL team here. Removing this code has the side effect of crippling the seeding process for the OpenSSL PRNG. Instead of mixing in random data for the initial seed, the only “random” value that was used was the current process ID. On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations.

This is what seperates a decent developer from a great one. A decent developer looks at the warnings his tools produce and fixes the code to remove the warnings, a great develeoper looks at the warnings his tools produce and deeply understands when not to fix them.

This entry was posted on Saturday, May 17th, 2008 at 8:42 and is filed under Software. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

One Response to “Debian OpenSSL Predictable PRNG Toys”

Paul van Asseldonk Says:
May 17th, 2008 at 9:09
see also here.

Recent Comments

Syndication

Spam Blocked

Last 100 visits are from:

Domains for sale:

Debian OpenSSL Predictable PRNG Toys

One Response to “Debian OpenSSL Predictable PRNG Toys”