To those writing programming language benchmarks: Stop benchmarking rand(). You are hurting security by penalizing default CSPRNG use.
Using an algorithm that otherwise would yield a csPRNG would just waste time and give users a misleading expectation of cryptographic properties.
-
Actually, OpenBSD deviated from the standard a few years ago and yields a fairly robust random generator by default. Why? Because people are idiots, so they will use rand() for... whatever, and hash-based random generators are fairly fast and secure anyway.
-
Yes, I'm aware of this. It's utterly wrong and unjustifiable. Auditing for programs misusing rand() is trivial to automate without breaking valid programs.
-
Where's your automation? Still waiting for it. How come there are still, literally, THOUSANDS of open-source software out there with lots of trivial security holes that nobody is fixing? I, for one, am EAGERLY awaiting your work to fix that.
-
readelf | grep rand. There are NOT thousands of FOSS projects using rand where they need a csPRNG.
-
Right. You have all open-source programs compiled and greppable on your machine. I did not say THOUSANDS of FOSS using rand. I said THOUSANDS of trivial security holes. Not all of them are related to rand. I'm talking about scaling. Any individual check is basically trivial.
-
... but still, there are THOUSANDS of open-source projects that fail those basic security checks. Explain that away, if it's such a simple problem to solve. At least we are taking steps. Yep, even when it flies in the face of ISO, which is, frankly, not that helpful.
-
This looks so much like the strlcpy all over again. Just because 1% of coders know how to handle strings safely without strlcpy does NOT mean tweaking things for the 99% is not a good idea.
-
Adding a useless function is a non-breaking change. Not comparable to breaking an existing one.