Using an algorithm that otherwise would yield a csPRNG would just waste time and give users a misleading expectation of cryptographic properties.
Actually, OpenBSD deviated from the standard a few years ago and yields a fairly robust random generator by default. Why? Because people are idiots, so they will use rand() for... whatever, and hash-based random generators are fairly fast and secure anyway.
Yes, I'm aware of this. It's utterly wrong and unjustifiable. Auditing for programs misusing rand() is trivial to automate without breaking valid programs.
Where's your automation? Still waiting for it. How come there are still, literally THOUSANDS of opensource software out there with lots of trivial security holes that nobody is fixing? I, for one, am EAGERLY awaiting your work to fix that.
readelf | grep rand. There are NOT thousands of FOSS projects using rand where they need a csPRNG.
Right. You have all opensource programs compiled and greppable on your machine. I did not say THOUSANDS of FOSS using rand. I said THOUSANDS of trivial security holes. Not all of them are related to rand. I'm talking about scaling. Any individual check is basically trivial.
Replying to @espie_openbsd @RichFelker and
... but still, there are THOUSANDS of opensource projects that fail those basic security checks. Explain that away, if it's such a simple problem to solve. At least, we are taking steps. Yep, even when it flies in the face of ISO, which is frankly, not that helpful.
Replying to @espie_openbsd @RichFelker and
For instance, how much time did it take ISO to *finally* deprecate gets? How come there still ISN'T any flag in fopen to give us some modicum of control on creating/overwriting files? At least POSIX reacts, sometimes, and they finally took mktemp out, for instance.
Again breaking valid programs. Now you have to roll your own mktemp for non-regular-files (e.g. fifos).
You're still talking 1% valid use vs 99% bugs. Usage of mktemp for non-file paths is best left to creating stuff in a separate directory after mkdtemp, btw. This works just fine and is reasonably idiot-proof.
Yes, in many cases that's a better solution.
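The pattern from the last exchange, creating a non-regular file (here a FIFO) inside a directory made by mkdtemp instead of naming it with mktemp, shown as an added example that is not part of the thread. The function names, the "fifo-demo." prefix and the "ctl" file name are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a FIFO inside a fresh private directory made by mkdtemp().
 * Returns 0 on success, -1 on failure with errno set. */
int make_private_fifo(char *dir_out, size_t dir_len, char *fifo_out, size_t fifo_len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    /* "fifo-demo." and "ctl" are names constructed for this example. */
    int n = snprintf(dir_out, dir_len, "%s/fifo-demo.XXXXXX", base);
    if (n < 0 || (size_t)n >= dir_len) { errno = ENAMETOOLONG; return -1; }
    /* mkdtemp picks the name and creates the directory in one step, owner-only,
     * so nobody else can plant a file or symlink under the name chosen next. */
    if (mkdtemp(dir_out) == NULL)
        return -1;
    n = snprintf(fifo_out, fifo_len, "%s/ctl", dir_out);
    if (n < 0 || (size_t)n >= fifo_len) { rmdir(dir_out); errno = ENAMETOOLONG; return -1; }
    /* A fixed, predictable name is fine here: the parent directory is ours alone. */
    if (mkfifo(fifo_out, 0600) != 0) {
        int saved = errno;
        rmdir(dir_out);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Remove the FIFO and then its directory. Returns 0 on success. */
int remove_private_fifo(const char *dir, const char *fifo)
{
    if (unlink(fifo) != 0) return -1;
    return rmdir(dir);
}

int main(void)
{
    char dir[PATH_MAX], fifo[PATH_MAX];
    if (make_private_fifo(dir, sizeof dir, fifo, sizeof fifo) != 0) { perror("make_private_fifo"); return 1; }
    printf("fifo at %s\n", fifo);
    return remove_private_fifo(dir, fifo) != 0;
}
```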