OpenBSD Will Not Fix PRNG Weakness

OpenBSD Will Not Fix PRNG Weakness 196

Posted by kdawson on Sunday February 10, 2008 @08:58AM from the random-acts-of-kndness dept.

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too; Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees, Apple refused to provide any schedule for a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."

OpenBSD Will Not Fix PRNG Weakness

This discussion has been archived. No new comments can be posted.

Search 196 Comments Log In/Create an Account

Comments Filter:

Re:Uh what (Score:5, Funny)

by fulldecent ( 598482 ) * writes: on Sunday February 10, 2008 @11:13AM (#22369716) Homepage

You cracked Marc's 128-bit encryption, but your Slashdot id is 263942. Doesn't add up.

Re:then exploit it (if you can) (Score:5, Funny)

by orgelspieler ( 865795 ) writes: <w0lfie@@@mac...com> on Sunday February 10, 2008 @12:06PM (#22370152) Journal

I wrote a program like that once. It kept on outputting 42.

Code excerpt for the curious... (Score:5, Funny)

by davidbrit2 ( 775091 ) writes: on Sunday February 10, 2008 @12:15PM (#22370206) Homepage

http://xkcd.com/221/ [xkcd.com] Oh hush, you knew somebody would post it.

Re:Uh what (Score:5, Funny)

by LizardKing ( 5245 ) writes: on Sunday February 10, 2008 @12:51PM (#22370468)

That's because he's so l33t he can pick a Slashdot id at random every time he posts.

Re:then exploit it (if you can) (Score:1, Funny)

by Anonymous Coward writes: on Sunday February 10, 2008 @01:21PM (#22370740)

So did I:

10 PRINT "42"
20 GOTO 10

Re:Uh what (Score:2, Funny)

by Anonymous Coward writes: on Sunday February 10, 2008 @05:12PM (#22372942)

They used to give accounts to anyone...

...and their standards have declined over time :)

Re:Uh what (Score:2, Funny)

by jirka ( 1164 ) writes: on Monday February 11, 2008 @09:23PM (#22386562) Homepage

I would be more impressed if he did not have any slashdot login. Having even read this discussion decreases his credibility.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

OpenBSD Will Not Fix PRNG Weakness 196

OpenBSD Will Not Fix PRNG Weakness More Login

OpenBSD Will Not Fix PRNG Weakness

Re:Uh what (Score:5, Funny)

Re:then exploit it (if you can) (Score:5, Funny)

Code excerpt for the curious... (Score:5, Funny)

Re:Uh what (Score:5, Funny)

Re:then exploit it (if you can) (Score:1, Funny)

Re:Uh what (Score:2, Funny)

Re:Uh what (Score:2, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot