Adam Shostack (adam@homeport.org)
Thu, 16 Jul 1998 02:46:24 -0400 (EDT)
While you're theoretically correct, Bram, in practice if I have a
shell account on your machine, you're very likely hosed. If you never
have, check out web sites like rootshell.com or insecure.org.
Everything you need to become a security consultant. :)
Adam
bram wrote:
| On Wed, 15 Jul 1998, Bill Frantz wrote:
|
| > Of course, if you assume that your attacker has hacked your machine, you're
| > toast. There is nothing you can do.
|
| Just because someone's hacked some kind of access doesn't mean they have
| root access - if there are system calls for addSeed() and getRandom() it
| would make sense for them to both be available to processes with very low
| access levels. Also, with RNGs specifically, there's the issue of hacking
| the hardware, which is independent of hacking the software.
|
| -Bram
|
-- "It is seldom that liberty of any kind is lost all at once." -Hume