|
You are here |
www.2uo.de | ||
| | | | |
freedom-to-tinker.com
|
|
| | | | | You may have seen the preprint posted today by Lenstra et al. about entropy problems in public keys. Zakir Durumeric, Eric Wustrow, Alex Halderman, and I have been waiting to talk about some similar results. We will be publishing a full paper after the relevant manufacturers have been notified. Meanwhile, we'd like to give a more complete explanation of what's really going on. We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able ... | |
| | | | |
www.thomas-huehn.com
|
|
| | | | | [AI summary] The article discusses the use of /dev/random and /dev/urandom in Linux systems for generating random numbers. It highlights that /dev/urandom is generally preferred over /dev/random due to its non-blocking nature and sufficient cryptographic security. The article also addresses misconceptions in the man pages and emphasizes that /dev/urandom is safe for most applications, including cryptographic uses, as long as the initial seeding is done properly. It mentions that while /dev/random is considered a legacy interface, it's not always necessary, and modern Linux distributions and syscalls like getrandom(2) provide better alternatives. | |
| | | | |
blog.cryptographyengineering.com
|
|
| | | | | In today's news of the weird, RSA (a division of EMC) hasrecommendedthat developers desist fromusingthe (allegedly) 'backdoored' Dual_EC_DRBG random number generator -- which happens to be thedefault in RSA's BSafe cryptographic toolkit. Youch. In case you're missing the story here, Dual_EC_DRBG (which I wrote about yesterday) is the random number generator voted most likely to... | |
| | | | |
pboyd.io
|
|
| | | Here's a fun list to look through: Dumb Password Rules. Most of the rules seem arbitrary, like only allowing digits, but some hint at deeper problems. For instance, preventing single-quotes. They aren't inserting passwords into a database without a SQL placeholder, right? Nearly every site on that list has a needlessly short maximum password size. If they're storing passwords correctly, there's no need for this. This post will go through a few bad ways to store a password and you can see what I mean.... | ||