/explore

Click through on any links that interest you or select the planets on the right to continue exploring the Outer Web.
You are here

www.2uo.de
| | freedom-to-tinker.com
3.9 parsecs away

Travel
| | You may have seen the preprint posted today by Lenstra et al. about entropy problems in public keys. Zakir Durumeric, Eric Wustrow, Alex Halderman, and I have been waiting to talk about some similar results. We will be publishing a full paper after the relevant manufacturers have been notified. Meanwhile, we'd like to give a more complete explanation of what's really going on. We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able ...
| | www.thomas-huehn.com
0.0 parsecs away

Travel
| | [AI summary] The article discusses the use of /dev/random and /dev/urandom in Linux systems for generating random numbers. It highlights that /dev/urandom is generally preferred over /dev/random due to its non-blocking nature and sufficient cryptographic security. The article also addresses misconceptions in the man pages and emphasizes that /dev/urandom is safe for most applications, including cryptographic uses, as long as the initial seeding is done properly. It mentions that while /dev/random is considered a legacy interface, it's not always necessary, and modern Linux distributions and syscalls like getrandom(2) provide better alternatives.
| | blog.cryptographyengineering.com
3.5 parsecs away

Travel
| | In today's news of the weird, RSA (a division of EMC) hasrecommendedthat developers desist fromusingthe (allegedly) 'backdoored' Dual_EC_DRBG random number generator -- which happens to be thedefault in RSA's BSafe cryptographic toolkit. Youch. In case you're missing the story here, Dual_EC_DRBG (which I wrote about yesterday) is the random number generator voted most likely to...
| | pboyd.io
27.1 parsecs away

Travel
| Here's a fun list to look through: Dumb Password Rules. Most of the rules seem arbitrary, like only allowing digits, but some hint at deeper problems. For instance, preventing single-quotes. They aren't inserting passwords into a database without a SQL placeholder, right? Nearly every site on that list has a needlessly short maximum password size. If they're storing passwords correctly, there's no need for this. This post will go through a few bad ways to store a password and you can see what I mean....