Bugtraq mailing list archives

Re: Tempfile vulnerabilities


From: marc () GIMP ORG (Marc Lehmann)
Date: Wed, 9 Feb 2000 00:27:43 +0100


/dev/random -- a world readable device -- should do the following:

    cat /dev/random > /dev/null &

Crypto software which uses those devices should be doing some kind of
checking to make sure that they are getting at least good entropy.  I

On Linux at least, the above is at most a denial of service attack, as
/dev/random does not deliver any data when it runs out of entropy (and
programs usually are prepared to wait for data on those devices for some
time).

On Linux/x86, moving my mouse generates >400 bytes/s random data (this is
currently specific to x86), and if two processes listen on /dev/random,
both get about half the random data, so it seems that there isn't even a
denial of service attack here.

--
      -----==-                                             |
      ----==-- _                                           |
      ---==---(_)__  __ ____  __       Marc Lehmann      +--
      --==---/ / _ \/ // /\ \/ /       pcg () opengroup org |e|
      -=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
    The choice of a GNU generation                       |
                                                         |
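
A consumer-side way to keep the stall discussed in this message bounded, as an added example that is not part of the original post: read from the device with an overall deadline and treat a short result as failure instead of waiting forever. `read_entropy_deadline` is a hypothetical helper name, and the descriptor is assumed to be `/dev/random` opened read-only (any pollable descriptor behaves the same way).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

/* Current time on the monotonic clock, in milliseconds. */
static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/*
 * Hypothetical helper: read up to `want` bytes from fd, waiting at most
 * timeout_ms in total. Returns the number of bytes read (short on timeout
 * or EOF) or -1 on error. A caller that gets fewer than `want` bytes must
 * fail closed and never fall back to a weaker source.
 */
ssize_t read_entropy_deadline(int fd, unsigned char *buf, size_t want, int timeout_ms)
{
    size_t got = 0;
    long long deadline = now_ms() + timeout_ms;

    while (got < want) {
        long long left = deadline - now_ms();
        if (left <= 0)
            break;                      /* deadline passed */

        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int rc = poll(&pfd, 1, (int)left);
        if (rc < 0 && errno == EINTR)
            continue;                   /* interrupted: recompute time left */
        if (rc < 0)
            return -1;
        if (rc == 0)
            break;                      /* nothing arrived before the deadline */

        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0 && (errno == EINTR || errno == EAGAIN))
            continue;                   /* another reader took the data first */
        if (n < 0)
            return -1;
        if (n == 0)
            break;                      /* EOF */
        got += (size_t)n;
    }
    return (ssize_t)got;
}
```

The `EAGAIN` branch matters when several processes read the same device: `poll` can report data that a competing reader consumes before this process calls `read` on a non-blocking descriptor.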


