Nmap Announce mailing list archives
Re: 2.06
From: Fyodor <fyodor () dhp com>
Date: Tue, 9 Feb 1999 03:27:49 -0500 (EST)
On Mon, 8 Feb 1999, //Stany wrote:
> Oh, and BTW: Switch to new /dev/urandom or /dev/random as the default source of entropy causes a warning upon start-up, as Solaris lacks that (seems to be true for both SunOS 5.6 and 5.7). It might be worth-while to implement OS detection at compile time, and #ifdef Solaris, then transparently switch back to the old source of entropy as the default.
The loud warning messages at startup are intentional. They serve several purposes:

1) Lets people know of potential security risks from using the workarounds for missing snprintf() or /dev/{u}random. While I don't know of any offhand, I write code assuming that snprintf() and get_random_bytes() work.

2) If by some compilation problem or other mistake the workaround to snprintf() or /dev/random gets used, I want the user to know immediately. Otherwise a user is _very_ unlikely to figure out the insecure snprintf() and random number generation are being used.

3) Perhaps a developer at Sun (some of whom are on this list) might realize the importance of kernel-level random number generation and put it in.

4) Perhaps someone on the list will get sick of the annoying message and code/find a better replacement for snprintf or /dev/random. I would be delighted to accept one -- but make sure it is well tested and portable.

Cheers,
Fyodor

--
Fyodor 'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.insecure.org/nmap/
"Girls are different from hacking. You can't just brute force them if all else fails." --SKiMo, quoted in _Underground_ (good book)
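The pattern discussed in this message, as an added example that is not part of the original post and is not nmap's code: prefer the kernel random device and, when none can be read, say so loudly on stderr before using a predictable generator. The names `fill_random`, `read_device` and `default_sources` are hypothetical, and the `rand()` fallback is only a stand-in for "the old source of entropy".

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Kernel entropy devices, tried in order (NULL-terminated). */
const char *const default_sources[] = { "/dev/urandom", "/dev/random", NULL };

/* Read exactly len bytes from path; 0 on success, -1 otherwise. */
static int read_device(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    size_t got = 0;
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0)
            break;                      /* error or unexpected EOF */
        got += (size_t)n;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Returns 0 if a kernel device filled buf, 1 if the weak fallback did. */
int fill_random(const char *const *sources, unsigned char *buf, size_t len)
{
    static int warned = 0;
    size_t i;
    for (i = 0; sources[i] != NULL; i++)
        if (read_device(sources[i], buf, len) == 0)
            return 0;
    if (!warned) {                      /* loud, but only once per process */
        fprintf(stderr, "WARNING: no kernel random device could be read; "
                        "using a PREDICTABLE fallback generator\n");
        srand((unsigned)time(NULL) ^ (unsigned)getpid());
        warned = 1;
    }
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);  /* not cryptographically secure */
    return 1;
}

int main(void)
{
    unsigned char key[16];
    int weak = fill_random(default_sources, key, sizeof key);
    printf("source: %s\n", weak ? "fallback (insecure)" : "kernel device");
    return 0;
}
```

Returning a distinct status for the fallback lets a caller refuse security-sensitive work instead of relying on the user noticing the message.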