Slashdot Mirror


OpenBSD Will Not Fix PRNG Weakness

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places, like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too: Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees; Apple refused to provide any schedule for a fix; and OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."
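The security-relevant point of the story is why a predictable transaction ID matters: a DNS resolver accepts a reply only if its 16-bit ID matches the outstanding query, so an attacker who can forecast the next ID can forge a matching reply instead of guessing among 65536 values. The following is an added illustration, not code from the story, from Amit Klein's advisory or from any BSD; the weak generator is a hypothetical linear congruential generator (LCG) whose low 16 bits are handed out as IDs, chosen because truncating a power-of-two-modulus LCG to its low bits is a textbook way to end up with a fully predictable sequence, and it is not a reproduction of the OpenBSD PRNG. The class names, the `predict_next_txid` attacker model and the simulation are assumptions made for the example.

```python
"""Added example: predictable vs. unpredictable DNS transaction IDs.

Hypothetical weak generator for illustration only; NOT OpenBSD's PRNG.
"""
import secrets

TXID_BITS = 16
TXID_MASK = (1 << TXID_BITS) - 1  # DNS transaction IDs are 16 bits wide


class WeakTxidGenerator:
    """Hypothetical predictable generator: a 31-bit linear congruential
    generator whose low 16 bits become the DNS transaction ID.

    Because the modulus M is a power of two, the low 16 bits of the state
    evolve independently of the high bits, so every ID is a deterministic
    function of the previous ID alone."""

    A = 1103515245  # multiplier / increment: the classic ANSI C rand() values
    C = 12345
    M = 1 << 31

    def __init__(self, seed):
        self.state = seed % self.M

    def next_txid(self):
        self.state = (self.A * self.state + self.C) % self.M
        return self.state & TXID_MASK


class StrongTxidGenerator:
    """Hardened form: IDs drawn from the OS CSPRNG, so observing any number
    of past IDs tells the attacker nothing about the next one."""

    def next_txid(self):
        return secrets.randbits(TXID_BITS)


def predict_next_txid(observed_txid):
    """Attacker's model of the weak generator.

    Since M is a power of two, (A*s + C) mod M taken mod 2**16 depends only
    on s mod 2**16, and s mod 2**16 is exactly the ID just seen on the wire."""
    return (WeakTxidGenerator.A * observed_txid + WeakTxidGenerator.C) & TXID_MASK


def spoofing_attempt(generator, predictor, observed_queries=1):
    """Simulate one cache-poisoning attempt.

    The attacker observes `observed_queries` outgoing queries (for instance
    by getting the resolver to look up a name in a zone the attacker runs),
    forecasts the next ID, and sends a single forged reply carrying it.
    Returns True if that forged reply would match the resolver's next real
    query and so be accepted."""
    last_seen = None
    for _ in range(observed_queries):
        last_seen = generator.next_txid()
    forged_txid = predictor(last_seen)
    real_txid = generator.next_txid()  # the query the attacker wants to poison
    return forged_txid == real_txid


def success_rate(generator_factory, predictor, trials=1000):
    """Fraction of independent attempts in which the forged reply is accepted."""
    hits = sum(spoofing_attempt(generator_factory(), predictor) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    weak = success_rate(lambda: WeakTxidGenerator(secrets.randbits(31)), predict_next_txid)
    strong = success_rate(lambda: StrongTxidGenerator(), predict_next_txid)
    print(f"forged reply accepted: weak generator {weak:.3f}, CSPRNG {strong:.5f}")
```

With the weak generator one observed ID is enough for a 100% hit rate on the very next query; against the CSPRNG the same attacker is back to the blind 1/65536 chance per forged packet, which is the whole difference a random transaction ID is supposed to make.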

1 of 196 comments

  1. So much for high security by Eravnrekaree · Score: 0, Flamebait

    So much for OpenBSD being the highest security OS. Even if the bug is a minor one and does not pose a great risk, it seems that one should still fix it to ensure the system functions properly and as expected. To leave a security bug in place because of an assumption does not make a whole lot of sense and shows a bit of arrogance, when they could just fix it instead. It reminds me of the instance where Microsoft Windows 95 had the problem that even if the user had not explicitly made certain directories accessible via file sharing, all the server did was tell the client not to look at them, but would still let the client access them if it asked. The problem was reported to Microsoft by Samba, who pretty much displayed apathy about the matter and didn't seem to recognise it as a security problem. The OpenBSD bug is not as severe, but when they have a chance to make OpenBSD a little bit more secure, why not take it, especially when their focus is on security.