Slashdot Mirror


OpenBSD Will Not Fix PRNG Weakness

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too: Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees, Apple refused to provide any schedule for a fix, but OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."
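The story turns on whether a resolver's DNS transaction IDs can be predicted from the ones already seen. The following is an added example, not code from the Slashdot submission, from Amit Klein's advisory, or from any BSD tree, and it does not model the OpenBSD generator at all. It shows the black-box sanity check a resolver operator can run on a capture of their own transaction IDs: lag-1 serial correlation, the share of steps that share one dominant delta, and the number of distinct values against the birthday-bound expectation. The sample sequences (a strided counter, a 64-value cycle, and a seeded `random.Random` standing in for a proper CSPRNG) are constructed for the demonstration; the thresholds in `assess` are assumptions chosen for samples of a couple of thousand IDs.

```python
"""Black-box predictability checks for a sample of 16-bit DNS transaction IDs.

Added example (not from the Slashdot story or any BSD source). It does not
reproduce the OpenBSD generator; it demonstrates simple statistical tests a
resolver operator can apply to captured IDs to spot sequential or low-state
output before relying on the IDs for spoofing resistance.
"""
import random
from collections import Counter
from statistics import mean

ID_SPACE = 1 << 16  # DNS transaction IDs are 16-bit values


def serial_correlation(ids):
    """Lag-1 correlation between consecutive IDs (near 0 for independent draws,
    near +/-1 when each ID is close to a linear function of the previous one)."""
    if len(ids) < 3:
        return 0.0
    xs, ys = ids[:-1], ids[1:]
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 1.0  # constant sequence: trivially predictable
    return cov / (vx * vy) ** 0.5


def dominant_delta_fraction(ids):
    """Fraction of consecutive steps equal to the most common step (mod 2^16).
    A counter uses one delta for every step; uniform IDs spread deltas thinly."""
    if len(ids) < 2:
        return 0.0
    deltas = Counter((b - a) % ID_SPACE for a, b in zip(ids, ids[1:]))
    return deltas.most_common(1)[0][1] / (len(ids) - 1)


def distinct_ratio(ids):
    """Observed distinct IDs divided by the number expected from uniform draws
    (birthday bound). Well below 1 means the generator has too little state."""
    n = len(ids)
    expected = ID_SPACE * (1 - (1 - 1 / ID_SPACE) ** n)
    return len(set(ids)) / expected


def assess(ids, corr_limit=0.1, delta_limit=0.05, distinct_floor=0.8):
    """Return the three metrics plus a verdict. Thresholds are assumptions
    suited to samples of roughly 1000-5000 IDs; tune them for other sizes."""
    report = {
        "serial_correlation": serial_correlation(ids),
        "dominant_delta_fraction": dominant_delta_fraction(ids),
        "distinct_ratio": distinct_ratio(ids),
    }
    report["predictable"] = (
        abs(report["serial_correlation"]) > corr_limit
        or report["dominant_delta_fraction"] > delta_limit
        or report["distinct_ratio"] < distinct_floor
    )
    return report


# Constructed samples (not captured from any real resolver).
SAMPLE_SIZE = 2000
# A counter with stride 7: every step has the same delta.
SEQUENTIAL_IDS = [(1000 + 7 * i) % ID_SPACE for i in range(SAMPLE_SIZE)]
# A generator with only 64 states, replayed in a fixed order: deltas vary,
# but the distinct-count check exposes it.
_cycle = random.Random(7).sample(range(ID_SPACE), 64)
SMALL_STATE_IDS = [_cycle[i % 64] for i in range(SAMPLE_SIZE)]
# Seeded PRNG as a reproducible stand-in for a CSPRNG (use secrets in practice).
_rng = random.Random(2024)
GOOD_IDS = [_rng.randrange(ID_SPACE) for _ in range(SAMPLE_SIZE)]


if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL_IDS),
                      ("small-state", SMALL_STATE_IDS),
                      ("good", GOOD_IDS)):
        r = assess(ids)
        print(f"{name:12s} corr={r['serial_correlation']:+.3f} "
              f"delta={r['dominant_delta_fraction']:.3f} "
              f"distinct={r['distinct_ratio']:.3f} "
              f"predictable={r['predictable']}")
```

These tests only flag gross defects (counters, tiny state, strong linear correlation); a generator can pass all three and still be predictable to someone who knows its algorithm, which is the class of weakness the advisory is about. They are a cheap first screen, not a proof of unpredictability.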

3 of 196 comments

  1. Alternative submission by Anonymous Coward · Score: -1, Troll

    Here's my alternative restatement of the submission:

    "Last fall Amit Klein found a problem with PRNG that is completely irrelevant in the real world.

    The same flavor of this PRNG is used in other places like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem. OpenBSD decided not to fix it. Apple refused to provide any schedule for a fix.

    However, Amit Klein continues to claim that it is a serious weakness. This was highlighted recently when Amit Klein posted to the BugTraq list. All the above-mentioned vendors were contacted in November 2007."

  2. OpenBSD is Dying by Anonymous Coward · Score: -1, Troll

    It is now official. Netcraft confirms: *BSD is dying

    One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

    You don't need to be the Amazing Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

    FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

    Let's keep to the facts and look at the numbers.

    OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

    All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

    Fact: *BSD is dying

  3. Re:Uh what ... yeah by RedK · Score: 0, Troll

    Apple are free to release their putative fix to the community, or not - their free choice. That's one more freedom, relative to being obliged to release any changes they make which lead to a binary release outside of Apple, which the GPL would oblige.

    There are plenty of folk who see that as a feature not a flaw. Your view of the freedom offered by the GPL is flawed, my little BSD troll. How you managed to get that high of a score on your post shows how many of the little devils have moderation points today.

    The GPL isn't about developer freedom, it's about the code's freedom. No matter who decides to pick up and distribute a fork of your project, your users are always sure the source will remain open if the corporate entity decides that it no longer wants to distribute its forks. Hence, they are assured that the modifications done over time are always available and can be included in the main tree of your project if need be.

    There are plenty of folk who see that as a feature, not a flaw.
    --
    "Not to mention all the idiots who use words like boxen."
    Anonymous Coward on Monday August 04, @06:49PM