FreeBSD-Current Random Number Generator Broken

First time accepted submitter bobo the hobo writesThe FreeBSD random number has been discovered to be generating possibly predictable SSH keys and SSL certificates for months. Time to regenerate your keys and certs if using FreeBSD-Current. A message to the freebsd-current mailing list reads in part: "If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. read_random(9) is used by arc4random(9) which is the primary method that arc4random(3) is seeded from."

Is FreeBSD dying?

Netcraft Confirms FreeBSD is dying

Re:Is FreeBSD dying?

[FatdogHaiku]

Netcraft Confirms FreeBSD is dying

Facebook is too confusing!
Don't you have a Twitter link to share?

Cui bono?

I discovered an issue where the new framework code was not calling randomdev_init_reader

So who was responsible for introducing that change? Let's smoke out the mole.

Re:Cui bono?

[MrBingoBoingo]

This. So much this. When these regressions happen there are people behind them. The great value of a Linus or a Theo is shaming this people out the door. At least this was caught in -Current and not -Stable. This incident appears to be at least as much a social engineering attack as a code quality issue.

Bug

Bug fixed in bleeding-edge codebase. News at 11.

Re:Bug

No reason to fuck with the RNG.
This is another fix like in Debian, or systemd.
Intentional security compromise disguised as an "oops"

Re:But FreeBSD is perfect!

I've heard the same things said. However, and I don't say this in jest, that while no security in any OS is perfect, OpenBSD comes the closest due to their audits. Hence, out of the BSDs I do use and endorse, it's OpenBSD.

Some dislike Theo, but he's intensely good at running a tight ship, and since 1999 when I first started using OpenBSD for security-based boxes, I've never had an issue.

Newbish question here..

[wbr1]

Wouldn't it make more sense to patch the kernel to make the correct function calls then update to a kernel with more changes that may not be tested/stable for a given usage scenario?

Re:Newbish question here..

I presume that the bug is only present in the CURRENT branch. CURRENT is usually a an ongoing non-release branch.

Re:Newbish question here..

FreeBSD-current is the bleeding edge testing version, so if that's a concern (such as a production system), you should be on FreeBSD-RELEASE

Re:Newbish question here..

[bsdasym]

No, you should be on -STABLE or at least RELENG_? if you only want security fixes. -RELEASE is just that, the release version, no updates.

Re:Newbish question here..

[DarkHelmet433]

The bug was in the unreleased FreeBSD-11 work-in-progress developer tree.

If you are running an actual release, or one of the stable branches, you are not affected.

The main cause for concern is if you are generating keys in some form on the developer tree.

Re:Newbish question here..

Oh, let's see!
$ uname -a ...9.3-RELEASE-p9...

And you were saying?

Re:Newbish question here..

[wbr1]

Not having used and BSD for much, I did not know the conventions. Thanks for the clarification!

Re:Newbish question here..

[fisted]

No, and who mods this "Informative"?
Both -CURRENT and -STABLE are development branches.

-RELEASE is meant for production and of course gets supplied with security relevant fixes (then referred to as patchlevels).

But yes, please go on educating people about things you don't know jack about.

Re:Newbish question here..

Stable is stable, but you can always check the source out at a bad time. Granted since they switched revision control systems that's much less likely, but stable doesn't get the testing necessary to guarantee that it's going to be properly secure and stable at any point along the line.

Re:Newbish question here..

what bsdasym said:

No, you should be on -STABLE or at least RELENG_? if you only want security fixes. -RELEASE is just that, the release version, no updates.

what fisted said:

-RELEASE is meant for production [freebsd.org] and of course gets supplied with security relevant fixes (then referred to as patchlevels).

There is a distinction between:

- release a.b
- RELENG_ (release a.b + security fixes)

But yes, please go on educating people about things you don't know jack about.

Actually, you are incorrect.

Each update to a security branch is called a “patchlevel”. For every security enhancement that is done, the patchlevel number is increased, making it easy for people tracking the branch to see what security enhancements they have implemented. In cases where there have been especially serious security flaws, an entire new release can be made from a security branch. An example of this is 4.6.2-RELEASE.

In other words, "an entire new release can be made from a security branch" only happens for "especially seirous security flaws" and hence if you only follow -RELEASE and not -RELENG you will NOT get all security relevant fixes in a timely manner.

If you don't care about "in a timely manner" then yes, you can just track -RELEASE and eventually get all the fixes.

Re:Newbish question here..

Wouldn't it make more sense to patch the kernel to make the correct function calls then update to a kernel with more changes that may not be tested/stable for a given usage scenario?

Yes, but -CURRENT is "bleeding edge" anyways...

so "revisions 12345-12355 are buggy, pull later revisions as workaround" is not uncommon for -CURRENT or -STABLE issues.

I assume "patch the kernel" you mean source code + recompile a new kernel, not "binary patch" (live system or not) ...

The fact this was found in -CURRENT before it hit elsewhere is a good thing.

Re:But FreeBSD is perfect!

since 1999 when I first started using OpenBSD for security-based boxes, I've never had an issue.

That you know about.

I guess this is a problem

According to many people on this site almost every Linux user have now switched to FreeBSD because of Systemd.

Re:I guess this is a problem

Out of the frying pan, into another frying pan.

Re: I guess this is a problem

But the first frying pan comes with systemd and burns everything you try to cook with it.

There are/may be worse problems with -current

[mi]

The -current is not a release — it is the trunk of the development tree. Using for anything important — such as data, that may be worthwhile enough for your enemies to hack for — is silly. Far worse bugs may exist in -current — or be introduced at any point.

Stick to releases — or one of the -stable branches — for anything, that's not about working on FreeBSD itself.

Non-news.... Bug is in CURRENT not STABLE

[tomxor]

Bleeding edge software has bugs?? what

Re:Non-news.... Bug is in CURRENT not STABLE

[bobo+the+hobo]

Bleeding edge software has bugs?? what

Many people run CURRENT, so if they put their pubkeys on servers they could possibly be guessable. Try reading the article next time.

Re:Non-news.... Bug is in CURRENT not STABLE

What!!! you don't regen keys everyday OMFG, what is the world coming to, AHHHHHHHHHHHHHHHHHHHHHH!

Re:Non-news.... Bug is in CURRENT not STABLE

Many people run CURRENT, so if they put their pubkeys on servers they could possibly be guessable. Try reading the article next time.

The people who run CURRENT should know that it is unsafe. I don't see a complete retard being able to install FreeBSD CURRENT so those "many" have most likely decided that the relevant keys aren't important and probably stores all their important data on a more secure box.

Re:Non-news.... Bug is in CURRENT not STABLE

[bobo+the+hobo]

What!!! you don't regen keys everyday OMFG, what is the world coming to, AHHHHHHHHHHHHHHHHHHHHHH!

It's been a problem for months, I'm sure some people have generated keys in that time. Are you trolling?

Re:Non-news.... Bug is in CURRENT not STABLE

What article... did you even follow the link? don't talk shit, current is essentially beta, lots of people run beta, but you don't use it for production... BSD specifically tells you this when using current.

Re:Non-news.... Bug is in CURRENT not STABLE

[tomxor]

Bleeding edge software has bugs?? what

Many people run CURRENT, so if they put their pubkeys on servers they could possibly be guessable. Try reading the article next time.

Yes they do, yes they could, no it's not news, it's on the current branch... In true BSD style i'm going to say RTFM: https://www.freebsd.org/doc/en... Current is not intended for production, end of.

Re:Non-news.... Bug is in CURRENT not STABLE

[bobo+the+hobo]

I'm not saying it's running on production. I'm saying the keys made by people running current are.

Re:Non-news.... Bug is in CURRENT not STABLE

[bobo+the+hobo]

What article... did you even follow the link? don't talk shit, current is essentially beta, lots of people run beta, but you don't use it for production... BSD specifically tells you this when using current.

Yeah I submitted the article. I'm not saying it's running on production. I'm saying the keys made by people running current are.

Re:Non-news.... Bug is in CURRENT not STABLE

[ShanghaiBill]

current is essentially beta, lots of people run beta

Actually, current is alpha. Release candidates are beta. "Beta" means it is done, except for testing, and, while there may be bug fixes, there will be no new features. That is not what "current" is. It is under active development.

Re:Non-news.... Bug is in CURRENT not STABLE

this is the same AC again, once a satellite is in space that's it, i guess the keys are all pre generated, one for each day/week, also, to further randomize, put them in a box and shake it, select one every day/week, if the paper slip gets lost one day then those who lost have a new temporary home until its found,

so yes someone spends lots of time creating random keys everyday, and a batch are checked for randomness

Re:Non-news.... Bug is in CURRENT not STABLE

Well then, you are a ignorant fool. Everybody using FreeBSD should know CURRENT is the development (alpha) code line. Running alpha code means following the development mailing lists and keeping up with SCM submissions. If you run that in a non-development environment you need to find another career, maybe basket weaving is more appropriate for your intelligence level.

There have been lots of broken things in CURRENT, including filesystems. If you base anything on that code, such as build filesystems or generate keys, and carry that forward into a production system, you are a fool. We don't do this in a professional software development process; systems are wiped and we start fresh.

This article is click bait on Slasddot, since this site is Linux centric and most people don't have a clue about FreeBSD development.

Re:Non-news.... Bug is in CURRENT not STABLE

And people running current are only doing so to develop or test for FreeBSD security should not be a massive issue for those installations.

How many years...

...before the NSA hooks are all discovered and corrected in the Linux community.

Man, what shills.

Re:How many years...

What great clam! Such oyster!

RE:Random Number Generator Broken

All of these problems will be solved when systemd integrates Rand

Why is someone fiddling with rand number gen?

Really? Was it broken? Did someone want to add "more randomness"? Why would anyone be messing around with this code? Has the random number generator been flawed for years? It bears further scrutiny.

Re:Why is someone fiddling with rand number gen?

[Improv]

It'd be more interesting to ask how this passed code review. Expecting code to remain static out of a fear of touching it is unreasonable. Expecting a solid code review process, by contrast, is very reasonable.

Re:Why is someone fiddling with rand number gen?

It clearly didn't pass a code review, your point is what?

Re:Why is someone fiddling with rand number gen?

The code actually get reviewed, but, it is a lot of code, and there are very few people qualified to review it. One of those is the one that found this bug (sadly, during a post commit review, rather than the pre-commit review)

Re:Why is someone fiddling with rand number gen?

The changes were to make the RNG system pluggable, to support a future upgrade from the no-longer-support-by-Bruce-Schniere 'Yarrow', to the latest-and-greatest-from-Bruce-Schniere 'Fortuna'

Re:Why is someone fiddling with rand number gen?

Any code review worthy of the name happens before the code is committed. The problem has been there for months so either it wasn't reviewed when it was committed or the reviewer missed it.

Re:Why is someone fiddling with rand number gen?

[gweihir]

This is a developer-snapshot, not any release quality one. As some developers are running bleeding-edge kernels, it is right to notify them, but no normal users are affected.

The question why this code was touched is a valid one though, as is the question who touched it.

Re:Why is someone fiddling with rand number gen?

[gweihir]

It did not. This is a developer snapshot.

Re:But FreeBSD is perfect!

[EmeraldBot]

FreeBSD is the new Linux. Full of religious fan boys who act like it was written by God. This old tired line of "Linux is immune to security issues" is now more commonly used with FreeBSD (by idiots).

You know who started the original BSD? This guy did. He also created the original vi editor, was the creator of the modern day TCP/IP stack, and had a huge hand in the creation of Java. What, praytell, have you done?

That explains hearthstone!

Why do I get both my 7 mana-cost cards on my first two draws?

Why does the best card in my hand always wind up being the card that gets discarded on random discards?

Why is the board-clear that I need always at position 30 in the draw pile?

It is because they built their server backend on FreeBSD!

It is all so clear now.

Re:That explains hearthstone!

[idontgno]

"Coming to terms with variance" == "learning to accept that the RNG Gods hate you"

Re:That explains hearthstone!

[ultranova]

RNG Gods hate you

Just make an offering of entropy and they'll be unpredictable again.

How bad was the bug?

[Nonesuch]

This seems like an odd bug to have happen, how bad were the effects? Just 'weaker' randomness, or without randomdev_init_reader do the random routines just return the same series of pseudorandom digits every time?

Also, obligatory Dilbert reference

Re:How bad was the bug?

[danlip]

obligatory XKCD reference

Re:But FreeBSD is perfect!

[Yomers]

I just checked on openbsd.org, and I loved the FAQ section!
4.13 - Common installation problems
4.13.1 - My Compaq only recognizes 16M RAM
4.13.2 - My i386 won't boot after install ...

"Random"

[sexconker]

When blackboxed, even "return 5" is indistinguishable from a true random number generator.
People want noisy numbers, not random numbers. Which is a good thing, because a true random number generator will never exist.

Re:"Random"

A true random number generator not only can exist, it does exist.

When Intel introduced the RdRand instruction, people completely freaked out. Maybe they're right to be paranoid, but it never made sense to me that you can trust the rest of the chip, but not that one instruction. If Intel (or any chip manufacturer) is determined to put in back doors, there's not much anyone can do about it, and this is probably not the best way to do it anyway.

Linux uses it, together with other sources of entropy, but FreeBSD decided to not use it at all:

Linus Torvalds dismissed concerns about the use of RdRand in the Linux kernel, and pointed out that it is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RdRand with other sources of randomness.

Developers changed the FreeBSD kernel away from using RdRand and VIA PadLock directly with the comment "For [FreeBSD] 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random. It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more"

Re:"Random"

Ooops. I think I read that wrong. FreeBSD apparently does use it if it's available, but also combines it with other sources like Linux does.

Re:But FreeBSD is perfect!

[oneeyed2]

...while no security in any OS is perfect, OpenBSD comes the closest due to their audits.

Or maybe, just maybe... The more obscure the OS the less bugs are discovered.

Not saying OpenBSD security policy and practices isn't a good thing, but it might be less of a factor than its low market share (Security through minority).

But it doesn't have SystemD

[Billly+Gates]

So who cares??

Re:But it doesn't have SystemD

That's all fine and well, but how does Lennart's cock taste? Please tell us!

Re:But it doesn't have SystemD

It tastes like whoosh.

An OS RNG?

[TechyImmigrant]

Why would you expect the OS to solve your random number problem for you? It's software. It has no means to know what platform it is really running on and no means to understand the min-entropy of any input it sees. It is the wrong thing in the wrong place and it cannot 'guarantee' secure random numbers unless it gets guarantees of min-entropy sources from the hardware it runs on and uses it correctly.

If you hardware doesn't offer a hardware RNG with specific claims for min-entropy or computational bounds on the adversary, find a new vendor, because there isn't any software that's going to solve it for you.

Re: An OS RNG?

waaaay off base. hardware is far more difficult to audit (tools that cost hundreds of thousands) vs software. openbsd does things right here. they use hardware as an additional (but not the only) source of entropy.

Re:An OS RNG?

[spauldo]

/dev/random has been part of UNIX for ages. It's part of the system, and expected to be there. The kernel developers take it seriously, because most UNIX software that needs random numbers uses it.

If you don't trust it, that's fine, but pretty much all UNIX software uses it - and UNIX runs the 'net. Certificates are generated using it. If you want to avoid it, install Windows and unplug your internet connection.

Re:An OS RNG?

[Bengie]

The OS is responsible for being a reliable source of trusted entropy. There are many ways to create strong pseudo-random numbers, some are faster than others, but all can be strong. Random numbers are a complex issue that should be implemented once and implemented well. Doing random in user land is a horrible idea and has been a reoccurring issue over the years. You also run the issue that software may not get upgraded, but the OS can. Single point of responsibility and all that jazz.

Kind of like how it is recommended not to implement your own version of TCP and let the OS handle it. Could you imagine if random software implemented their own network stacks?

Re:An OS RNG?

[TechyImmigrant]

>The OS is responsible for being a reliable source of trusted entropy.

Yet it cannot possibly be that. The OS has no entropy. It is not a source of entropy. Physical processes are sources of entropy. The OS might be able to demultiplex a source of physical entropy to share it out amongst multiple processes, but as has happened time and time again, we've seen operating systems fail to do exactly that because the OS has no knowledge of whether it's inputs are entropic, and when they are not, you get data that is highly correlated between systems.

The whole set up, where we think the OS will solve a problem it cannot solve in the general case, is brittle and fails frequently. A user land program, invoked by a user, is in no better or worse situation when it comes to doing the right thing, except that the user can run code that is particular to the environment, whereas the OS is necessarily written to work on all platforms, including fully synchronous embedded platforms with zero entropy until the ethernet is up.

Re:An OS RNG?

[TechyImmigrant]

/dev/random blocks on most unix derived operating systems unless you go to some measures to feed the kernel with a continuous supply of data claiming to be entropic.

Certificates generated with software that trusts /dev/[u]random is what led us to the "Mining your Ps and Qs" problem. Google it if you aren't familiar.

Even if you have a good source of entropy on your platform, the odds are high that neither the OS nor RNGd will use it. On some popular Linux distributions I've used, RNGd fails silently at boot. You have to go and check if you need it to be there. I have a massive bloody linux server farm at my corporation and not one of them has RNGd running and /dev/random blocks after a few bytes. I assume this is normal. It is a symptom of the messed up model we have where we trust software that is not in a position to do what we ask of it.

Re: An OS RNG?

[TechyImmigrant]

waaaay off base. hardware is far more difficult to audit (tools that cost hundreds of thousands) vs software. openbsd does things right here. they use hardware as an additional (but not the only) source of entropy.

Hardware, or more accurately, the physical world is the only source of entropy. Software is incapable of making entropy. It is deterministic. It can run entropy extraction algorithms to turn entropic data from physical sourced into uniform, cryptographically secure random numbers, but the entropy out of an extractor is strictly less than or equal to the entropy in. So software cannot itself be a source of entropy.

This isn't an issue of off-base/on-base. It's an issue of fact.

Re:An OS RNG?

You have it backwards. The kernel is the _only_ component that can acquire entropy from the hardware, whether dedicated hardware generators (e.g. Broadcom hardware RNGs), or via more suspect entropy "collection" (disk seek latency, microphone, etc). The exceptions are newer CPU instructions which can be used directly from user-land processes.

Once upon a time it was common to run processes like egd (entropy gathering daemon) which would query the system state (not unlike `ps auxw | sha1`), but of course it was a software only solution and suffered from precisely the problems you describe. It all but disappeared with the advent of /dev/random.

Re:An OS RNG?

And yet, on many systems running many different operating systems, the OS is able to do precisely that: provide a reliable source of entropy. This is of course because many channels which only the operating system can watch do contain a lot of entropy and the operating system is able to mix the data up to create a nice random number, better than applications can. An implementation bug in a non-release version of FreeBSD does not disprove that. Furthermore, it is a given that in modern times random numbers are necessary and functionality that is needed by a lot of different applications should be provided by the OS. Even if what you said were true, saying ‘just shove it down to userspace’ doesn't solve the problem; you should be pushing for better RNGs in OSs instead.

Re:An OS RNG?

[TechyImmigrant]

>And yet, on many systems running many different operating systems, the OS is able to do precisely that:

You should be concerned about the situations where it doesn't work, which are probably in the majority of Linux deployments. The people taking advantage of low entropy crypto systems don't just focus on the ones that work.

FreeBSD isn't doing the 'wrong' thing. It's doing all it can in a bad situation. However my application code can know where to go look for well defined sources of entropy and use it appropriately. We have the math on extractor theory. We have the math on secure PRNGs. The algorithms are easy. The sourcing of the entropy is the problem to solve and OSs demonstrably do it in a way that doesn't work on a wide spectrum of deployments.

>you should be pushing for better RNGs in OSs instead.

No. I'm pushing for better RNGs in hardware, which I can reasonably claim to have done something about.

Re:An OS RNG?

[TechyImmigrant]

>whether dedicated hardware generators

Those would be the ones that cell phone chip companies buy from IP providers right? Like this one..
http://www.discretix.com/accel...

Go look at the the picture. It's a ring oscillator that is sub sampled, to turn the accumulated phase noise of the RO into random bits. The process introduces serial correlation. This is normal.

Then it goes into a "Von-Neumann" whitener. This is a bias correction algorithm. Put in biased bits, get out unbiased bits. Lovely, it doesn't say anything about auto-correlation. The link to the Von Neumann paper is broken, but the Yuval Peres paper is just as illuminating. I quote..

1. Introduction. A source produces independent biased random bits {x_sub_i}^n,i=1 with p = Pr[x_sub_i = 0] ne 1/2, q = Pr[x_sub_i = 1].

So the Von Neumann balancer and the iterated Yuval Peres version have undefined properties for dependent inputs. They require independent inputs. But that isn't what the circuit is generating. They're most definitely auto-correlated.

However I've done the test and I can confirm that a VN whitener will make the result worse. not better when you put auto-correlated data into it.

This is how most of the published IP designs work. They are all wrong by design. /dev/random isn't magic. It needs its input to be entropic. Synchronous embedded systems regularly don't meet this requirement. PCs regularly don't meet this requirement early in the boot cycle.

Good RNGs exist. I've designed a few. Others have designed many. But bad RNGs and naive kernel code outnumbers the good ones.

   

Re:An OS RNG?

[TechyImmigrant]

>The exceptions are newer CPU instructions which can be used directly from user-land processes.

I may have an unusual level of familiarity with those.

Re:An OS RNG?

[Bengie]

where we think the OS will solve a problem it cannot solve in the general case, is brittle and fails frequently

If your OS is so bad that you don't trust it's entropy, then STOP using that OS. If you can't, then sucks to be you, it's a crap OS and the programmers should die in a fire.

Re:An OS RNG?

[Bengie]

No one trusts hardware anymore. It can be used to mix with the entropy pool, but it should never be used directly.

Re:An OS RNG?

[spauldo]

Sure, you've got good points about failures in /dev/random. Surprise, there have been problems - just like there's been problems with pretty much all code everywhere at some time.

But what exactly do you expect kernel developers to do? /dev/random exists, and a lot of stuff uses it. It's expected to be there. Kernel developers (especially BSD developers, who tend to view UNIX much more conservatively than Linux developers) are going to make sure that the service is available and as bug-free as possible. You might not like /dev/random, but it's not going to go away any time soon.

I don't use Linux for anything important (I'm a BSD guy these days - Linux is for desktops in my opinion), so I don't know what to tell you about rngd. I have noticed that a lot of "system" level stuff seems to be on the backburner compared to nifty convenience features. If you need a working rngd, it's up to you to find a working configuration and push it to your servers. Treat it like ntpd or any other service that requires site-specific configuration. I do know that I would expect something like random number generation to be working flawlessly in BSD, but Linux today... I can't say I'm surprised.

Re:An OS RNG?

[TechyImmigrant]

The entropy is coming from nothing but hardware. Your software is running on the hardware. You typed in that post using hardware. If you don't trust the hardware, why do you think an entropy pool implemented in software will save you?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Living in a state of sin

[Beeftopia]

"Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin." -- John von Neumann

Alternate strategy...

[damn_registrars]

Just don't use keys for remote ssh logins. I know, keys are supposed to be all that any more. But based on my experience fending off billions of script kiddy attempts from my home system, it appears they aren't worth the effort and may even be counter productive.

I say this because my home server faces the world and allows anyone who wants to, to make an attempt to login via ssh on port 22. You may say this is completely insane, but my logs suggest it isn't that bad. The overwhelming majority of all attempts on my system attempt to come straight in as root. As everyone knows, you can very easily disable root login in your sshd.conf file which leaves the person on the other end completely incapable of knowing whether or not they ever got your root password right as the response is the same.

The end result is they make their 10,000+ attempts in a couple hours, then leave and never come back. They might take a few parting shots at other well known account names but they won't get in that way either.

Re:Alternate strategy...

[fisted]

my home server [runs public facing sshd] on port 22. You may say this is completely insane.

Gasp. How extremely uncommon.

Just don't use keys for remote ssh logins.

What? Why?

But based on my experience [...] it appears they [...] may even be counter productive.

And that is why exactly? None of your post explains that or seems to have anything to do with key-based login at all.

As everyone knows, you can very easily disable root login in your sshd.conf file which leaves the person on the other end completely incapable of knowing whether or not they ever got your root password right as the response is the same.

As happens when key-based logins are used. Your point being?

Re:Alternate strategy...

[ColaMan]

Sweet Jesus, at least install Fail2Ban and block an IP for 24 hours after 3 failed attempts.

Re:Alternate strategy...

I prefer sshguard. Way faster and simpler to use.

The good thing about BSD.

[NemoinSpace]

You have to really want BSD on your computer for it to stay there, so it's in no danger of suffering from Linux's fate. Linux started out similarly, but slowly got dumbed down to the point where any corporation could get away with using it as a cheap (as in beer) alternative.
I'm not trying to offer a lame excuse for BSD, but BSD will recover from this in short order. Linux will never regain its roots as a nuts and bolts OS and it will never shed its Communist roots of forced misappropriation of copyright. Linux, quite honestly, is badly aged wine that has turned to vinegar.

Re:The good thing about BSD.

> Communist roots of forced misappropriation of copyright.

Dear Nemoinspace,

Kindly explain.

Many thanks.

Cordially,

Anonymous Coward

Re:The good thing about BSD.

Agree.

Linux has jumped a few sharks

(And the latest is called systemd)
(And before that Debian RNG debacle)
Debian is compromised and is not to be trusted.
This was just tried with freebsd now, caught though.

Re:Random Number Generator Broken

[dbIII]

All of these problems will be solved when systemd integrates Rand

That seems like a perfectly sensible step on their way to world domination.
http://en.wikipedia.org/wiki/R...

Re:But FreeBSD is perfect!

It's funny how the more things change, the more they stay the same...

4.13.6 - I have no floppy or CD-ROM on my machine

Re: But FreeBSD is perfect!

not at all.

with a security box you have additional tools which detect a breach.
not having an issue doesn't mean someone else didn't find a bug
it means the system stayed clean and wasn't infected.

I keep a few windows boxes around just to see what the exploits are that are being deployed to them.

never ever mold what I fnd to my own uses. honest.

Field day

[ZorkZero]

I have never seen a bunch of Linux users get so excited over a bug in a development branch before.

Re:Random Number Generator Broken

[gweihir]

What, it has not done that yet?

This is a DEVDELOPER SNAPSHOT

[gweihir]

As apparently nobody bothered to find out, this is a bleeding-edge developer snapshot, not anything that was in any way "released", hence no normal users are affected.

I do have two questions though:
1. Why was that code touched in the first place?
2. Who touched that code and broke it?

It may be simple incompetence (it usually is), but it may also be a mole in the FreeBSD project. It should be ascertained that the person that did this did so in good faith. Still, some level of shaming is required even then to make people pay attention when they touch security-critical code and keep their fingers off it unless they have the required level of skill and understanding and there is actually a real need to touch that code.

Re:This is a DEVDELOPER SNAPSHOT

There was fear after the snowden leaks about crypto and what can be trusted in FreeBSD. Several people started tinkering with it because they didn't trust Intel's hardware anymore.

I doubt it was intentional, just a mistake. Very few people should actually touch random number generator code because one has to understand it well to confirm it's safe. That requires proving it's correctness.

Re:This is a DEVDELOPER SNAPSHOT

[gweihir]

Well, that is a plausible explanation. And it was caught in time.

Re:This is a DEVDELOPER SNAPSHOT

[Celarent+Darii]

The "code was touched" in order to bring some new features in. Here is the commit for that branch to /dev/random r 273872

This is the much-discussed major upgrade to the random(4) device, known to you all as /dev/random.

This code has had an extensive rewrite and a good series of reviews, both by the author and other parties. This means a lot of code has been simplified. Pluggable structures for high-rate entropy generators are available, and it is most definitely not the case that /dev/random can be driven by only a hardware souce any more. This has been designed out of the device. Hardware sources are stirred into the CSPRNG (Yarrow, Fortuna) like any other entropy source. Pluggable modules may be written by third parties for additional sources.

The harvesting structures and consequently the locking have been simplified. Entropy harvesting is done in a more general way (the documentation for this will follow). There is some GREAT entropy to be had in the UMA allocator, but it is disabled for now as messing with that is likely to annoy many people.

The venerable (but effective) Yarrow algorithm, which is no longer supported by its authors now has an alternative, Fortuna. For now, Yarrow is retained as the default algorithm, but this may be changed using a kernel option. It is intended to make Fortuna the default algorithm for 11.0. Interested parties are encouraged to read ISBN 978-0-470-47424-2 "Cryptography Engineering" By Ferguson, Schneier and Kohno for Fortuna's gory details. Heck, read it anyway.

Many thanks to Arthur Mesh who did early grunt work, and who got caught in the crossfire rather more than he deserved to.

My thanks also to folks who helped me thresh this out on whiteboards and in the odd "Hallway track", or otherwise.

My Nomex pants are on. Let the feedback commence!

You can see the list of those who reviewed and commited the code in the link. They are all longtime contributors.

The problem was:

When the new random adaptor code was brought it in r273872, a call to
randomdev_init_reader to change read_random over to the newly installed
adaptor was missed. This means both read_random and arc4random (seeded
from read_random) were not returning very random data. This also
effects userland arc4random as it is seeded from kernel arc4random.

So there was a problem was that the new adaptor was not 'retro-fitted' to the existing code. A simple thing to miss - I've done this many times in refactoring code. The generated was getting new seeds from the old function and not the new one.

Re:This is a DEVDELOPER SNAPSHOT

[gweihir]

Excellent. This is a completely satisfactory explanation.

I still hope the people involved have learned to be extra careful with /dev/urandom, as it can break so very many things in ways that are not readily obvious. Unfortunately, problems with CPRNGs that break the security of applications and systems have a long history and people working on these need to be reminded time and again of that.

Anyways, thanks for the info!

Shhhhhhhh

[tomxor]

This guy is the low hanging fruit that keeps all those automated attacks from China from developing something more sophisticated :P Not that i'm suggesting security through obscurity is the only way or anything... just an extra line of Darwinian defence.

My D&D Characters all Wrong?!

[tmjva]

Do you mean to say that the tool behind the die roller for my D&D characters is all wrong?

I have to re-roll my characters all over again!