Slashdot Mirror


Linux Servers' Entropy Pool Too Shallow, Compromising Security

The BBC reports that Black Hat presenters Bruce Potter and Sasha Woods described at this year's Black Hat Briefings a security flaw in Linux servers: too few events are feeding the entropy pool from which random numbers are drawn, which leaves the systems "more susceptible to well-known attacks."

Unfortunately, [Potter] said, the entropy of the data streams on Linux servers was often very low because the machines were not generating enough raw information for them. Also, he said, server security software did little to check whether a data stream had high or low entropy. These pools often ran dry, leaving encryption systems struggling to get good seeds for their random number generators, said Mr Potter. This might mean they were easier to guess and more susceptible to a brute force attack because seeds for new numbers were generated far less regularly than was recommended.

Update: 08/10 01:05 GMT by T: Please note that Sasha Woods' name was mis-reported as Sasha Moore; that's now been changed in the text above.
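A minimal way to check whether a byte stream has high or low entropy, the check the summary says server software rarely performs (added example, not from the talk or the article): the most-common-value min-entropy estimate from NIST SP 800-90B. The 6.0 bits/byte floor and the quiet-source sample are assumptions constructed for illustration; a high estimate only rules out grossly biased streams and does not prove a seed is unpredictable.

```python
import math
import os
from collections import Counter

Z_99 = 2.576  # z-score of the 99% upper confidence bound in SP 800-90B


def mcv_min_entropy(sample: bytes) -> float:
    """Most-common-value min-entropy estimate, in bits per byte (0 to 8)."""
    n = len(sample)
    if n < 2:
        raise ValueError("need at least 2 bytes to estimate entropy")
    # Observed frequency of the single most common byte value.
    p_hat = Counter(sample).most_common(1)[0][1] / n
    # Pessimistic (upper) bound on that value's true probability.
    p_upper = min(1.0, p_hat + Z_99 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return max(0.0, -math.log2(p_upper))


def classify(sample: bytes, floor_bits: float = 6.0) -> str:
    """Label a stream 'low' when its estimate is under floor_bits per byte.

    floor_bits is an assumed threshold for this example, not a standard value.
    """
    return "low" if mcv_min_entropy(sample) < floor_bits else "ok"


# Constructed sample: a source that emits the same byte most of the time,
# standing in for a quiet server that sees few distinct input events.
QUIET_SOURCE = b"\x00" * 900 + bytes(range(100))

if __name__ == "__main__":
    streams = (("os.urandom", os.urandom(65536)), ("quiet source", QUIET_SOURCE))
    for name, data in streams:
        bits = mcv_min_entropy(data)
        print(f"{name:12s} {bits:5.2f} bits/byte -> {classify(data)}")
```

Because of the confidence bound, even a perfect source scores somewhat below 8 bits/byte at this sample size, so the floor has to sit well under 8.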

5 of 111 comments

  1. Random by Anonymous Coward · · Score: 5, Funny

    So a random number walks into a bar. The barman says, "I was expecting you."

  2. cat videos for entropy by Anonymous Coward · · Score: 5, Funny

    Server rooms could have cameras filming cats to generate more entropy from.

    1. Re: cat videos for entropy by Sponge Bath · · Score: 3, Funny

      Film Schrödinger's cat. Until someone watches the film the seed will exist in a superposition of states.

  3. Re: For once, Potter or so by Ukab the Great · · Score: 4, Funny

    Two points for Gryffindor

  4. We've Been Complaining About That For Years by Greyfox · · Score: 5, Funny

    There's just no more entropy, man! Entropy isn't what it used to be!

    But I have a solution! A good solution! A GREAT solution! Behold! Yes, a banana! As we all know, bananas are radioactive! So all we need to do is attach a particle detector to our computer and put a bunch of bananas right on top! Boom! Bananarand! You'll just need to remember to change your bananas out every so often as their half-life is very short. After about a week your bananas will decay into fruit fly particles (I'm not a nuclear scientist, I just play one on TV.)

    All right fine, if you don't want to use a banana, United Nuclear has some lovely uranium samples for sale at the moment. Pretty sure you get on a list if you actually order one. Possibly if you click on that link. The radioactive Fiestaware they're selling would probably also work. While you're there, check out their selection of EXTREMELY DANGEROUS MAGNETS!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?