Comments
This thread was so predictable.
Nope, not really. Or, more precisely, yes, you are right IF the data are random. Often, however, they are not. DJB in fact did clearly (and reasonably) state that a simple counter is acceptable for a nonce. Which directly leads us to the kind of problems I mentioned with endianness, cast integer arrays passed in as char arrays, etc. And then it can easily happen that the relevant 4 bytes - i.e. the counter for 4 billion packets - get truncated while the static bytes (changing only slowly and after 4 billion packets) are used as - de facto almost never changing - nonce ... and BANG.
There are other problems too, for example that many PRNGs are themselves just 32 bits and/or work on a state whose size is not divisible by 12; I don't want to get too technical; suffice it to know that actually used PRNGs can be cans of worms themselves.
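The truncation scenario the post above describes, as an added example that is not part of the thread or of any library mentioned in it: a caller keeps its 96-bit ChaCha20 (RFC 8439 layout) nonce as an array of 32-bit words with the per-packet counter in the last word, casts the array to a byte buffer, and hands it to an API that only consumes 12 bytes. The counter word is silently dropped and every packet is encrypted under the same nonce. The function names, the static words and the packet counts are constructed for illustration; the reuse check at the end is the kind of assertion a test suite should run against its own nonce generator.

```python
"""Nonce-truncation pitfall: counter stored outside the 12 bytes the cipher reads."""
import struct
from collections import Counter

NONCE_BYTES = 12  # IETF ChaCha20 (RFC 8439) nonce length
# Constructed per-session constants standing in for the "static bytes" of the post.
STATIC_WORDS = (0x11111111, 0x22222222, 0x33333333)


def words_as_bytes(words, endian="<"):
    """Serialize uint32 words the way a cast from uint32[] to char* would on a host
    of the given byte order ('<' little-endian, '>' big-endian)."""
    return struct.pack(f"{endian}{len(words)}I", *words)


def buggy_nonce(counter):
    """Hypothetical buggy caller: uint32 nonce[4] = {s0, s1, s2, counter} is cast to a
    byte buffer, but the cipher API only reads NONCE_BYTES of it. The only word that
    changes per packet is the one that gets cut off."""
    buf = words_as_bytes(STATIC_WORDS + (counter & 0xFFFFFFFF,))
    return buf[:NONCE_BYTES]


def correct_nonce(counter):
    """Counter placed inside the 12 bytes: 8 static bytes followed by a 4-byte
    little-endian counter. The key must be rotated before the 32-bit counter wraps
    (2**32 packets), as the post notes."""
    static = words_as_bytes(STATIC_WORDS[:2])
    return static + struct.pack("<I", counter & 0xFFFFFFFF)


def find_nonce_reuse(nonces):
    """Defensive check: return every nonce value that appears more than once."""
    return {n for n, count in Counter(nonces).items() if count > 1}


def distinct_nonce_count(build, n_packets):
    """How many distinct nonces a builder produces over n_packets consecutive packets."""
    return len({build(i) for i in range(n_packets)})


if __name__ == "__main__":
    n = 1000
    print("buggy  :", distinct_nonce_count(buggy_nonce, n), "distinct nonces for", n, "packets")
    print("correct:", distinct_nonce_count(correct_nonce, n), "distinct nonces for", n, "packets")
    print("reused :", find_nonce_reuse([buggy_nonce(i) for i in range(n)]))
```

Running the check over the generator's output, rather than trusting that "it's a counter, so it's unique", is what catches this class of bug: the buggy builder yields exactly one nonce for any number of packets, while the correct one yields one per packet until the counter wraps.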
I was hoping that it wouldn't be, but yeah.
Maybe I should apologize for bringing up and discussing this matter instead of writing "funny" one liners about poop or the end or potatoes.
Btw. your post wasn't exactly surprising either but granted we already had indicators for it coming.
Take this as a sign of good will
There should be a middle ground somewhere between these two extremes.
I won't take risk, I voted "debian!".
Excellent choice! https://schneier.com/blog/archives/2008/05/random_number_b.html
@All
My bad. I apologize. And I mean it. I seriously thought I'd do something good to bring that OpenSSL problem to our community's attention.
Obviously I was wrong and I don't hesitate to recognize and state that. Sorry, guys, won't happen again.
2008?
Since shitstemd it's risky and even before that.
https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/
What's the frame of reference here? A hypothetical human being who makes no errors? All I get from your posts @jsg is a projection that you're knowledgeable in the security space, a bit like a certain previously banned poster.
That seems to be the takeaway.
Nice talking theory, as others have implied; if you're capable of more than what the volunteers are doing, do feel free to do the deeds! Seems like you have the framework for making error-free code. Either you're a billionaire, a bad salesman or the main arbiter of Project Hard.
ChaCha20 is my favorite disco dance, so I am sincerely shocked and will now either switch to Lambada42 or DiscoFox23.
I recommend KungFu69.
Licking while kicking? Sounds worth a try!
I'm more annoyed by the use of f_cked. Just fucking spell it out, man! You're obviously an adult.
Your rant was very similar to rants from a friend of mine, who could criticize anything and everything. Problem is, when he sits down to solve these problems, he tends to understand the issues and complications a lot better.
Also, there's a difference between whining and complaining and people react differently to each.
I rant like this, too, when I come across preventable stupidity. Just need a Snickers and chill out and the anger goes away.
.ʍou 96 s,ʇı
So furious a response to a single security-related bug (which had mentioned commits that handle it, anyway)?
I suppose the rest of security-related applications you are using (all those GnuPG and others, tons of them) were working flawlessly until that moment, keeping you secure and calm, save this treacherous and unforgivable bug...
My condolences.