On Tue, May 26, 2015 at 9:50 PM, Simon wrote:
> [...]
>
> Except in specific cases, I do not think that programmers assume that PIDs
> are especially sequential or not, but merely rely on the hypothesis
> that:
>
> - PIDs are unguessable,
> - PIDs will not be reused quickly.
>
> And yes, it seems possible to fulfill these two properties by
> providing unguessable and not quickly reusable PIDs instead of purely
> random PIDs.

But not in 16 bits.

To a patient remote attacker, the difference between 2 minutes and 2
days is not significant.

64-bit PIDs, anyone? High 16 and low sixteen randomized and the middle
32 backwards sequential, just to really throw the unwary attacker off
the trail? ;-/

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.
