On Wed, 2011-09-07 at 19:57 -0400, Neil Horman wrote:
> On Wed, Sep 07, 2011 at 04:56:49PM -0400, Steve Grubb wrote:
> > On Wednesday, September 07, 2011 04:37:57 PM Sasha Levin wrote:
> > > Anyway, it won't happen fast enough to actually not block.
> > >
> > > Writing 1TB of urandom into a disk
Jarod Wilson wrote:
> Ted Ts'o wrote:
>> Yeah, but there are userspace programs that depend on urandom not
>> blocking... so your proposed change would break them.
>> ...
> But only if you've set the sysctl to a non-zero value, ...
>
> But again, I want to stress that out of the box, there's ab
On Wed, Sep 07, 2011 at 04:56:49PM -0400, Steve Grubb wrote:
> On Wednesday, September 07, 2011 04:37:57 PM Sasha Levin wrote:
> > On Wed, 2011-09-07 at 16:30 -0400, Steve Grubb wrote:
> > > On Wednesday, September 07, 2011 04:23:13 PM Sasha Levin wrote:
> > > > On Wed, 2011-09-07 at 16:02 -0400, S
On Wed, 7 Sep 2011, Steve Grubb wrote:
> On Wednesday, September 07, 2011 05:35:18 PM Jarod Wilson wrote:
> > Another proposal that has been kicked around: a 3rd random chardev,
> > which implements this functionality, leaving urandom unscathed. Some
> > udev magic or a driver param could move/d
On Wednesday, September 07, 2011 05:35:18 PM Jarod Wilson wrote:
> Another proposal that has been kicked around: a 3rd random chardev,
> which implements this functionality, leaving urandom unscathed. Some
> udev magic or a driver param could move/disable/whatever urandom and put
> this alternat
On Wed, 2011-09-07 at 17:28 -0400, Steve Grubb wrote:
> On Wednesday, September 07, 2011 05:10:27 PM Sasha Levin wrote:
> > > > > > Something similar probably happens for getting junk on disks before
> > > > > > creating an encrypted filesystem on top of them.
> > > > >
> > > > > During system ins
On Wed, Sep 07, 2011 at 11:27:12PM +0200, Stephan Mueller wrote:
>
> And exactly that is the concern from organizations like BSI. Their
> cryptographer's concern is that due to the volume of data that you can
> extract from /dev/urandom, you may find cycles or patterns that increase
> the probabil
Sasha Levin wrote:
On Wed, 2011-09-07 at 16:56 -0400, Steve Grubb wrote:
On Wednesday, September 07, 2011 04:37:57 PM Sasha Levin wrote:
On Wed, 2011-09-07 at 16:30 -0400, Steve Grubb wrote:
On Wednesday, September 07, 2011 04:23:13 PM Sasha Levin wrote:
On Wed, 2011-09-07 at 16:02 -0400, Ste
On Wednesday, September 07, 2011 05:10:27 PM Sasha Levin wrote:
> > > > > Something similar probably happens for getting junk on disks before
> > > > > creating an encrypted filesystem on top of them.
> > > >
> > > > During system install, this sysctl is not likely to be applied.
> > >
> > > It m
On 07.09.2011 23:18:58, +0200, Ted Ts'o wrote:
Hi Ted,
> On Wed, Sep 07, 2011 at 04:02:24PM -0400, Steve Grubb wrote:
>>
>> When a system is under attack, do you really want to be using a PRNG
>> for anything like seeding openssl? Because a PRNG is what urandom
>> degrades into when it's attacked
On 09/07/2011 10:02 PM, Steve Grubb wrote:
When a system is under attack, do you really want to be using a PRNG
for anything like seeding openssl? Because a PRNG is what urandom
degrades into when it's attacked.
Using a PRNG is not a problem. Making sure it is well seeded and no
input from the a
On Wed, Sep 07, 2011 at 04:02:24PM -0400, Steve Grubb wrote:
>
> When a system is under attack, do you really want to be using a PRNG
> for anything like seeding openssl? Because a PRNG is what urandom
> degrades into when it's attacked.
This is not technically true. urandom degrades into a CRNG
On Wed, 2011-09-07 at 16:56 -0400, Steve Grubb wrote:
> On Wednesday, September 07, 2011 04:37:57 PM Sasha Levin wrote:
> > On Wed, 2011-09-07 at 16:30 -0400, Steve Grubb wrote:
> > > On Wednesday, September 07, 2011 04:23:13 PM Sasha Levin wrote:
> > > > On Wed, 2011-09-07 at 16:02 -0400, Steve Gr
On Wednesday, September 07, 2011 04:37:57 PM Sasha Levin wrote:
> On Wed, 2011-09-07 at 16:30 -0400, Steve Grubb wrote:
> > On Wednesday, September 07, 2011 04:23:13 PM Sasha Levin wrote:
> > > On Wed, 2011-09-07 at 16:02 -0400, Steve Grubb wrote:
> > > > On Wednesday, September 07, 2011 03:27:37 P
On Wednesday, September 07, 2011 04:33:05 PM Neil Horman wrote:
> On Wed, Sep 07, 2011 at 04:02:24PM -0400, Steve Grubb wrote:
> > On Wednesday, September 07, 2011 03:27:37 PM Ted Ts'o wrote:
> > > On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
> > > > We're looking for a generic sol
On Wed, 2011-09-07 at 16:30 -0400, Steve Grubb wrote:
> On Wednesday, September 07, 2011 04:23:13 PM Sasha Levin wrote:
> > On Wed, 2011-09-07 at 16:02 -0400, Steve Grubb wrote:
> > > On Wednesday, September 07, 2011 03:27:37 PM Ted Ts'o wrote:
> > > > On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jaro
On Wed, Sep 07, 2011 at 04:02:24PM -0400, Steve Grubb wrote:
> On Wednesday, September 07, 2011 03:27:37 PM Ted Ts'o wrote:
> > On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
> > > We're looking for a generic solution here that doesn't require
> > > re-educating every single piece of
On Wednesday, September 07, 2011 04:23:13 PM Sasha Levin wrote:
> On Wed, 2011-09-07 at 16:02 -0400, Steve Grubb wrote:
> > On Wednesday, September 07, 2011 03:27:37 PM Ted Ts'o wrote:
> > > On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
> > > > We're looking for a generic solution h
On Wed, 2011-09-07 at 16:02 -0400, Steve Grubb wrote:
> On Wednesday, September 07, 2011 03:27:37 PM Ted Ts'o wrote:
> > On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
> > > We're looking for a generic solution here that doesn't require
> > > re-educating every single piece of usersp
On Wednesday, September 07, 2011 03:27:37 PM Ted Ts'o wrote:
> On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
> > We're looking for a generic solution here that doesn't require
> > re-educating every single piece of userspace. And anything done in
> > userspace is going to be full of
Hello Dmitry,
Was there supposed to be part 1/3 for this patch set? At least I
didn't see it; also, it doesn't show in mailing list archives.
I also don't see it in mailing list archives at
http://marc.info/?l=linux-security-module&r=1&b=201109&w=2
Can you resend it?
-Sam
On Wed, 2011-09-07 at 15:30 -0400, Jarod Wilson wrote:
> Sasha Levin wrote:
> > On Wed, 2011-09-07 at 14:26 -0400, Jarod Wilson wrote:
> >> Sasha Levin wrote:
> >> [..] And anything done in
> >> userspace is going to be full of possible holes [..]
> >
> > Such as? Is there an example of a case whic
From: "Ted Ts'o"
Date: Wed, 7 Sep 2011 15:27:37 -0400
> On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
>> We're looking for a generic solution here that doesn't require
>> re-educating every single piece of userspace. And anything done in
>> userspace is going to be full of possibl
Ted Ts'o wrote:
On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
We're looking for a generic solution here that doesn't require
re-educating every single piece of userspace. And anything done in
userspace is going to be full of possible holes -- there needs to be
something in place
On Wed, Sep 07, 2011 at 10:05:30PM +0300, Sasha Levin wrote:
> On Wed, 2011-09-07 at 14:26 -0400, Jarod Wilson wrote:
> > Sasha Levin wrote:
> > > On Wed, 2011-09-07 at 13:38 -0400, Jarod Wilson wrote:
> > >> Certain security-related certifications and their respective review
> > >> bodies have sai
Sasha Levin wrote:
On Wed, 2011-09-07 at 14:26 -0400, Jarod Wilson wrote:
Sasha Levin wrote:
On Wed, 2011-09-07 at 13:38 -0400, Jarod Wilson wrote:
Certain security-related certifications and their respective review
bodies have said that they find use of /dev/urandom for certain
functions, suc
On Wed, Sep 07, 2011 at 02:26:35PM -0400, Jarod Wilson wrote:
> We're looking for a generic solution here that doesn't require
> re-educating every single piece of userspace. And anything done in
> userspace is going to be full of possible holes -- there needs to be
> something in place that actual
On Wed, 2011-09-07 at 14:26 -0400, Jarod Wilson wrote:
> Sasha Levin wrote:
> > On Wed, 2011-09-07 at 13:38 -0400, Jarod Wilson wrote:
> >> Certain security-related certifications and their respective review
> >> bodies have said that they find use of /dev/urandom for certain
> >> functions, such a
Sasha Levin wrote:
On Wed, 2011-09-07 at 13:38 -0400, Jarod Wilson wrote:
Certain security-related certifications and their respective review
bodies have said that they find use of /dev/urandom for certain
functions, such as setting up ssh connections, is acceptable, but if and
only if /dev/uran
On Wed, 2011-09-07 at 13:38 -0400, Jarod Wilson wrote:
> Certain security-related certifications and their respective review
> bodies have said that they find use of /dev/urandom for certain
> functions, such as setting up ssh connections, is acceptable, but if and
> only if /dev/urandom can block
Certain security-related certifications and their respective review
bodies have said that they find use of /dev/urandom for certain
functions, such as setting up ssh connections, is acceptable, but if and
only if /dev/urandom can block after a certain threshold of bytes have
been read from it with