Linux RNG Fail, Facebook Fake Clear, SQL Concurrency

grarpamp grarpamp at gmail.com
Sun May 6 22:32:32 PDT 2018


On Sun, May 6, 2018 at 9:18 PM, CANNON <cannon at cannon-ciota.info> wrote:
> What are the details of Linux RNG Fail?

https://bugs.chromium.org/p/project-zero/issues/detail?id=1559
Which takes you to a pile of commits on kernel.org.
There is also CVE-2018-1108.

> Does this mean that PGP keys generated on a linux system years ago are pwned?

Most of the recent RNG bugs seem to have been
bootup and blocking issues. The further back, the more
bugs might apply, including RNG choices themselves.

> How can I test my key?

Maybe search for some weak pgp key test tools.
But 'years ago' says 'test for what' exactly.

Just migrate to new key, quit using the old key.
Make a new one, on a current OS release, after
the box has been on and used for a few hours.

Then figure if a compromise still matters.
Analyzing that could be hard / time consuming / expensive / private.

> And assuming the OS is still intact exactly the way it was when key was generated, how can this be checked if affected?

Find its exact kernel commit / version, then search
the entire commit history since then for stuff like

rng
random number generator
/dev/random
/dev/urandom

and see what it says. See what the OS vendor update
notes say. Same for gnupg and any other parts of
the whole stack.

Better to just stay up to date, revoke keys on a schedule,
and defend in depth.

Without use case, no one can help much.
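
The commit-history search described in the message above, as an added example that is not part of the original post. It assumes a local clone of the kernel tree with release tags; the function names are hypothetical, and only the four search terms come from the message.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes a local git clone of
# the kernel tree; function names here are hypothetical.

# Search terms listed in the message, lowercase, separated by "|".
RNG_TERMS='rng|random number generator|/dev/random|/dev/urandom'

# filter_rng_log: stdin is a stream of commit records separated by the ASCII
# record separator (0x1e); each record is "hash<TAB>subject<NL>body".
# Prints "hash<TAB>subject" for every commit whose subject or body mentions
# one of the terms, case-insensitively.
filter_rng_log() {
    awk -v terms="$RNG_TERMS" '
        BEGIN { RS = "\036"; n = split(terms, t, "|") }
        {
            sub(/^\n+/, "")                # git ends each record with a newline
            if ($0 == "") next
            msg = tolower($0)
            for (i = 1; i <= n; i++)
                if (index(msg, t[i])) {
                    split($0, line, "\n")  # line[1] is "hash<TAB>subject"
                    print line[1]
                    break
                }
        }'
}

# rng_commits_since REPO TAG: every commit after TAG (the tag matching the
# kernel version the key was generated under) that mentions an RNG term.
rng_commits_since() {
    git -C "$1" log --format='%h%x09%s%n%b%x1e' "$2..HEAD" | filter_rng_log
}

# Usage (placeholders, fill in your own values):
#   rng_commits_since <path-to-kernel-clone> <tag-of-key-generation-kernel>
```

The output is a starting list to read through, not a verdict: a commit can change RNG behaviour without using any of these words, so the vendor update notes still need checking.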


