I would like to get the point of view of the developers related to the PRNG issue which was discovered last year.
Back then OpenBSD developers said OpenBSD is not affected, but now I read a Slashdot article which links to information which says the total opposite.

http://it.slashdot.org/it/08/02/10/0136236.shtml

leads to:

http://readlist.com/lists/securityfocus.com/bugtraq/4/22004.html

So could somebody finally tell me what the status of it is? And please no "oBSD rocks" or "OpenBSD sucks" or "We're l33t and unbreakable ubercoders" talk. I think the information provided is pretty "omg" and bad PR too :-/

"OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world."

So I would be happy about a technical explanation of why so many (even BSD projects) think it's a problem but OpenBSD does not.

Another "omg" comment:

"Interestingly enough, OpenBSD uses a flavor of this PRNG for another field, this time the IP fragmentation ID, part of the OpenBSD kernel network stack. The analysis carries out quite similarly to show that OpenBSD's IP ID is predictable as well, which gives way to O/S fingerprinting, idle-scanning, host alias detection, traffic analysis, and in some cases, even to TCP blind data injection."

That doesn't sound like "Theory" but like a PoC which lies around somewhere....

Sebastian

p.s. I hate registrations (even if I may have used fake data) so: http://www.trusteer.com/docs/DNS_Poisoning_paper.pdf