Re: [Full-disclosure] Ubuntu: reseed(8), random.org, and HTTP request

2011-07-06 Thread coderman
On Tue, Jul 5, 2011 at 9:04 PM, Jeffrey Walton noloa...@gmail.com wrote:
> Ubuntu's reseed(8) can be used to seed the PRNG state of a host. The
> script is run when the package is installed, and anytime su executes the
> script.

... someone thought this was a good idea.
 [an entropy pool remotely biased by MitM attacker, maybe?]


> reseed(8) performs an unsecured HTTP request to random.org for its
> bits, despite random.org offering HTTPS services.

https doesn't help if your host entropy pool is poorly seeded.
 [SSL/TLS needs entropy for authenticity/privacy.]


> The Ubuntu Security Team took no interest when contacted by email (no
> reply); the point of contact listed in the man pages took no interest
> when contacted by email (no reply); and a Launchpad bug report was not
> acted upon (https://bugs.launchpad.net/ubuntu/+source/reseed/+bug/804594).

you're surprised?
 [you must be new around here!]


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread coderman
On 9/20/07, Crispin Cowan [EMAIL PROTECTED] wrote:
> ...
> Rather, I just treat 0day as a synonym for new vulnerability

0day is a perspective; if it came out of nowhere and pwnd your ass it is 0day.


[that is, where you are on that clunky chain of disclosure process you
describe...]