Hey Libtech,
Hot on the heels of last week's Bitcoin wallet for Android heist, Google has
confirmed that this was due to a critical crypto flaw in Android, which could
affect security in thousands of apps according to Ars Technica:
"Google developers have confirmed a cryptographic vulnerability
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/15/2013 12:07 AM, Nadim Kobeissi wrote:
> Hot on the heels of last week's Bitcoin wallet for Android heist,
> Google has confirmed that this was due to a critical crypto flaw in
> Android, which could affect security in thousands of apps accordin
On 2013-08-15, at 6:14 AM, Nathan of Guardian
wrote:
> Signed PGP part
> On 08/15/2013 12:07 AM, Nadim Kobeissi wrote:
> > Hot on the heels of last week's Bitcoin wallet for Android heist,
> > Google has confirmed that this was due to a critical crypto flaw in
> > Android, which could affect se
Il 8/15/13 6:07 AM, Nadim Kobeissi ha scritto:
> Hey Libtech,
> Hot on the heels of last week's Bitcoin wallet for Android heist,
> Google has confirmed that this was due to a critical crypto flaw in
> Android
All Mobile Security Applications should not rely on standard RNG of the
OS but fetch pre
On Thu, Aug 15, 2013 at 7:14 AM, Nathan of Guardian
wrote:
> The only silver lining from their post was that HTTP/SSL connections
> were not affected, so this only really affects apps that are
> generating keys at the Java layer, which include apps like Android
> Privacy Guard (APG) and our own Gi
On Thu, Aug 15, 2013 at 11:11 AM, Nadim Kobeissi wrote:
> Cryptocat had its own RNG fiasco recently as well, which was documented in
> this excellent blog post by Sophos Labs:
> http://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng
On 08/15/2013 06:24 AM, Fabio Pietrosanti (naif) wrote:
> All Mobile Security Applications should not rely on standard RNG of the
> OS but fetch precious and better source of randomness available on those
> devices:
> - Microphone Audio Sample
>
> On a commercial product i worked on in past the RN
On 08/15/2013 06:29 AM, Maxim Kammerer wrote:
> I have a hard time trying to figure out from Alex Klyubin's blog post
> [1] just what the problem in affected Android class libraries was. Did
> they forget to include a urandom-backed SecureRandom provider? Or set
> it as one with highest priority? O
On Thu, Aug 15, 2013 at 2:34 PM, Nathan of Guardian
wrote:
> The best description is here:
> http://armoredbarista.blogspot.ch/2013/03/randomly-failed-weaknesses-in-java.html
Unbelievable… It seems that PRNG implementers suffer from NIH
syndrome. If you are going to use /dev/urandom, then use it
..on Thu, Aug 15, 2013 at 03:38:56PM +0300, Maxim Kammerer wrote:
> On Thu, Aug 15, 2013 at 2:34 PM, Nathan of Guardian
> wrote:
> > The best description is here:
> > http://armoredbarista.blogspot.ch/2013/03/randomly-failed-weaknesses-in-java.html
>
> Unbelievable… It seems that PRNG implementer
On Thu, Aug 15, 2013 at 8:38 AM, Maxim Kammerer wrote:
> "...and rely on code that's reviewed and maintained by thousands of
> kernel people..."
>
Are you really saying THOUSANDS have reviewed and maintain the RNG? For
real?
--
Liberationtech is a public list whose archives are searchable on Go
On Thu, Aug 15, 2013 at 7:33 PM, Doug Chamberlin
wrote:
> Are you really saying THOUSANDS have reviewed and maintain the RNG? For
> real?
You are right — I didn't take the possibility of useless
tongue-in-cheek remarks into account when using that expression in
order to support a technical argume
$ git log --pretty=format:"%an" drivers/char/random.c | sort | uniq | wc
The number of committers to random.c is 41.
You missed having a lame joke by just one committer.
On Thu, Aug 15, 2013 at 10:23 AM, Maxim Kammerer wrote:
> On Thu, Aug 15, 2013 at 7:33 PM, Doug Chamberlin
> wrote:
> > Ar
On Thu, Aug 15, 2013 at 1:23 PM, Maxim Kammerer wrote:
> On Thu, Aug 15, 2013 at 7:33 PM, Doug Chamberlin
> wrote:
> > Are you really saying THOUSANDS have reviewed and maintain the RNG? For
> > real?
>
> You are right — I didn't take the possibility of useless
> tongue-in-cheek remarks into acc
On Thu, Aug 15, 2013 at 8:39 PM, Steve Weis wrote:
> $ git log --pretty=format:"%an" drivers/char/random.c | sort | uniq | wc
Guys, I assumed you knew that kernel history was reset a few times. If
you want to approach it thoroughly, you start with all names at [1]
since 2010. Then, download the .
Maxim Kammerer wrote:
>In any case, I find this bikeshedding of side remarks pretty annoying,
>it is quite pointless.
Well, I see it as practical proof of the value of open-source, the need to
avoid reinventing the crypto wheel, and that no amount of money buys you
perfect code. Only time, co
On Thu, Aug 15, 2013 at 7:58 PM, Nathan of Guardian <
nat...@guardianproject.info> wrote:
>
>
> Maxim Kammerer wrote:
> >In any case, I find this bikeshedding of side remarks pretty annoying,
> >it is quite pointless.
>
> Well, I see it as practical proof of the value of open-source, the need to
On Thu, Aug 15, 2013 at 3:38 PM, Maxim Kammerer wrote:
> On Thu, Aug 15, 2013 at 2:34 PM, Nathan of Guardian
> wrote:
>> The best description is here:
>> http://armoredbarista.blogspot.ch/2013/03/randomly-failed-weaknesses-in-java.html
>
> Unbelievable… It seems that PRNG implementers suffer from
18 matches
Mail list logo