Re: CONFIG_RANDOM option for 1.99.2

Theodore Y. Ts'o (tytso@mit.edu)
Fri, 17 May 1996 09:14:53 -0400


Date: Fri, 17 May 1996 09:08:41 +0200 (MET DST)
From: "Martin.Dalecki" <dalecki@namu23.Num.Math.Uni-Goettingen.de>

HERE IS AN IDEA HOW TO GET RICH VERY EASY:

1. Grab the kernel sources.
2. Fake random.c, so that it is using a deterministic algorithm for
generation of random numbers, which is *very well* known by
you, instead of the strong random number generator.
3. Sell it as often as you can.

This is why the GPL on the Linux kernel is so important. Since the ISP
will have to provide source with his kernel, it will be possible for
someone to notice his duplicity. Remember, it only takes one person to
notice, so the more successful the ISP is at "selling" his Linux, the
more likely someone will be to notice that he's hacked /dev/random.

Even if someone doesn't provide source to their /dev/random
implementation (random.c is available under either the GPL or a
BSD-style license), keep in mind that two graduate students from
Berkeley were able to reverse engineer Netscape's stupid random number
generator without any access to source, thus earning them a lot of fame
and Netscape a lot of embarrassment --- a front page story in the Wall
Street Journal. If a company did this deliberately, the liability that
they would suffer if they were found out would be immense.

You are a student of pure mathematics with some interest in
cryptography and Monte Carlo methods for the numerical solution of integral
equations......

YOU USE: /dev/random.

You are a stupid graduate student who should have been flunked out,
because you don't know the first thing about Monte Carlo methods. For
Monte Carlo methods, you don't need cryptographically random numbers.
You need statistically random numbers --- and there's a difference.

/dev/random is used in places where you need cryptographic random
numbers. This occurs in random key generation, and there is also a
related use in generating secure TCP initial sequence numbers, which
will help prevent some cookbook TCP connection hijacking attacks.

If you start looking at the future, especially with how much excitement
electronic commerce is starting to raise, it would be really, really
nice for Linux to have built-in support for the cryptography needed to
support electronic commerce applications. /dev/random is necessary for
that. Besides, wouldn't it be nice if Netscape's random number
generator was something that we could audit and improve (because it's in
the Linux kernel) instead of assuming that the people in Netscape will
get it right?

My Linux box at home is completely secure from any cracking, even without
any kind of random number generator. I'm simply not wired. And I
suppose that I'm not the only one.

You never connect to the Internet? (How are you reading e-mail, then?)
You're never going to use PGP to secure your e-mail? (I have patches to
allow PGP to use /dev/random) You mean you never use the Web? You're
never going to purchase anything electronically?

Then you're part of the past, not the future.

PS. I really didn't intend to offend anybody. This wasn't a statement about
the code quality of random.c. But it was a statement about the usefulness
of it. The arguments presented above are quite lazily formulated but they are
serious.

Has it ever occured to you that because your arguments are lazily
formulated, they might just be out-and-out wrong? Think about it.

- Ted
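The two points argued in this exchange, as an added worked example that is not part of the original thread and is neither Ted's nor Martin's code: a box whose /dev/random has been swapped for a deterministic generator with a vendor-known seed still produces output that looks statistically fine (it estimates pi by Monte Carlo just as well as anything else), yet anyone who knows the algorithm and the seed can regenerate every key the box ever handed out. The generator here is Python's Mersenne Twister standing in for the hypothetical doctored random.c, the constant VENDOR_SEED is a constructed placeholder for the secret the dishonest vendor keeps, and os.urandom stands in for reading a genuine /dev/random; the NIST SP 800-22 monobit test is included only to show that passing a statistical check is not the property that matters for key generation.

```python
import math
import os
import random

# Constructed, hypothetical vendor secret: the seed a dishonest distributor
# would bake into a replaced random.c. Not a real constant from any kernel.
VENDOR_SEED = 0x5EEDC0DE


class BackdooredRandom:
    """Model of the swapped-in generator: Mersenne Twister output, which is
    statistically excellent but fully determined by a seed the vendor knows."""

    def __init__(self, seed: int = VENDOR_SEED) -> None:
        self._rng = random.Random(seed)

    def read(self, nbytes: int) -> bytes:
        return bytes(self._rng.getrandbits(8) for _ in range(nbytes))

    def uniform(self) -> float:
        return self._rng.random()


def honest_key(nbytes: int = 16) -> bytes:
    """What /dev/random exists for: key material from kernel entropy.
    os.urandom uses getrandom(2) on Linux; it is not seedable or replayable."""
    return os.urandom(nbytes)


def victim_session_keys(count: int, nbytes: int = 16) -> list[bytes]:
    """Keys generated on a shipped box whose /dev/random was doctored."""
    dev = BackdooredRandom()
    return [dev.read(nbytes) for _ in range(count)]


def attacker_predict_key(index: int, nbytes: int = 16,
                         seed: int = VENDOR_SEED) -> bytes:
    """The attack from the quoted message: knowing algorithm and seed, the
    vendor regenerates the victim's key stream and reads off key number
    `index` without ever touching the victim's machine."""
    dev = BackdooredRandom(seed)
    for _ in range(index):
        dev.read(nbytes)
    return dev.read(nbytes)


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test. Returns the p-value for the
    hypothesis that ones and zeros are equally likely; values >= 0.01 are
    conventionally a pass. It measures balance, not unpredictability."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n
    return math.erfc(abs(s) / math.sqrt(2 * n))


def estimate_pi(samples: int, seed: int = VENDOR_SEED) -> float:
    """Monte Carlo estimate of pi using the backdoored generator. Statistical
    randomness is all this needs, which is why the seed does not hurt here."""
    dev = BackdooredRandom(seed)
    inside = 0
    for _ in range(samples):
        x, y = dev.uniform(), dev.uniform()
        if x * x + y * y <= 1.0:
            inside += 1
    return 4.0 * inside / samples


if __name__ == "__main__":
    keys = victim_session_keys(5)
    print("victim key #3 :", keys[3].hex())
    print("attacker guess:", attacker_predict_key(3).hex())
    print("monobit p     :", round(monobit_p_value(BackdooredRandom().read(4096)), 4))
    print("pi estimate   :", estimate_pi(200_000))
    print("honest keys   :", honest_key().hex(), honest_key().hex())
```

The contrast to draw: the Monte Carlo estimate and the monobit p-value are exactly as good with the doctored generator as with a real one, so no statistical test run on the box would expose the swap; only source review, or reverse engineering of the kind Ted describes, reveals that the output is a function of a fixed seed. Keys from os.urandom cannot be regenerated by anyone, which is the property a key generator actually needs.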