Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

Re^2: Your random numbers are not that random (UtS,L)

by davies (Vicar)
on Jul 21, 2012 at 23:06 UTC ( #983023=note: print w/ replies, xml ) Need Help??


in reply to Re: Your random numbers are not that random (UtS,L)
in thread Your random numbers are not that random

Thanks. I'll look into that on the working and non-working cards and report back with an update. I hadn't heard of perldiag before, but even if I had, it wouldn't have helped me as C (I'm assuming it's C) is a language I don't speak and the code you have shown is, I'm sorry to say, incomprehensible to me. But I can see that copying files would not have copied environment variables and that this is not only something I can do but something likely to work.

Thanks again and regards,

John Davies

Update as promised: All the environment variables I could find, whether in Linux or Perl, were the same on both cards. The Perl ones seemed to be straight copies of the Linux ones. I was looking in %ENV. Are there other places that Perl environment variables are kept?


Comment on Re^2: Your random numbers are not that random (UtS,L)
Re^3: Your random numbers are not that random (UtS,L)
by Anonymous Monk on Jul 22, 2012 at 09:11 UTC

    The C code calls Drand01() to initialise the hash seed. However, it is returning 0 for some reason. Drand01 is a frontend macro to the system random number generator -- which one, I have no clue. You could look at Perl's configure output to figure that one out.

    This method is only for randomising the hash seed. It might not be critical for the installation. If you plan to make Perl user-accessible (e.g. a web service), you might run into a denial of service attack at worst. And, indeed, you can "fix" that with the aforementioned environment variable.

      A simple denial-of-service vulnerability is far from the worst-case scenario... If the code has any sort of cryptographic functionality, if it generates random passwords, or anything of that sort, then weak random numbers can lead to far worse than that, as they'll give an attacker a much better chance of guessing any randomly-generated values (such as session keys or random passwords).

      Of course, if you're doing anything along those lines, I sincerely hope that you'd be using a properly-installed perl rather than one copied onto an SD card, so this is unlikely to be an issue in practice.

        I'm not clear on the distinction between "properly installed" and on an SD card. The Pi boots off an SD card, and while it is possible to put stuff onto a USB hard drive, it's rather complicated for the OS stuff. So the system Perl is certainly on a card, as are most things Pi related. All the cards I'm trying to create are bootable and intended to be used to boot Pis. Am I missing something?

        Regards,

        John Davies

        I ran on the assumption that it is the random number generator failing only for the hash seeding code -- hence downplaying the problem. I have no idea which RNG the actual rand() function uses, but password/session key generation can be made reasonably secure even with a nonfunctional RNG.

        To the OP: What sort of results do you get if you run perl -le 'print rand() for 1..10' on the faulty boards? If you run it twice, will the same sequence repeat? What about on the working boards?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://983023]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (6)
As of 2014-12-22 03:52 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (110 votes), past polls