1 comment

[ 0.19 ms ] story [ 19.6 ms ] thread
Besides how great this blog post is, I really can't get over what the author of srandom did. Two weeks ago an issue was opened that pointed out xor-shift was not a secure PRNG. The srandom author replied by saying "prove it" and closed the issue. They also updated the readme to say that srandom is "probably the most secure PRNG available."[0]

I don't know if it was the github issue or the readme update that pushed Sc00bz over the edge to actually demonstrate the vulnerabilities. Maybe next time wait until after you've gotten an evaluation from a cryptographer before claiming "probably the most secure PRNG available."

[0]: https://github.com/josenk/srandom/commit/55e2ec76238111121b0...