Recent Events for foo.be MainPageDiary (Blog)

Page Collection for ^2008-06

2008-06-15 Internet Liberties Still In Danger

Everything started when government tried to limit the liberties on Internet, the first major case was the Communications Decency Act. The famous blue ribbon campaign of the EFF started due to that legal non-sense in 1996. We thought that we were safe from such stupid regulation in the cyberspace when the US supreme court admitted that the Communications Decency Act was mainly unconstitutional. But the history proven the opposite, governments are continuously trying to limit civil liberties on Internet (and not only in China). It's a fact and seeing such intensity from government to limit our rights in a space where freedom is there by nature, I really have a confirmation (by repeating so many times so many legal trick to achieve a complete on control on Internet) that's an intended purpose to limit our freedom space.

Hopefully there are still an active (from scientific to citizen) community where interesting paper came such as : Cassell, Justine, and Meg Cramer. “High Tech or High Risk: Moral Panics about Girls Online." Digital Youth, Innovation, and the Unexpected. An interesting part is the comparison with telegraph and telephone. The conclusion of the paper also showed the danger of the "moral panic" for women : 

And in each case that we have examined, from the telegraph to today, the result of the 
moral panic has been a restriction on girls’ use of technology. As we have described above, 
the telegraph, the telephone, and then the internet were all touted for how easy they were for 
young women to use, and how appropriate it was for young women to use them. Ineluctably, 
in each case, that ease of use and appropriateness became forgotten in a panic about how 
inappropriate the young women’s use of these technologies was, and how dangerous the 
women’s use was to the societal order as a whole. 
In the current case, the panic over girls’ use of technology has taken the form of believing 
in an increased presence of child predators online. But, as we have shown, there has been 
no such increase in predatory behavior; on the contrary, the number of young women who 
have been preyed on by strangers has decreased, both in the online and offline worlds.

Finally, as with uses of communication technologies by women in the past, it is clear 
that participation in social networking sites can fulfill some key developmental imperatives 
for young women, such as forming their own social networks outside of the family, and 
exploring alternate identities. Girls in particular may thrive online where they may be more 
likely to rise to positions of authority than in the physical world, more likely to be able 
to explore alternate identities without the dangers associated with venturing outside of their 
homes alone, more likely to be able to safely explore their budding sexuality, and more likely 
to openly demonstrate technological prowess, without the social dangers associated with the 
term “geek.” And yet, when moral panics about potential predators take up all the available 
airtime, the importance of the online world for girls is likely to be obscured, as are other 
inequalities equally important to contemplate.

But obviously, I'm still very affected by the continuous flow of bad law (like the recent one from France) or action like blocking Usenet. Do they want to turn Internet into an useless medium where free speech is banned ? and an Internet where so many technical restriction implemented, it becomes impossible to use it.

http://upload.wikimedia.org/wikipedia/commons/e/ee/Blue_Ribbon_Campaign_banner.png

Tags :

2008-06-23 Hardware Random Number Generator Useful

If you have a system machine generating various cryptographic keys, you really need a non predictable state in your entropy pool. To reach a satisfied level of unpredictability, the Linux kernel gathers environmental information in order to feed this famous entropy pool. Of course gathering enough unpredictable information from a deterministic system, it's not a trivial task.

In such condition having an independent random source is very useful to improve unpredictability of the random pool by feeding it continuously. That's also avoid to have your favourite cryptographic software stopping because lacking of entropy (it's often better to stop than generating guessable keys). In the graph below you can clearly see the improvement of the entropy availability. On an idle system, it is difficult for the kernel random generator to gather noise environment as the system is going in a deterministic way while doing "near" nothing. Here the hardware-based random generator is feeding regularly the entropy pool (starting end of Week 24) independently of the system load/use.

If you are the lucky owner of a decent Intel motherboard, you should have the famous Intel FWH 82802AB/AC including a hardware random generator (based on thermal noise). You can use tool like rngd to feed in secure way the Linux kernel entropy pool. In a secure way, I mean really feeding the pool with "unpredictable" data by continuously testing the data with the existing FIPS tests.

That's the bright side of life but I would close this quick post with something from the FAQ from OpenSSL :

1. Why do I get a "PRNG not seeded" error message?
... [some confusing information]
All OpenSSL versions try to use /dev/urandom by default; 
starting with version 0.9.7, OpenSSL also tries /dev/random 
if /dev/urandom is not available.
... [more confusing information]

If I understood the FAQ, by default OpenSSL is using /dev/urandom and not /dev/random first? If your entropy pool is empty or your hardware random generator is not active, OpenSSL will use the unlimited /dev/urandom version and could use information that could be predictable. Something to remember if your software is still relying on OpenSSL.

Update on 03/08/2008 :

Following a comment on news.ycombinator.com, I tend to agree with him that my statement "/dev/urandom is predictable" is wrong but that was a shortcut to urge people to use their hardware random generator. But for key generation (OpenSSL is often used for that purpose), the authors of the random generator (as stated in section "Exported interfaces —- output") also recommend to use /dev/random (and not urandom) when high randomness is required.

That's true when you are running out of entropy, you are only depending of the SHA algorithm strength but if you are continuously feeding the one-way hashing function with a "regular pattern" (another shortcut). You could start to find problem like the one in the linear congruential generator when the seed is one character… But that's true the SHA algorithm is still pretty secure. So why taking an additional (additional because maybe the hardware random generator is already broken ;-) risk to use /dev/urandom if you have already a high-speed hardware random generator that could feed nicely /dev/random?

The effect of introducing a hardware random generator in an entropy pool

Tags:

Recent Events for foo.be MainPageDiary (Blog)
Administration

[FSF Associate Member] Librarything profile for adulau XFN Friendly
if not specified on the wiki page, Copyright © Alexandre (adulau) Dulaunoy. This work is licensed to you under version 2 of the GNU General Public License. Alternatively, you may choose to receive this work under any other license that grants the right to use, copy, modify, and/or distribute the work, as long as that license imposes the restriction that derivative works have to grant the same rights and impose the same restriction. For example, you may choose to receive this work under the GNU Free Documentation License, the CreativeCommons ShareAlike License, the XEmacs manual license, or similar free licenses.