Add specific warnings about IoT & random number generation #6
Merged
Dan Petro and Allan Cecil's 2021 report [You're Doing IoT RNG](https://labs.bishopfox.com/tech-blog/youre-doing-iot-rng) at DEF CON 29 showed that Internet of Things (IoT) devices have a *VERY* serious problem in that they often don't securely generate random numbers, leading to vulnerabilities. They estimate about 35 billion IoT devices have this problem. We already talk about ignoring return codes & correctly generating random numbers, but this is such a common & huge problem that I think it's important to specifically emphasize it. We don't need to change quizzes or anything, it's already clearly in scope of some relevant sections, but it's good to especially emphasize it. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Errors are *especially* likely for hardware RNGs because they are typically very rate-limited. That's one reason why this particular failing so often leads to problems. Too many people call hardware RNGs "True RNGs" and then think that hardware RNG is automatically wonderful. That's absurd, of course. Noting the rate-limiting will help people understand their limits, and why using CSPRNG with hardware inputs is what they should be doing instead. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
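The failure mode the two commit messages above describe, as an added example that is not part of this pull request, the course material, or the Bishop Fox report: a rate-limited hardware RNG whose driver returns a status code and writes the output word only on success, a key-generation routine that ignores that status (so once the peripheral is depleted the key silently stays all-zero), and the corrected design that checks every read, seeds a CSPRNG once from the hardware, and then draws unlimited output from the CSPRNG. The hardware RNG here is a constructed model (the `hwrng_*` functions, the 4-word budget and the xorshift "noise" are all assumptions, not any real HAL); ChaCha20 from RFC 8439 is used as the CSPRNG core, with a known-answer self-test against the RFC's block-function vector.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ---- Constructed model of a rate-limited hardware RNG peripheral (not a real HAL) ----
 * Like many TRNG drivers it returns a status code and writes *out ONLY on success. */
static int      hwrng_budget = 4;           /* words ready before the peripheral says "not ready" */
static int      hwrng_alive  = 1;           /* fault switch: 0 models a dead or unclocked TRNG   */
static uint32_t hwrng_noise  = 0x2545F491u; /* xorshift stand-in for physical noise (constructed) */

int hwrng_read_word(uint32_t *out) {
    if (!hwrng_alive || hwrng_budget <= 0) return -1;  /* error: *out is left untouched */
    hwrng_budget--;
    hwrng_noise ^= hwrng_noise << 13; hwrng_noise ^= hwrng_noise >> 17; hwrng_noise ^= hwrng_noise << 5;
    *out = hwrng_noise;
    return 0;
}
void hwrng_wait(void)           { if (hwrng_alive) hwrng_budget++; } /* time passes: one more word ready */
void hwrng_set_alive(int alive) { hwrng_alive = alive; }
void hwrng_reset(void)          { hwrng_budget = 4; hwrng_alive = 1; hwrng_noise = 0x2545F491u; }

/* ---- The IoT anti-pattern: one hardware read per key word, return code ignored ----
 * Once the peripheral is depleted the remaining words silently stay zero. */
void keygen_vulnerable(uint8_t key[32]) {
    uint32_t words[8] = {0};
    for (int i = 0; i < 8; i++) hwrng_read_word(&words[i]);   /* status discarded */
    memcpy(key, words, 32);
}

/* ---- ChaCha20 block function (RFC 8439), used below as the CSPRNG core ---- */
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7);

void chacha20_block(const uint32_t key[8], uint32_t counter, const uint32_t nonce[3], uint8_t out[64]) {
    uint32_t s[16] = {0x61707865u, 0x3320646eu, 0x79622d32u, 0x6b206574u,
                      key[0], key[1], key[2], key[3], key[4], key[5], key[6], key[7],
                      counter, nonce[0], nonce[1], nonce[2]};
    uint32_t x[16];
    memcpy(x, s, sizeof x);
    for (int i = 0; i < 10; i++) {                       /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8],  x[12]) QR(x[1], x[5], x[9],  x[13])
        QR(x[2], x[6], x[10], x[14]) QR(x[3], x[7], x[11], x[15])
        QR(x[0], x[5], x[10], x[15]) QR(x[1], x[6], x[11], x[12])
        QR(x[2], x[7], x[8],  x[13]) QR(x[3], x[4], x[9],  x[14])
    }
    for (int i = 0; i < 16; i++) {                       /* add input state, serialize LE */
        uint32_t v = x[i] + s[i];
        out[4*i] = (uint8_t)v; out[4*i+1] = (uint8_t)(v >> 8);
        out[4*i+2] = (uint8_t)(v >> 16); out[4*i+3] = (uint8_t)(v >> 24);
    }
}

/* Known-answer test against the RFC 8439 section 2.3.2 vector; run it at boot. Returns 1 on pass. */
int chacha20_selftest(void) {
    uint32_t key[8], nonce[3] = {0x09000000u, 0x4a000000u, 0};
    for (int i = 0; i < 8; i++) key[i] = 0x03020100u + 0x04040404u * (uint32_t)i; /* key bytes 00..1f */
    static const uint8_t want[8] = {0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15};
    uint8_t out[64];
    chacha20_block(key, 1, nonce, out);
    return memcmp(out, want, 8) == 0;
}

/* ---- The fix: seed a CSPRNG from the hardware once, checking every read ---- */
typedef struct { uint32_t key[8]; uint32_t nonce[3]; uint32_t counter; int seeded; } csprng_t;
#define HWRNG_MAX_WAIT 8

/* Pulls 11 words (256-bit key + 96-bit nonce). "Not ready" is retried a bounded number of
 * times (a real driver polls the ready flag); persistent failure is reported, never papered over. */
int csprng_seed(csprng_t *g) {
    uint32_t seed[11];
    for (int i = 0; i < 11; i++) {
        int tries = 0;
        while (hwrng_read_word(&seed[i]) != 0) {
            if (++tries > HWRNG_MAX_WAIT) { memset(g, 0, sizeof *g); return -1; }
            hwrng_wait();
        }
    }
    memcpy(g->key, seed, 32); memcpy(g->nonce, seed + 8, 12);
    g->counter = 0; g->seeded = 1;
    return 0;
}

/* Any amount of output with no further hardware reads; refuses to run unseeded. */
int csprng_bytes(csprng_t *g, uint8_t *buf, size_t len) {
    if (!g->seeded) return -1;
    uint8_t block[64];
    while (len > 0) {
        size_t n = len < 64 ? len : 64;
        chacha20_block(g->key, g->counter++, g->nonce, block);
        memcpy(buf, block, n); buf += n; len -= n;
    }
    return 0;
}

/* Helper for inspecting keys: how many bytes at the end of the buffer are zero. */
size_t trailing_zero_bytes(const uint8_t *b, size_t n) {
    size_t z = 0;
    while (z < n && b[n - 1 - z] == 0) z++;
    return z;
}
```

With a 4-word budget, `keygen_vulnerable` fills only the first 16 bytes of the first key and produces an all-zero key on the very next call, with no error ever surfacing; `csprng_seed` instead waits for the peripheral word by word and fails loudly if the hardware never becomes ready, after which `csprng_bytes` can hand out as many keys as the device needs. On real firmware the right move is to use the platform's existing CSPRNG (the OS or crypto library's DRBG fed from the hardware source) rather than this hand-rolled one, and to reseed it periodically from the hardware rather than only at boot.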
mrybczyn reviewed Aug 17, 2021
@mrybczyn - thanks for your great feedback! I'm about to post an update.
Implement lots of improvements thanks to Marta Rybczynska (@mrybczyn). THANK YOU Marta! Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Anyone can predict, the question is, can you predict with an accuracy better than random chance? Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
We cite Petro & Cecil in two adjacent paragraphs, even though it's pretty obvious it's the same source. Just cite it once for simplicity. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Reviewed the new version and it looks good to me.
@mrybczyn - great! Thanks for all your time!
david-a-wheeler added a commit that referenced this pull request on Apr 14, 2022
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>