Date: Tue, 1 May 2001 11:31:48 -0700 From: Kris Kennaway <kris@obsecurity.org> To: Terry Lambert <tlambert@primenet.com> Cc: Kris Kennaway <kris@obsecurity.org>, Jason Smethers <jason@smethers.net>, chat@FreeBSD.ORG Subject: Re: BSD libc for Linux? Message-ID: <20010501113148.A9444@xor.obsecurity.org> In-Reply-To: <200105011820.LAA17496@usr01.primenet.com>; from tlambert@primenet.com on Tue, May 01, 2001 at 06:20:34PM %2B0000 References: <20010501104324.D7834@xor.obsecurity.org> <200105011820.LAA17496@usr01.primenet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--7AUc2qLy4jB3hD7Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, May 01, 2001 at 06:20:34PM +0000, Terry Lambert wrote: > > > The statistical differences may be a result of your programs > > > use of the rand() family. Linux's GNU libc decided not to > > > implement these functions for backwards compatibility. Instead > > > it aliases these functions to the random() family. > >=20 > > which is a legitimate thing to do according to the standards. > > FreeBSD fixed its rand() in -current too; anyone using the old version > > for simulations is likely to be getting sorely skewed data out because > > the algorithm is so non-random. >=20 > FreeBSD _broke_ its random number generator. >=20 > I wish the non-scientists who keep claiming that it is > legitimate to break this code, and who think that when you > multiply two random numbers that the result is "even more > random than before the multiply", and who think randomness > is more important than pseudo randomness... I'm a physicist by day. I can think of few things worse than having a lengthy simulation ruined by the poor statistical properties of the old rand() algorithm. > would take a frigging 600 level college course in algorithms, > and read: >=20 > The Art Of Computer Programming > Volume 2: Seminumerical Algorithms > Donald Knuth > Addison-Wesley >=20 > In particular, they should read all of: >=20 > Chapter 3 -- Random Numbers >=20 > In particular, section 3.2.1.3 discusses /potentcy/, while > section 3.2.2 discusses other methods. >=20 > See also the "spectral test" in section 3.3.4 for the definition > of "acceptably random". AFAIK, the "improved" FreeBSD code has > not yet passed this test, which is currently the strongest test > known. Last time this came up we established you had no idea about the actual algorithm in use by rand(), and you still haven't shown that you actually understand its properties and why they needed to be fixed. Tell me, please, Terry, have YOU run that spectral test on the old rand()? > The purpose of rand() is to provide a sound mathematical basis > from which real work can be accomplished, not to make it so some Right. *Now*, it does this. > jackass can protect his password file with security through > obscurity, without having to get off their duff and expend any > effort. And this of course requires completely different mathematical properties which is why rand() or random() is not used for seeding password hash functions. Kris --7AUc2qLy4jB3hD7Z Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE67wETWry0BWjoQKURAkg6AJ9HM7z2Bxmg9/aAMde+YOU0/Q2BMQCeMqAx Sjut0/4zOCnff5EcKKaeegA= =MC65 -----END PGP SIGNATURE----- --7AUc2qLy4jB3hD7Z-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010501113148.A9444>