[talk] [nycbug-talk] FreeBSD abandoning hardware randomness

Brian Callahan bcallah at devio.us
Mon Nov 3 00:58:48 EST 2014 

On 11/02/14 23:37, Isaac (.ike) Levy wrote:
> On Sun, 02 Nov 2014 23:12:00 -0500
> Brian Callahan <bcallah at devio.us> wrote:
>
>> On 11/02/14 21:13, Isaac (.ike) Levy wrote:
>>> On Sun, 2 Nov 2014 20:34:34 -0500
>>>
>>>> TrueRNG – Hardware Random Number Generator USB
>>>> http://ubld.it/products/truerng-hardware-random-number-generator/
>>>>
>>>> I'm excited to see this, what do people think?  $47 feels a bit
>>>> high though...
>>>>
>>>> Rocket-
>>>> .ike
>>> And, as I continued looking for info online, came across another:
>>>
>>> "OneRNG" - totally open spec,
>>> http://moonbaseotago.com/onerng/
>>>
>> Hmm... a couple things come to mind:
>> First, TrueRNG seems to be a black box. So that's pretty much a
>> non-starter.
> Hrm.  I think I agree with you there- since the point is to do better
> with this problem than software, (a lot better), it could be argued to
> be a particularly un-kosher place for blackbox hardware.
>
>> Looks like OneRNG is only for Linux (atm); it requires udev to talk
>> to the kernel... someone would need to write the necessary software.
> Interesting...
>
>> But I'm not sure the problem these devices are trying to solve are
>> problems for the BSDs, at least OpenBSD.
> ;) I can see where that line of reasoning goes.
>
> Yet, I'd say we can *always* use better HW entropy sources,
> (particularly ones which are cheap and replacable if they are
> compromised- like these USB sticks).
>
> Where can my headless, microphone-less head-less servers get their
> entropy?  What if I even disabled entropy seeding/harvesting in the NIC
> because it doesn't really do any good with my app/use?
>
> If you know a good way out of these issues without hardware interfaces
> to the "real and random" world, I'm all ears!
>

Yes ok, but I know you're also not the type of person who will plug it 
in and believe that you're all good. And I think that really matters. If 
you really had a machine that had no way to gather entropy (I'm slightly 
sceptical that such a machine really exists, but let's say it does) then 
sure, one of these things would be a cheap, throw away if compromised, 
way to accomplish what you need. But again, I don't think you'd be the 
type to just plug it in and assume all is well.

I always imagine these things being used on $random_laptop by 
$random_user and marketed for that purpose. And in that case there is 
concern over the "plug it in and I'm good" mentality. People not knowing 
how to recognize a compromised stick (or worse, not knowing that they 
can be compromised).

I still think for your everyday laptop not having one of these keys is 
the way to go (perhaps though one should use an OS that does the random 
thing well ;-) ).

Anyhow, these things aren't a solution to anything without proper software.

More information about the talk mailing list