[erlang-questions] Yaws security alert - Yaws 1.93
Claes Wikstrom
klacke@REDACTED
Wed Jun 20 23:17:52 CEST 2012
On 06/20/2012 11:10 PM, Geoff Cant wrote:
> Hi Klacke,
>
> Is the problem related to predictable seeding of random (set to {A,B,C} =
> erlang:now() at some point) or is it a bigger break in taking a series of
> outputs from random:uniform and working out the internal state from that?
> Just trying to figure out if kallez's attack is a brute force discovery of a
> weak seed, or if it's a more complete break of the generator itself given an
> unknown seed.
>
> Cheers,
It's not, Yaws was using the seed as in
    %% Seed the random module from 12 bytes of /dev/urandom (or now() on failure).
    {X,Y,Z} = seed(),
    ...

seed() ->
    %% Read 12 bytes from /dev/urandom via dd; os:cmd/1 returns them as a string.
    case (catch list_to_binary(
                  os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
        <<X:32, Y:32, Z:32>> ->
            {X, Y, Z};
        _ ->
            %% dd missing or short read: fall back to the wall clock.
            now()
    end.
The problem is much deeper, it's the random algorithm itself. It's said that
it's cryptographically weak - now I've seen how weak. Very weak.
/klacke
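The point of the message above is that the seed is not the problem: Erlang's `random` module implements AS183 (Wichmann-Hill), whose entire state is three small integers, so it is not a cryptographic generator no matter how the seed was obtained. The module below is an added illustration written for this archive page, not Yaws code and not klacke's; the module name `yaws_cookie_example`, the function names and the 16-byte cookie length are assumptions. It places the flawed pattern (a cookie drawn from `random:uniform/1`) beside the fix (bytes taken directly from the OS CSPRNG through `crypto:strong_rand_bytes/1`), and replaces the `dd` shell-out with a `crypto`-based seed helper for code that still needs a `{A,B,C}` triple.

```erlang
%% yaws_cookie_example.erl -- added illustration, not Yaws code.
-module(yaws_cookie_example).
-export([weak_cookie/0, strong_cookie/0, seed/0]).

%% The pattern at issue: random:uniform/1 is AS183, three small linear
%% congruential generators combined. Its state is tiny and its outputs
%% leak that state, so a well-seeded generator is still predictable.
%% Kept here only to contrast with strong_cookie/0; do not use for tokens.
%% (random is deprecated in current OTP in favour of rand, which is also
%% not a cryptographic generator.)
weak_cookie() ->
    {X, Y, Z} = seed(),
    random:seed(X, Y, Z),
    lists:flatten([io_lib:format("~2.16.0b", [random:uniform(256) - 1])
                   || _ <- lists:seq(1, 16)]).

%% The fix: take the cookie bytes straight from the OS CSPRNG via the
%% crypto application. There is no seeding step left to get wrong.
strong_cookie() ->
    Bytes = crypto:strong_rand_bytes(16),
    lists:flatten([io_lib:format("~2.16.0b", [B]) || <<B>> <= Bytes]).

%% Seed helper that draws 12 bytes from crypto instead of shelling out to
%% dd; returns the {A,B,C} shape random:seed/3 expects. A good seed does
%% not repair AS183, it only removes the os:cmd dependency.
seed() ->
    <<X:32, Y:32, Z:32>> = crypto:strong_rand_bytes(12),
    {X, Y, Z}.
```

Compile with `erlc yaws_cookie_example.erl` and call `yaws_cookie_example:strong_cookie()` from the shell (the `crypto` application must be started, e.g. `application:ensure_all_started(crypto)`); both functions return a 32-character hex string, but only `strong_cookie/0` is suitable for a session identifier.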