PerlMonks  

Re^4: A better rand() for Win32

by pKai (Priest)
on Jul 31, 2007 at 12:26 UTC ( #629813=note )


in reply to Re^3: A better rand() for Win32
in thread A better rand() for Win32

If you are still interested in capicom.dll, this download link might work for you: CAPICOM Download the update

Since it is a security update, there is no "Genuine Windows" authentication needed. Or at least so it seems to me.

Replies are listed 'Best First'.
Re^5: A better rand() for Win32
by BrowserUk (Pope) on Jul 31, 2007 at 17:50 UTC

    Offline, pKai asked me the following question, which I reproduce here with his permission.

    Sorry, I don't get it. Every major subsystem of Windows has been subject to priority 1 security patches in the past. If you are concerned that this has been patched, shouldn't you abandon Win as a platform then?

    The problem is not that it has been patched. Timely or not, that indicates it is maintained at least.

    The problem is the idea of a library intended for cryptographic uses that even permits the potential for 'remote code execution', never mind has an exploitable vulnerability. It's like fitting a really expensive, sophisticated front door lock and then hanging the key on a piece of string inside the letterbox.

    Nothing I do is particularly secret. No lives will be lost if it is exposed and I don't keep or use financial data on my general purpose PC. My security needs are therefore minimal and 'best efforts' are good enough for my purposes. None the less, it would be inconvenient and upset me greatly to risk the contents of my hard drive to every random oik on the net, so I take a sensible level of precaution to that end.

    That leaves my main use for random being for simulations and the like. To that end, I don't see the point in installing a CSPRNG that potentially breaches the security of my machine by exposing a net-visible 'remote code execution interface' in order to seed a non-cryptographically secure PRNG. Does that make sense to you? Why not just use the CSPRNG once you've installed it?

    As for abandoning Win: Why? The simplest answer to 95% of the exposures that Win has been subject to is: don't run the code. Hence, I don't use IE, or Exchange or Word or Excel. I have turned off nearly 80% of the services that are started by default and mostly sit there doing nothing 99% of the time, except exposing vulnerabilities and consuming memory. When I need to use a service, I turn it on temporarily and then disable it again.

    Does it mean I'm 100% secure? Obviously not. There is no such thing. Not even with other OSs.


    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.
Re^5: A better rand() for Win32
by BrowserUk (Pope) on Jul 31, 2007 at 12:33 UTC

    Many thanks pKai.

    However, given the reason that update exists:

    A remote code execution vulnerability exists in Cryptographic API Component Object Model (CAPICOM) that allows an attacker who successfully exploits this vulnerability to take complete control of an affected system.

    I think it knocks the whole "required for secure cryptographic purposes" idea on the head. I'll stick with Math::Random::MT and my own mechanism for seeding it :)


