Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
, 8 tweets, 2 min read Read on Twitter
1/ So people, I struggle with this problem and I'd like your help on solving it. As far as I can tell, there is no "just use...." answer to this problem, and I've spent a long time looking for one.
2/ 'getrandom()' is based on a system call that didn't appear until Linux/3.17. However, Linux/3.16 kernels are still common. For example, one of my test systems is an Odroid-C2 which has Ubuntu 18 on a Linux kernel 3.16. Yes, userland and kernel are widely different.
3/ This is a 'new' Odroid-C2, mind you. In the ARM world, hardware supports whichever kernel is newest when they ship and almost never change the kernel version, even as userland is updated.
4/ getrandom() uses /dev/urandom, which uses a CSPRNG based on an entropy seed, rather than based purely on entropy. This is proper, but some idiots think that /dev/random is better because it's got more entropy. However...
5/ However, at startup, there isn't yet enough entropy to seed /dev/urandom or getrandom(), so it they can block. You sometimes want your program to startup fast and not block, so you may grab RDRAND yourself to get entropy.
6/ Portable code doesn't have getrandom() (that's a Linux thing), and as mentioned above, older kernels don't have it either. /dev/urandom is portable though, but unfortunately, often isn't available inside containers. So you end up having to solve this problem yourself.
7/ If you look across the world of open-source projects, you find a lot of fixes for this. They generally grab arc4random from OpenBSD as the CSPRNG and scavaning entropy themselves to seed it with.
8/ There are lots of places to grab entropy. One sneaky way is to grab the ASLR locations of code/data. While time() gives very few bits of entropy, clock_gettime() with microsecond precision gets a lot more. Walking parts of the filesystem getting file names/timestamps gets more
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robᵇᵉᵗᵒ Graham
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
1/ This is a good example of how journalists like @bmelley wildly distort cybersecurity/hacking facts in order to create a story. "Tracking software" is not something that exists, "tracking images" do, but they don't have the importance the story ascribes to them.
2/ When emails arrive formatted with HTML, the images displayed can be included in the email itself, or loaded externally from servers, aka "remote content". When loaded remotely from servers, the servers can track when you open the emails, of course.
3/ Such tracking images are used everywhere where somebody blasts out emails -- such as political campaigns. I donate $5 to a wide variety of political campaigns to track their tracking. Here is a good example from AOC.
Read 8 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
1/ While this may be a funny joke, no, it's not a testament to "American bigotry", but is instead an example social media polarization. For one thing, the term "Arabic numerals" is ambiguous. For another, "ignorance" is not the same as "bigotry".
2/ Yes, we often call our digits 1,2,3,4... "Arabic" numerals, but they aren't the same as the numerals Arabs use. When you say "Arabic numerals", are you refering to these digits used in Europe and most of the world? Or specifically the form Arabs use?
3/ Our digits actually come from India, through the Arabs. They are better described as "Hindu-Arabic Numerals". Just look at our digits and you can see they are closer to what the ancient Hindus used than what Arabs use today.
Read 7 tweets
Profile picture
Robᵇᵉᵗᵒ Graham
@ErrataRob
The indictment for Daniel Hale leaking to Jeremy Scahill at The Intercept is below. I thought I'd mention a few things about it.
justice.gov/usao-edva/pres…
It starts with Hale looking up Scahill on Google from this work computer. This is the problem for leakers: They start by planning NOT to leak, and thus leave traces like this behind. By the time they change their mind and decide to leak, they've left a trail like this behind.
This is why you should just get into the habit of "incognito" browsing, using Tor, and using Signal for messaging, for everyday things. If you only use crypto when your life depends upon it, you are already hosed. You should use them when your life doesn't depend on them.
Read 10 tweets

Related threads

Profile picture
NoMan2000
@_NoMan2000
Time for a full thread on Nathan Phillips. I do not know whether or not he was a Marine. Without a FOIA, this will not be possible. I do know that his claim that he is a Marine combat vet during Vietnam is false though.
Phillips made very specific claims, although tracking each individual source down is difficult. I will try to collect them here.
1: Did Phillips claim to be a Vietnam veteran?

newsmaven.io/indiancountryt…

"I was in Vietnam times and when I was in the Marine Corps times, that's what I was. I was expendable. "

I was in Vietnam. Seems straight forward.
Read 53 tweets
Profile picture
po ✨
@yoonminiest
Sugar daddy au with a twist where Yoongi is a producer just starting out, and while he's happy he took the risk, he's struggling to make ends meet, often having to rely on his friends for help. They really don't mind since it's never anything much, food mostly, and they love him.
But Yoongi's unhappy with it, doesn't like mooching off his friends, so one night when he's been sulky after having to share Hoseok's dinner instead of buying his own again, Hobi's trying to cheer him up and jokes about how Yoongi should just become a sugar baby.
And Yoongi laughs, because that's ridiculous, he doesn't feel comfortable sharing his body for money and honestly would prefer to be the daddy if he had the money to do something like that anyway.
Read 571 tweets
Profile picture
Matthew Cogdeill
@Matthewcogdeill
📢#RETWEET 📢
Facts & Oaths of Affirmation evidently don't mean anything to liberal Democrats

HILLARY clinton & "Party" indictments have begun

If #TheResistance want to #Resist these FACTS, they will join your #Resistance leader in Prison

#mondaymotivation
#KeepAmericaGreat
📢#RETWEET 📢
🚨#BreakingNews 🚨

Hillary Clinton AND "Party" Are Officially being Charged

#QAnon First called this with Great accuracy #DrainThe

I'm helping #TheResistance to #Resist The #Resistance Brainwashing with these #Facts 👇This is REAL👇
@TeamTrump @DiamondandSilk @DonaldJTrumpJr @RealCandaceO @PrisonPlanet @wikileaks @BBCBreaking @MileyCyrus @TheEllenShow @MichelleObama 📢#RETWEET 📢
🚨#BreakingNews 🚨

@realDonaldTrump is the ONLY @POTUS who actually kept his promise of moving the 🇺🇸 Embassy to Jerusalem!

✅Donald J Trump
🚫Bill Clinton
🚫George Bush Sr
🚫George Bush Jr
🚫Barack Obama

#Gaza
#Jerusalem #MondayMotivation
#KeepAmericaGreat
Read 198 tweets
Profile picture
Taylor Pearson
@TaylorPearsonMe
1/ Where is their alpha left in markets?
2/ This is one of the questions @EpsilonTheory talked with @Patrick_Oshag about. - investorfieldguide.com/hunt/
3/ One of the answers that Ben gave was legal private information.
Read 18 tweets
Profile picture
#DestroyTheAadhaar #BanDigitalElections #DefeatCIA
@Stupidosaur
One important thing about Aadhaar or any centralized system,particularly connected to money, which I have not said so far, is how it completely destroys any security by obscurity which we have enjoyed so far. Take the example of mobile OTP.
Aadhaar uses SMS One Time Password (OTP) to secure Aadhaar transactions. But we have seen how process to update mobile for Aadhaar itself is hopeless destroy-the-aadhaar.blogspot.in/2017/12/regist…
It is hopeless in terms of security as well as frustrations experienced by the user. Some of the security risks can be fixed if UIDAI is more transparent about the process, as we have seen in that article. Some frustrations also may reduced if Aadhaar centres more nearby. But...
Read 84 tweets
Profile picture
Eketi Edima Ette
@eketiette
Are you one of those people who's looked back on 2017 and convinced yourself that you haven't achieved anything? Worried about catching up with your mates who seem to have done much better?

Let me tell you a story about #time.

A thread 👇
A long #time ago, back when I was about twelve or thirteen years old, my parents travelled to Uyo.

Before leaving, my mother asked me to prepare Edikang ikong soup so she and my father would eat when they returned.
When I was finished with the soup, it was supposed to look something like this:

*photo credit: waiter foodies.
Read 32 tweets

Trending hashtags

#Duginist #Rodina #Triggers #compassion #stories #Istanbul #Dugin #children #NewJersey #Opposition #therapist #histpsych #Protecting #SunTzu #FakeNews #Norton #Erdoğan #AdnanKhashoggi #Blumenthal #Anderson #graywashed #SaturdayMotivation #Embassy #WashingtonPost #Religiously
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!