The Register® — Biting the hand that feeds IT

Win XP also prone to random number bug

Not hard to guess

Microsoft has conceded that the pseudo-random number generator used by Windows XP suffers the same security shortcomings as Windows 2000.

Israeli researchers recently discovered it was possible to predict the output of the random-number generator built into Windows 2000, after first determining the internal state of the generator. Random numbers are a critical sub-component of cryptography functions, such as the generation of keys used for SSL exchanges.

Win XP - but not Windows Vista - is subject to the same problem, Microsoft admits. However, the software giant has no plans to release a fix until Windows XP Service Pack 3 in the first half of 2008.

Microsoft said that to pull off the attack an attacker would need to have gained ownership of a machine, after which worries about random numbers would be the least of a user's worries. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," a company spokesperson told Computerworld. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP." ®
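An added illustration, not part of the original article and not the Windows algorithm: a constructed toy generator showing why a known internal state makes later output predictable, and why mixing in fresh entropy ends that predictability. The class and function names are hypothetical.

```python
import hashlib
import os


class ToyGenerator:
    """Constructed hash-based generator for illustration only."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()

    def next_block(self) -> bytes:
        # Output and next state are both deterministic functions of the state.
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

    def reseed(self, entropy: bytes) -> None:
        # Mix in entropy that someone holding the old state does not know.
        self.state = hashlib.sha256(b"reseed" + self.state + entropy).digest()


def clone_from_state(state: bytes) -> ToyGenerator:
    """Rebuild a generator from a copied internal state."""
    gen = ToyGenerator(b"")
    gen.state = state
    return gen


def demo() -> tuple[bool, bool]:
    system = ToyGenerator(os.urandom(32))
    system.next_block()  # output produced before the state is read

    # Someone with administrator rights copies the internal state once.
    observer = clone_from_state(system.state)

    # Without new entropy, every later block is predictable from that copy.
    predicted = [observer.next_block() for _ in range(3)]
    actual = [system.next_block() for _ in range(3)]
    predictable_before_reseed = predicted == actual

    # After a reseed with fresh entropy, the copied state is useless.
    system.reseed(os.urandom(32))
    predictable_after_reseed = system.next_block() == observer.next_block()

    return predictable_before_reseed, predictable_after_reseed


if __name__ == "__main__":
    print(demo())
```
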

Latest Comments

This is a potential security hole

Admittedly, if someone has admin access to your box, you're in all sorts of trouble. But one possible security hole due to this exploit does spring to mind: if the random number generator has been used to generate, say, information used in a cryptographic application, manipulation and/or knowledge of internal state might possibly permit a replay attack against data secured before the attacker elevated himself to admin level. It's a reach, I admit.

As John von Neumann said, "Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin." One nice way of getting real random bits is back-biasing a CMOS junction into avalanche and then feeding TTL-level edges to pin 10 (NACK) on the parallel port. Count the time between edges and you get a damn good source of truly random data.

Linux good; Micro$oft bad.

Okay, okay, Linux is better.

Real world is, make product for intellectually disadvantaged end users.

Challenge, if your Windows version is buggy then you must hack the sucker until you own it.

Hey, I'm still using a stable ME on one of my machines (and you can well believe it was not stable out of the box.)

That being said; I have pretty well given up on Vista; I mean, get real.

Not even my boss (who sometimes expects applications to be able to make cheese sandwiches in the cd drives) asks for that one.

In any case, everyone uses the same damn pseudo random algorithm and has for years; it's what is taught in school and if you don't use it you were flipping fries (chips for you Brits.)

Coin tosses - can be a bit predictable

I have found that I can predict better than 50/50 at the result of tossing a coin. I did this over a fairly lengthy period (waiting for Windows to boot up).

So although it's not scientifically/statistically accurate, it's useful for a better chance of winning "heads you buy the round or tails I do" scenarios.

What I do is place the coin (say) heads up all the time on my thumbnail, do the flip/tossing, catch and put it on the back of my hand - as you do.

Generally, I find that if it is a "clean" catch - slap in the palm of your hand, it mostly comes up heads - or whatever side you chose upwards to start with.

(Do I hear the sound of 1000's of coins being flipped at the moment? That'll cause a butterfly in Asia to flap its wings or something I reckon)
