

A good idea with bad usage: /dev/urandom - throwaway2048
http://insanecoding.blogspot.ca/2014/05/a-good-idea-with-bad-usage-devurandom.html

======
Tomte
Suffice it to say that the author is mistaken when he claims that "The former
is pretty much raw entropy, while the latter is the output of a CSPRNG
function"

/dev/random is not "pretty much raw entropy", it is _the exact same_ output
of the kernel's CSPRNG as /dev/urandom is giving out.

See [http://www.2uo.de/myths-about-urandom/#structure](http://www.2uo.de/myths-about-urandom/#structure)

------
nimbs
> Using poor sources of entropy like /dev/urandom on Linux, or worse,
> gettimeofday(), and using them to generate long-lived keys.

He missed the point; people complained because he claimed urandom was a poor
source of entropy. That post is about using urandom securely, and he even
shows that he doesn't know the difference between random and urandom.

~~~
smn35
I think you missed what he was saying. He phrased it a few different ways in
the blog and the comments, the clearest probably being: "(/dev/urandom ||
gettimeofday()) is a very poor source of entropy".

He was complaining about a particular usage he was seeing in the wild, not
random and urandom, as he explicitly says a few times.

------
annnnd
Not wanting to nitpick, but if an attacker manages to unlink("/dev/urandom") then
you have bigger problems than just not trusting this one file. Nothing
an application developer can do will make this system more secure.

