

Linus Torvalds: Remove RdRand from /dev/random - signa11
http://www.change.org/en-GB/petitions/linus-torvalds-remove-rdrand-from-dev-random-4

======
beedogs
Linus's response is pretty angry, as usual:

“Where do I start a petition to raise the IQ and kernel knowledge of people?
Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally,
come back here and admit to the world that you were wrong. Short answer: we
actually know what we are doing. You don't. Long answer: we use rdrand as
_one_ of many inputs into the random pool, and we use it as a way to _improve_
that random pool. So even if rdrand were to be back-doored by the NSA, our use
of rdrand actually improves the quality of the random numbers you get from
/dev/random. Really short answer: you're ignorant.”

~~~
jdiez17
To be honest, he is right. Not only what he said is correct, but cryptography
is one of those strange fields where saying "I know more than you about this
and I am right" is an acceptable thing to do.

~~~
dingaling
I'll be the fool here since I'm not mathematical: how is it sustainable to mix
any potentially flawed source into the entropy pool?

For example if my RNG just outputs a series of 5s, surely that would weaken
the pool even if the other nine sources were lovely lovely entropy? What is
the 'threshold' for tolerable degradation?

The patch that was finally accepted for the Linux kernel was to mix-in RdRand
but not to increment the entropy counter. To me as a layman that suggests that
if the other inputs are weak at any time ( e.g. soon after boot ) then RdRand
will be dominant.

~~~
jn7
You don't mention that you have read random.c or anything about the SHA mixing
that goes on. There's a fairly self explanatory comment that is worth reading.
If you ignore the delivery, Linus' advice was pretty clear.

------
holyjaw
> "UPDATE: It appears I got #rekt, petition closed."

What does it mean to be '#rekt'? Is it the phonetic spelling of "wrecked"?

~~~
L4mppu
That seems to be the case. You see it a lot on 4chan as of late.

------
nextweek2
I am not being funny but that whole website should be shut down. It's clearly
hindering democracy.

If you want to affect change, write a letter to your local representative.

Do not spend 60 seconds putting your email address into a random website on
the Internet that no politician is ever going to take note of that site since
it doesn't represent their constituents. People think they are making things
better by putting their name against something or liking something, but it
means nothing.

