Not Even Pseudo

I’ve only seen a few episodes of The Big Bang Theory on cross-country airline flights, so I can’t say for sure whether "Pseudo-Random Number Generator" is a phrase that’s ever appeared in one of its scripts. It does seem like the kind of thing a screenplay writer would use as archetypal nerd-speak, but I don’t think I’ve even heard it on Numb3rs. (With these two shows added to its CSI franchise, is CBS committed to owning the whole nerd TV audience? Then again, does that audience actually include anyone, any more, who is not a member of my own nuclear family? Sorry, I digress.)

What brings the eye-glazing "PRNG" term to the top of my stack is this month’s claim that the PRNG in Windows may be seriously flawed: vulnerable to "severe and efficient" attacks that don’t need Administrator access to determine a substantial chunk of the generator’s present and future state.

I’ve often used the security of "secret-in-public" protocols, such as the Diffie-Hellman key exchange, to calm the fears of people who believe that doing things over the wire is inherently dangerous. I continue to believe that the risks of "roll your own" IT are generally larger than most people realize, compared to the practical level of risk involved in what are mostly theoretical Net vulnerabilities. This new report is a useful reminder, though, that one can execute the form of security while failing to provide the substance. A key exchange using a poor random generator is a card game with a marked deck.
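The "marked deck" point can be made concrete in a few lines. The following is an added example, not code from the original post or from the report it discusses: a toy Diffie-Hellman exchange in Python in which one party draws its private exponent from a generator whose whole state is a seed (Python's `random`, a Mersenne Twister, which is not a cryptographic generator), and the other uses the `secrets` module, which draws from the operating system's CSPRNG. Anyone who knows the seeded generator's state reproduces the private exponent and, with it, the shared secret, even though every public value on the wire is exactly what a correct protocol run would produce. The modulus and generator below are small constructed values chosen for readability, not parameters anyone should deploy.

```python
import random
import secrets

# Constructed toy parameters. P is the Mersenne prime 2**127 - 1; it is far
# too small for real use and is here only so the arithmetic is easy to follow.
P = 2**127 - 1
G = 5


def dh_public(private: int) -> int:
    """Public value g^x mod p."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Shared secret (peer_public)^x mod p."""
    return pow(peer_public, private, P)


def private_from_weak_prng(seed: int) -> int:
    """Private exponent from a generator whose entire state is `seed`.

    random.Random is a Mersenne Twister: given the seed, every value it ever
    emits is fixed, so the 'secret' is only as secret as the seed.
    """
    rng = random.Random(seed)
    return rng.randrange(2, P - 1)


def private_from_csprng() -> int:
    """Private exponent from the OS cryptographic generator (secrets module)."""
    return secrets.randbelow(P - 3) + 2


def replay_weak_secret(seed: int, peer_public: int) -> int:
    """What an observer who knows the weak generator's state can compute.

    Nothing is broken in the protocol itself; the observer simply re-runs
    the same deterministic generator and finishes the exchange as the victim.
    """
    return dh_shared(private_from_weak_prng(seed), peer_public)


def run_exchange(seed: int) -> tuple[bool, bool]:
    """Run one exchange. Returns (protocol agreed, observer recovered secret)."""
    a = private_from_weak_prng(seed)   # party with the flawed generator
    b = private_from_csprng()          # party with a sound generator
    pub_a, pub_b = dh_public(a), dh_public(b)

    shared_a = dh_shared(a, pub_b)
    shared_b = dh_shared(b, pub_a)
    agreed = shared_a == shared_b      # the protocol 'works' either way

    recovered = replay_weak_secret(seed, pub_b) == shared_a
    return agreed, recovered


if __name__ == "__main__":
    agreed, recovered = run_exchange(seed=1234)
    print(f"parties agree on a key: {agreed}")
    print(f"observer with the PRNG state recovers it: {recovered}")
    # Two independent draws from the CSPRNG should never repeat in practice.
    print(f"csprng draws differ: {private_from_csprng() != private_from_csprng()}")
```

The exchange "succeeds" in both cases: both parties compute the same key, and nothing visible on the wire distinguishes the sound run from the flawed one. That is exactly why conformance to the protocol says nothing about the quality of the randomness feeding it, and why a review of a system's generator (what seeds it, who can read its state, how it is reseeded) belongs in any assessment of a deployment that relies on "secret-in-public" key agreement.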

This is just one example of a more general point about security, or any other aspect of meeting IT performance metrics. Conformance with a standard or protocol is merely a starting point: competence, determined by often-costly scrutiny, is at least as crucial. In particular, the difference between a product and a service includes the difference between building something that makes security possible, and operating something in a way that makes security real.

November 12, 2007