Subject: Re: CVS commit: syssrc/sys/dev/ic
To: John Darrow <John.P.Darrow@wheaton.edu>
From: Perry E. Metzger <perry@wasabisystems.com>
List: source-changes
Date: 11/08/2001 08:53:09
John Darrow <John.P.Darrow@wheaton.edu> writes:
> Has a "poisoning the entropy pool via the network" attack ever been
> demonstrated in a non-degenerate case (i.e. a system running more
> processes than simply the one being attacked, on a network with more
> traffic than just the attacker)?

Absence of evidence is not evidence of absence. There are many things
that people aren't comfortable with that have never actually had a
worked example performed.

> (And, yes, it does seem, as mentioned in another reply, that there
> might be machines where the _only_ available source of entropy is the
> network, e.g. diskless headless machines.)
> 
> We're only providing rope here, and it isn't turned on by default,
> either.

We might want to be a lot more careful about how the rope is labeled
at the very least.

--
Perry E. Metzger		perry@wasabisystems.com
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/
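The concern in the thread above is that a pool fed with network interrupt timing credits entropy for samples whose timing an attacker on the wire largely controls. The following is an added illustration, not code from the thread or from NetBSD's rnd(4): a toy hash-mixed pool with a naive per-sample entropy credit, a victim whose only input is the arrival time of attacker-sent packets, and an attacker who recovers the pool output by enumerating the small interrupt jitter he cannot observe. All names (ToyPool, run_pool, recover_pool_output, entropy_gap), the period and jitter values, and the victim's jitter sequence are constructed for the example.

```python
import hashlib
import itertools
import math


class ToyPool:
    """Toy model of a hash-mixed entropy pool (not NetBSD's rnd(4)).

    Mixing is sound (SHA-256 over state || sample); the weak point being
    modelled is the bookkeeping, which credits a fixed number of bits for
    every sample regardless of how predictable that sample was.
    """

    def __init__(self, credit_per_sample):
        self.state = hashlib.sha256(b"toy-pool-seed").digest()
        self.credited_bits = 0
        self.credit_per_sample = credit_per_sample

    def add_sample(self, timestamp):
        # Mix an 8-byte big-endian timestamp into the pool state.
        self.state = hashlib.sha256(
            self.state + timestamp.to_bytes(8, "big")).digest()
        self.credited_bits += self.credit_per_sample

    def output(self):
        # Output derived from the pool state; what a consumer would get.
        return hashlib.sha256(b"output" + self.state).digest()


def run_pool(timestamps, credit_per_sample=8):
    """Feed every timestamp into a fresh pool and return the pool."""
    pool = ToyPool(credit_per_sample)
    for ts in timestamps:
        pool.add_sample(ts)
    return pool


def victim_timestamps(n, period, jitter_seq):
    """Arrival times of n attacker-sent packets spaced `period` apart.

    The host adds a small interrupt-latency jitter (jitter_seq) that the
    attacker cannot read off the wire; everything else is his choice.
    """
    return [i * period + j for i, j in zip(range(n), jitter_seq)]


def recover_pool_output(n, period, max_jitter, target_output,
                        credit_per_sample=8):
    """Attacker side: enumerate jitter values until the output matches.

    Returns the number of candidates tried, or None if no match (which
    cannot happen when the victim's jitter lies in range(max_jitter)).
    """
    tried = 0
    for guess in itertools.product(range(max_jitter), repeat=n):
        tried += 1
        candidate = run_pool(victim_timestamps(n, period, guess),
                             credit_per_sample)
        if candidate.output() == target_output:
            return tried
    return None


def entropy_gap(n, max_jitter, credit_per_sample=8):
    """Bits the pool claims versus bits the attacker actually lacks."""
    credited = n * credit_per_sample
    actual = n * math.log2(max_jitter)
    return credited, actual


if __name__ == "__main__":
    # Constructed scenario: 4 packets, 1000 cycles apart, jitter in [0, 4).
    N, PERIOD, MAX_JITTER = 4, 1000, 4
    victim_jitter = (1, 3, 0, 2)          # unknown to the attacker
    victim = run_pool(victim_timestamps(N, PERIOD, victim_jitter))
    tries = recover_pool_output(N, PERIOD, MAX_JITTER, victim.output())
    credited, actual = entropy_gap(N, MAX_JITTER)
    print(f"pool credited {credited} bits, attacker needed {tries} guesses "
          f"({actual:.0f} bits of real uncertainty)")
```

The lesson is the one implicit in the thread: with a sound mixer the attacker gains nothing by adding samples, but if the pool's entropy estimate counts attacker-controlled timings at face value, a consumer that blocks until "enough" bits are credited will be released long before the pool state is actually unguessable. On a diskless, headless host with no other source, that credit is the only thing standing between the consumer and a brute-force of the jitter.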