Subject: Re: Hardware RNG support for EM64T systems
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Sam Leffler <sam@errno.com>
List: tech-security
Date: 02/19/2006 09:44:13
Steven M. Bellovin wrote:
> In message <20060219155115.GA29962@panix.com>, Thor Lancelot Simon writes:
> 
>> A major problem with our /dev/random implementation is that it obscures
>> the actual input data while doing no testing at all to ensure that it is
>> actually random.  It is a very bad idea to leave known-questionable
>> sources -- particularly ones with high data rates -- connected to it!
> 
> Some random number generators have a self-test mode that verifies that 
> the device is working to at least some extent.  Does this one?
> 
> That said, the page you cite indicates that Linux (and possibly 
> FreeBSD) run a FIPS randomness test on what they find.  That's a very 
> good idea in any event.

The thing about running a FIPS test is news to me :)  Perhaps they are 
thinking of the kernel module I did (based on Jason Wright's user-mode 
test code) that interposes a FIPS tester between the entropy source and 
the PRNG.  That's optional but can be used to continuously validate 
and/or monitor uncertain entropy sources for goodness--not that FIPS 
tests are any great shakes in doing it but...

BTW the kernel module yields some interesting results for various h/w 
RNGs (which is why I originally did it).

	Sam
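Added example, not part of the message above and not Sam Leffler's or Jason Wright's code: a user-space sketch in C of the four FIPS 140-2 statistical tests (monobit, poker, runs, long run) that such an interposer would run over each 20,000-bit block, together with two constructed failure cases (a stuck-at-zero source and an oscillating 0xAA source) and a deterministic splitmix64 stream standing in for a hardware source. The acceptance intervals are the FIPS 140-2 values as published before the change notice that removed the statistical tests; check them against the edition you are targeting. The function names (fips_test_block, fips_test_constant, fips_test_splitmix) and the sample inputs are assumptions of this example.

```c
/* Added example: FIPS 140-2 statistical tests over one 20,000-bit block.
 * Not the NetBSD kernel module's code; thresholds are assumed from FIPS 140-2. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIPS_BLOCK_BYTES 2500   /* one test block is 20,000 bits */

enum {
    FIPS_OK      = 0,
    FIPS_MONOBIT = 1 << 0,
    FIPS_POKER   = 1 << 1,
    FIPS_RUNS    = 1 << 2,
    FIPS_LONGRUN = 1 << 3
};

/* Raw per-block statistics, exposed so a monitor can log them, not just pass/fail. */
struct fips_stats {
    int  ones;         /* number of 1 bits in the block */
    long poker_x16;    /* 16 * sum(f_i^2) over the block's 5000 nibbles */
    int  runs[2][6];   /* runs[bit][k]: runs of 'bit' of length k+1 (k == 5: length >= 6) */
    int  longest;      /* longest run of identical bits */
};

/* Assumed FIPS 140-2 intervals for run counts, lengths 1..5 and ">= 6" (inclusive). */
static const int runs_lo[6] = {2315, 1114, 527, 240, 103, 103};
static const int runs_hi[6] = {2685, 1386, 723, 384, 209, 209};

static void count_run(struct fips_stats *st, int bit, int len)
{
    st->runs[bit][len >= 6 ? 5 : len - 1]++;
    if (len > st->longest)
        st->longest = len;
}

/* Run all four tests over one block. Returns a bitmask of the tests that failed
 * (FIPS_OK when the block passes); fills *st with the statistics if st != NULL. */
int fips_test_block(const uint8_t buf[FIPS_BLOCK_BYTES], struct fips_stats *st)
{
    struct fips_stats local = {0};
    int poker[16] = {0};
    int cur_bit = -1, cur_len = 0, rc = FIPS_OK, b;
    size_t i;

    for (i = 0; i < FIPS_BLOCK_BYTES; i++) {
        uint8_t c = buf[i];
        poker[c >> 4]++;               /* nibble frequencies for the poker test */
        poker[c & 0x0f]++;
        for (b = 7; b >= 0; b--) {     /* walk bits MSB first, tracking runs */
            int bit = (c >> b) & 1;
            local.ones += bit;
            if (bit == cur_bit) {
                cur_len++;
            } else {
                if (cur_bit >= 0)
                    count_run(&local, cur_bit, cur_len);
                cur_bit = bit;
                cur_len = 1;
            }
        }
    }
    count_run(&local, cur_bit, cur_len);   /* the block's final run */

    for (i = 0; i < 16; i++)
        local.poker_x16 += 16L * poker[i] * poker[i];

    /* Monobit: 9725 < ones < 10275 */
    if (local.ones <= 9725 || local.ones >= 10275)
        rc |= FIPS_MONOBIT;
    /* Poker: X = (16/5000) * sum(f_i^2) - 5000 with 2.16 < X < 46.17,
     * i.e. in integers 25010800 < 16 * sum(f_i^2) < 25230850 */
    if (local.poker_x16 <= 25010800L || local.poker_x16 >= 25230850L)
        rc |= FIPS_POKER;
    /* Runs: every length bucket, for both bit values, inside its interval */
    for (b = 0; b < 6; b++)
        if (local.runs[0][b] < runs_lo[b] || local.runs[0][b] > runs_hi[b] ||
            local.runs[1][b] < runs_lo[b] || local.runs[1][b] > runs_hi[b])
            rc |= FIPS_RUNS;
    /* Long run: any run of 26 or more identical bits fails */
    if (local.longest >= 26)
        rc |= FIPS_LONGRUN;

    if (st)
        *st = local;
    return rc;
}

/* Constructed sample input: splitmix64 output standing in for a hardware source. */
void fill_block_splitmix(uint8_t buf[FIPS_BLOCK_BYTES], uint64_t seed)
{
    uint64_t w = 0;
    size_t i;
    for (i = 0; i < FIPS_BLOCK_BYTES; i++) {
        if (i % 8 == 0) {
            uint64_t z = (seed += 0x9E3779B97F4A7C15ULL);
            z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
            z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
            w = z ^ (z >> 31);
        }
        buf[i] = (uint8_t)(w >> (8 * (i % 8)));
    }
}

/* Wrappers for the demo: a block of one constant byte (stuck or oscillating
 * source) and a block of splitmix64 output from a given seed. */
int fips_test_constant(uint8_t fill, struct fips_stats *st)
{
    static uint8_t blk[FIPS_BLOCK_BYTES];
    memset(blk, fill, sizeof blk);
    return fips_test_block(blk, st);
}

int fips_test_splitmix(uint64_t seed, struct fips_stats *st)
{
    static uint8_t blk[FIPS_BLOCK_BYTES];
    fill_block_splitmix(blk, seed);
    return fips_test_block(blk, st);
}

int main(void)
{
    struct fips_stats st;
    int rc = fips_test_splitmix(0x1234ULL, &st);
    printf("splitmix64: rc=0x%x ones=%d longest=%d\n", rc, st.ones, st.longest);
    printf("all-zero:   rc=0x%x\n", fips_test_constant(0x00, NULL));
    printf("0xAA:       rc=0x%x\n", fips_test_constant(0xAA, NULL));
    return 0;
}
```

The point about FIPS tests being "no great shakes" shows up directly here: the splitmix64 stream is fully deterministic and carries no entropy, yet it passes all four tests, while only grossly broken output (a stuck-at-zero source fails every test; a 1010... oscillation fails poker and runs) is rejected. The tests are a health monitor for the hardware, not evidence that the bits are unpredictable, which is why the raw statistics are exposed alongside the pass/fail mask.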