antipaucity

fighting the lack of good ideas

improve your entropy pool in linux

A few years ago, I ran into a known issue with one of the products I use that manifests when the Red Hat Linux server it’s running on has a low entropy pool. And, as highlighted in that question, the steps I found 5 years ago didn’t work for me (turns out modifying the t parameter from ‘1’ to ‘.1’ did work (rngd -r /dev/urandom -o /dev/random -f -t .1), but I digress (and it’s no longer correct in CentOS 7 (the ‘t’ option, that is))).

In playing around with the Mozilla-provided SSL configurator, I noticed a line in the example SSL config that referenced “truerand”. After a little Googling, I found an opensource implementation called “twuewand”.

And a little more Googling about adding entropy, and I came across this interesting tutorial from Digital Ocean for “haveged” (which, interestingly enough, allowed me to answer a 6-month-old question on Server Fault about CloudLinux).

Haveged “is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.”

And twuewand “is software that creates hardware-generated random data. It accomplishes this by exploiting the fact that the CPU clock and the RTC (real-time clock) are physically separate, and that time and work are not linked.”

For workloads that require lots of entropy (generating SSL keys, SSH keys, PGP keys, and pretty much anything else that wants lots of random (or strong pseudorandom) seeding), the very real problem of running out of entropy (especially on headless boxes or virtual machines) is something you can face quite easily / frequently.

Enter solutions like OpenRNG which are hardware entropy generators (that one is a USB dongle (see also this skh-tec post)). Those are awesome – unless you’re running in cloud space somewhere, or even just a “traditional” virtual machine.

One of the funny things about getting “random” data is that it’s actually very very hard to get. It’s easy to describe, but generating “truly” random data is incredibly difficult. (If you want to have an aneurysm (or you’re like me and think this stuff is unendingly fascinating), go read the Wikipedia entry on “Cryptographically Secure Pseudo Random Number Generator”.)

If you’re in a situation, though, like I was (and still am), where you need to maintain a relatively high quantity of fairly decent entropy (probably close to CSPRNG level), use haveged. And run twuewand occasionally – at the very least when starting Apache (at least if you’re running HTTPS – which you should be, since it’s so easy now).
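A check for the “low entropy pool” condition described above, added here as an example (it is not part of haveged, twuewand or rngd). The file paths default to the real /proc entries and the 25% threshold is this example’s own assumption:

```sh
#!/bin/sh
# Added example: report how full the kernel's input entropy pool is.
# Not part of haveged, twuewand or rngd. The file paths and the 25%
# threshold are this example's assumptions; defaults point at the real
# /proc files so it can be run as-is on a live box.

# entropy_status [AVAIL_FILE] [POOLSIZE_FILE] [MIN_PERCENT]
# Prints "avail/poolsize (pct%) OK|LOW"; returns 0 if OK, 1 if LOW,
# 2 if the entropy_avail file cannot be read (e.g. a non-Linux host).
entropy_status() {
    avail_file="${1:-/proc/sys/kernel/random/entropy_avail}"
    pool_file="${2:-/proc/sys/kernel/random/poolsize}"
    min_pct="${3:-25}"

    [ -r "$avail_file" ] || { echo "cannot read $avail_file" >&2; return 2; }
    avail=$(cat "$avail_file")
    # CentOS 7-era kernels have a 4096-bit input pool that drains under load;
    # kernels 5.18+ report a fixed 256-bit pool that no longer drains, so the
    # LOW case mostly matters on the older kernels the post is about.
    pool=$(cat "$pool_file" 2>/dev/null || echo 4096)
    pct=$(( avail * 100 / pool ))

    if [ "$pct" -lt "$min_pct" ]; then
        echo "$avail/$pool (${pct}%) LOW"
        return 1
    fi
    echo "$avail/$pool (${pct}%) OK"
}

# Check the live kernel when invoked directly; a LOW result is the cue to
# confirm that haveged (or rngd) is actually running and feeding the pool.
entropy_status "$@"
rc=$?
```

Run it a few times while generating keys on a headless box or VM to see whether the pool actually drops; without haveged the LOW state is what produces the blocking behaviour the post describes.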

ghosts in the fog by samantha seiple

For much of my life I have been interested in WWII – my grandpa Myers was in the Navy in the Pacific theater on a mine sweeper. My dad read extensively on the war, largely because of his father, and passed along an interest in military history – the navy in particular – and intriguing stories of battles that rarely get headlines. Everyone knows about Pearl Harbor, D-Day, Guadalcanal, Midway, George Patton, Chester Nimitz, Eisenhower, The Desert Fox, etc etc.

But not many people realize that the Japanese did, in fact, attack American-owned soil beyond just Pearl Harbor: they launched balloon bombs at the Pacific Northwest, there is a large (though never completed) gun emplacement above San Francisco to guard the Golden Gate, the Japanese developed carrier subs to try to attack the Panama Canal, and there was a relatively long naval, ground, and air war around, in, and over the Aleutian Islands in Alaska – wherein the Japanese even occupied American soil for part of the war.

One weather report given during that campaign indicated that all aircraft were to be grounded because the crosswinds were near 100mph – and fog made visibility too low to take off, navigate, and land (fwiw, I don’t know how you get fog and 100mph winds – but it happens in the Bering Sea)!

Samantha Seiple’s book Ghosts in the Fog spends a little under 200 pages addressing the history of that story in a readily accessible format (aimed dominantly at the pre-teen/teen market). Characterized by an approachable and engaging series of narratives, it well describes this second ‘forgotten war’ in American history (some would say that the Spanish-American War was the first, and that the Korean War (third on my list) was “The Forgotten War” – but this aspect of WWII is certainly not well enough known). Covering a spectrum of intelligence, operations, and geographical data, Ms Seiple gives a solid showing in this work.

The Japanese first bombed Dutch Harbor – more commonly known in current pop culture as the base from which crabbing boats operate on Discovery’s Deadliest Catch – which surprised the theater commander, who believed that the cryptographic intercepts supplied to him were intentionally false messages on the part of the Japanese trying to lure him away from their real destination. Unfortunately for Admiral Theobald, and the natives and soldiers who called that part of the world home, the intelligence provided which indicated the Japanese were aiming at Dutch Harbor was correct – and he was hundreds of miles east and south of the region when they struck.

I hope more people become aware of this ‘forgotten’ aspect of World War II, as the lives of the airmen, sailors, and soldiers who fought and died (on both sides) should be remembered.