On the insecurity of math.random and it’s siblings

During code reviews we often see developers using weak RNGs like math.random() to generate cryptographic secrets. We think it is commonly known that weak random number generators (RNG) must not be used for any kind of secret and recommend using secure alternatives. I explicitly did not state a specific language yet, because basically every language offers both weak and strong RNGs.

So I asked myself: What if I use a weak RNG to generate a secret? Is it possible to recover the secret from some derived value, like a hash?

Continue reading “On the insecurity of math.random and it’s siblings”

Continue reading

Research Diary: IP-Cameras

As you probably know we perform research on a regular basis at ERNW. This post is the first entry on our – Benjamin’s and Pascal’s – research diary. You might already have seen Oliver’s post on setting up an research environment or Brian’s posts on IoT botnets (here and here). With that in mind we want to take a look at one of the market leaders for network camera equipment: AXIS.

Continue reading “Research Diary: IP-Cameras”

Continue reading

Solving sound issues when using WebEx with Linux and Firefox

Hello everybody,

Some of you might use WebEx in their daily life. And some of you might use Linux (as I and many of us do). However, this combination often results in issues with your PC’s sound or microphone use in a WebEx session.

The problem here is that WebEx won’t run as intended with Firefox and JRE x64. But the solution is quite easy! Use the x86-versions of each.

Probably you don’t want to replace your x64 versions of either of them — and neither do I. So I wrote a little script which helps you to quickly switch to the x86 versions, while you still have the x64 versions installed. And here is how to do it:

Continue reading “Solving sound issues when using WebEx with Linux and Firefox”

Continue reading