The first criticism, while valid, is an anachronism as there wasn't Web Crypto when this RNG was written. The other criticisms are fully valid though and should at least make everyone do a double take whether this is fine for their needs or not.
It is snake oil crypto. It is not safe for cryptographic use. I didn't see them claim that it can be used for cryptographic use on OP's page but they do claim it is a CSPRNG in the header in their js implementation: https://www.grc.com/js/uheprng.js
>This is GRC's cryptographically strong PRNG (pseudo-random number generator)
Don't use it for security or crypto. A CSPRNG should not allow the internal state to be determined from observing the output. The hash function Mash() they use is not one-way and this break can reverse it. It does not provide prediction resistance or backtracking resistance.
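To make the properties named above concrete, here is an added illustration (my own toy code, not GRC's uheprng.js or its Mash() function): a generator whose output is its entire state, so one observed value fixes every later value, next to a hash ratchet in which the output and the next state are two different one-way hashes of the current state, so an observed output reveals neither the state that produced it nor any earlier state. The generator parameters and seeds are constructed for the example.

```python
import hashlib


# Toy generator, constructed for this example: its output IS its whole state
# (one 32-bit linear congruential step), so anyone who sees a single output
# can clone the generator. This is exactly what a CSPRNG must not allow.
class ExposedStatePRNG:
    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def next(self):
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        return self.state


# Hash ratchet, constructed for this example (not the page's RNG): the output and
# the next state are separate one-way hashes of the current state. Seeing an
# output does not give the state, and a later state does not give earlier states
# (backtracking resistance). Prediction resistance still needs periodic reseeding.
class HashRatchetPRNG:
    def __init__(self, seed):
        self.state = hashlib.sha256(b"seed|" + seed).digest()

    def next(self):
        out = hashlib.sha256(b"out|" + self.state).digest()
        self.state = hashlib.sha256(b"next|" + self.state).digest()  # ratchet forward
        return out


def predict_from_one_output(observed, n):
    """Reviewer's check for the exposed-state toy: set a fresh generator's state
    to one observed output and list the next n values it will produce."""
    clone = ExposedStatePRNG(0)
    clone.state = observed  # output == state, so the clone is now in sync
    return [clone.next() for _ in range(n)]


def exposed_state_is_predictable(seed=12345, n=5):
    """True if the clone built from one output matches the real generator."""
    gen = ExposedStatePRNG(seed)
    first = gen.next()
    return predict_from_one_output(first, n) == [gen.next() for _ in range(n)]


def ratchet_output_hides_state(seed=b"constructed seed", n=5):
    """The same trick against the ratchet: the only thing an observer has is the
    output, and loading it as the state never re-synchronises with the real one."""
    gen = HashRatchetPRNG(seed)
    first = gen.next()
    guess = HashRatchetPRNG(b"")
    guess.state = first  # best available guess: the observed output
    real = [gen.next() for _ in range(n)]
    guessed = [guess.next() for _ in range(n)]
    return all(g != r for g, r in zip(guessed, real))


if __name__ == "__main__":
    print("exposed-state toy predictable:", exposed_state_is_predictable())
    print("hash ratchet hides state:     ", ratchet_output_hides_state())
```

The two checks are the ones to run in your head when a page calls something a CSPRNG: can a single output be turned into the generator's state, and does the state update run only forward? Real code should still reach for the platform CSPRNG (`secrets` / `os.urandom` in Python, Web Crypto in a browser) rather than hand-rolling even a sound ratchet.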
Forget "ShieldsUp!" This is the guy who still sells SpinRite for $90 when it hasn't seen an update since 2004. It's old enough to vote at this point and Steve Gibson is always spouting off blatant lies about how it's great for recovering SSDs. He's claimed that it can magically read uncorrectable sectors on modern drives (SATA, not SAS, no SCSI READ LONG here and no ancient IDE drives that still supported READ LONG for ATA) and compare results to figure out what the original data was. He claims that it's data recovery software and that people should run it on a failing hard drive before trying to copy data off of it with a real data recovery program! That piece of garbage doesn't even support writing data to a separate disk, the only thing it can do is write the data the drive was able to read back to the failing drive itself.
The technical documentation claims stuff like that it disables bad sector allocation. That's actually a thing, but if you read the man page for some reputable software like hdparm you'll see a nice little note:
> Control of this feature via the -D option is not supported for most modern drives since ATA-4; thus this command may fail.
ATA-4 was standardized in 1998. It can probably actually disable write caching, but it's not like that's unique to SpinRite in the slightest. It's even trivial to change that on Windows which is otherwise horrible for anything low level involving disks. SpinRite doesn't even use LBA48 addressing so if your drive can't address the full capacity in ye olde CHS then too bad, but SpinRite will try to spin that as a problem with your BIOS, a problem with your SATA controller, etc.
I don't see why anyone respects anything he says given his long history of selling snake oil and other shyster tactics. Even the Wikipedia page for SpinRite looks astroturfed and the talk section has a bunch of responses from an unregistered user that all seem to have a similar tone and be suspiciously supportive of some of SpinRite's dubious claims.
If Steve Gibson told me that the sky was blue I think I'd have to go outside and check.
Doesn't sound like you have used Spinrite, but if you don't think it's worth the money don't buy it. Not sure what makes you think a developer has to reduce the price of their software, just because it's old. Adobe has done no such thing. The software still does what it did when it was first made. If you have a bug report, file it, my guess is that you don't.
And I doubt you've ever bought the Brooklyn Bridge but that doesn't mean you can't call out the con artist trying to sell it. The price of the snake oil isn't the problem. The problem is that he's scamming people out of money making a bunch of claims that fundamentally do not apply to modern drives. If you have a MFM hard drive that still spins after all this time and you want to do whatever low level interleave Spinrite supports on it then sure, it probably works just as well as it did back when that hardware didn't qualify as antique. Most people getting suckered into buying Spinrite aren't going to have anything that ancient and for what Spinrite can actually do on somewhat modern drives, you might as well just use ddrescue, it'll do a better job.
> If you have a bug report, file it, my guess is that you don't.
This is extra hilarious in light of the fact that there have been plenty of bug reports against 6.0 reported well over a decade ago. Steve promised they'll be fixed in 6.1 which is totally coming out any day now.
I don't know if there's anything wrong with Shieldsup (other than my recollection of it being a pretty run of the mill tool for reporting open ports), but the guy who makes Shieldsup is, in my opinion, basically a charlatan. He writes loads and loads of technical-sounding blather on his website that is very transparently designed to make him look like an expert on security to people who don't know any better. He's made a career out of selling tools people don't need but which are hyped up to make them sound critically important.
Here's an example of some hype I just found about a device he "invented" that is supposed to really put home routers through their paces, because he's the only one looking out for us. [1] Of course, it maybe doesn't exist, and his claims of what it's going to do sound far-fetched and misguided, but it sure does seem aimed to make him sound like a real security expert. Not sure if he ever made any claims about having evaluated any routers with it.
I feel like what you're describing is just marketing, in the sense of exaggerating the necessity of a product that works but which you really can do without. Or do you mean Gibson's products don't really work?
Sure, it's "just marketing," but it's particularly egregious marketing because it relies heavily on fear and borderline lies about his expertise. And he puts out baloney like the "CSPRNG" in the OP that's not even sound. You may note that it's been 5 years since he was notified of the flaws in it, but it's still promoted in exactly the same irresponsible way.
One of his most infamous crusades was how he yelled about Windows XP raw sockets -- a fake problem that he hyped up as if the sky was falling -- well after Windows XP was EOL'd.
My apologies for misstating this. According to the internet archive, he stopped complaining about this problem sometime in 2008, a mere four years after the raw sockets restrictions were added to XP.
Do keep in mind, however, that his entire reason for continuing to publicize this was because it allowed him to continue making foolish claims like "Microsoft Does Not Understand Security," and to pretend that the eventual restrictions (not removal) of raw sockets in XP were proof that he was right. They were not.
In fact, the entire issue was over his own misunderstanding of security. You can't secure a network by asking client operating systems to restrict their own behavior on some kind of honor system (guess what: the bad guys' computers will not have these restrictions). The use of raw sockets did not disappear and the internet still exists. The claim that this was "a tremendous threat to the global Internet" basically amounted to "the sky is falling and only I can see it because none of the other security experts 'get it' like I do." Which is entirely bogus.
I always imagine all the Gibson haters are still stuck on this drama from the XP days. Not sure why it was so polarizing, but for what it's worth I don't think "Microsoft understands security." It's not any one person or one thing, it's the culture. It's the laissez-faire attitude. It's the lack of investment. And the ubiquity of their software compounds all of it.
> I always imagine all the Gibson haters are still stuck on this drama from the XP days.
Has he done anything of note since? I mean, other than the extremely timely spinrite podcast? Honest question; I browsed through the website and it still seems to be mostly filled with questionable security alarmism from the 200x era.
SQRL and SpinRite are current, and his main works. SpinRite has a new version on the horizon supporting UEFI.
Shields Up is timeless, but doesn't do IPv6 and probably never will. There are some smaller apps that were done recently, less notably. Security Now podcast is ongoing.
I've always been curious why people so fervently dislike Gibson. I think the most genuine criticism is that Spin-Rite is not a backup solution and people may rely on it as such. Ideally, no one should need it since all data should be replicated and backed up. Any drive can fail at any time for any reason and it may be totally unrecoverable.
[Side Note: He also once claimed in a "testimonial" that a special ops team recovered data off of a hard drive during a mission in which they hit a terrorist with a computer.]
That being said, he produces a free security podcast which is quite good. He knows his stuff.
> Any drive can fail at any time for any reason and it may be totally unrecoverable.
While in principle this is true, I have been using hard drives for more than 30 years now in PCs and I have never had one fail. I still back things up to separate drives since there's always a first time, but I've never used SpinRite or any other extra "protection" over and above what my OS provided.
There are stats on failure rates and bathtub curves. Consumer hard drives these days have an AFR of ~1.41%. Never used SpinRite and I don't know if there is evidence for it but I suggest you backup your data.
The podcast is great. Provides great information and is more than happy to provide corrections when someone calls him on it. Takes a very scientific approach to issues.
I agree. Not sure why all the hate. I’ve used SpinRite to recover some bad drives of mine and friends/family over the years and it’s worked quite well. Had one Windows box that was failing to boot before the login screen, ran SpinRite and it found / fixed some issues. Rebooted and the machine was fine. At least fine enough to copy everything to a new drive and ditch the old one. Haven’t tried it on an SSD though.
You can take or leave the relevance of this "old" information, but there are dozens of pages on his current website that speak for themselves.
Most of it is just self-aggrandizing technobabble trying to appear authoritative and "educate" people on security issues with hilariously dumb content like the page that recommends checking Facebook's cert hash on his site before trusting it. His number one goal appears to be to convince people he is an "influential voice" in the security community (he uses that phrase to describe himself repeatedly). I just find it sad when I encounter people who buy it. Luckily, it mostly seems to appeal to a certain kind of misinformed enthusiast that I rarely encounter these days.
Note that this isn't to say all his info is bad. I particularly like stuff like his explanation of how NAT works. That's great content. If it wasn't mixed in with the chicken little snake oil stuff, I'd actually refer people to it.
Yep, that's what it does. A person can just use whatever DNS is provided by their ISP, which is the fastest in some cases. Or they can test and find out for sure.
Sorry to belabor something lots of readers already know: The long key may (or may not) be packed with entropy. But a pseudo-random number generator at best preserves the entropy in the key.
Very well put and worth reinforcing by thinking of PRNGs as entropy reduction functions on the original seeds, that ideally lose as little entropy as possible per generation cycle.
> Latin Squares are ‘n’x‘n’ grids containing exactly one of each of ‘n’ symbols in every horizontal row and vertical column [...]
> Although mathematicians have been unable to determine how many different 26x26 [Latin] Squares can be created, they have been able to determine that the number is at least 9.337 x 10^426, or approximately 2^1418
Seems surprising that the number hasn't been calculated exactly. I'd have guessed it's a mechanically solvable but tedious combinatorics problem, but obviously not.
It’s mechanically solvable but not in any practical timescale. A naive approach would be to check every square with no repeats in the rows, which requires (26!)^26 attempts, or roughly 5e691. Obviously you can improve that by exploiting symmetry, shifts, etc, but that only gets you a few orders of magnitude. There are much cleverer techniques, but when your baseline is so ludicrously impossible you need a real breakthrough to make any progress.
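As an added illustration of the numbers in this exchange (my own code, not from the page or from GRC): a backtracking counter that enumerates Latin squares exactly for small n, where the known counts are 1, 2, 12 and 576 for n = 1..4, next to the size of the naive (26!)^26 search space and the log2 of the quoted 9.337 x 10^426 lower bound. Python's `math.log2`/`math.log10` accept arbitrary-size ints, so the big numbers need no floating point of their own.

```python
import math
from itertools import permutations


def count_latin_squares(n):
    """Count every n x n Latin square: fill the grid row by row with permutations
    of the n symbols and backtrack as soon as a column would repeat a symbol.
    Exact, but the search grows far faster than exponentially in n (constructed example)."""
    rows = []

    def compatible(candidate):
        # A new row may not put a symbol in a column that already holds it.
        return all(a != b for row in rows for a, b in zip(row, candidate))

    def extend():
        if len(rows) == n:
            return 1
        total = 0
        for perm in permutations(range(n)):
            if compatible(perm):
                rows.append(perm)
                total += extend()
                rows.pop()
        return total

    return extend()


def naive_search_space(n):
    """The baseline from the comment: choose n rows, each any of n! permutations,
    before any column check, i.e. (n!)^n candidates."""
    return math.factorial(n) ** n


# The lower bound quoted from the page for 26x26 squares: 9.337 x 10^426, as an int.
LOWER_BOUND_26 = 9337 * 10 ** 423


def log10_naive_search_space(n):
    """Decimal exponent of (n!)^n; for n = 26 this is ~691.7, i.e. ~5e691."""
    return math.log10(naive_search_space(n))


def log2_lower_bound_26():
    """Binary exponent of the quoted lower bound; ~1418, matching the page's 2^1418."""
    return math.log2(LOWER_BOUND_26)


if __name__ == "__main__":
    for n in range(1, 5):
        print(n, "x", n, "Latin squares:", count_latin_squares(n))
    print("(26!)^26 ~ 10^%.1f" % log10_naive_search_space(26))
    print("lower bound ~ 2^%.1f" % log2_lower_bound_26())
```

Running the exact counter for n = 5 already takes noticeably longer in pure Python (the answer is 161280), which is the practical version of the point above: the method is mechanical, the timescale is not.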
Something about using a PRNG with a large internal state just to generate an output in a large space of possibilities feels wrong to me. If you have enough entropy to fill a high entropy RNG, why not use all that entropy to generate the output in the first place?
Also I'm curious how they generate the latin squares, their claims require a uniform distribution of some kind, which is interesting.
The issue is that you cannot directly pick one of the outputs using the entropy, you have to use some kind of probabilistic algorithm to traverse the state space and find valid output. When the PRNG's cycle is smaller than the output space then the output distribution is obviously non-uniform. This might seem like an inconsequential observation with a CSPRNG, but depending on how exactly the state traversal works, such constructions can have real output spaces that are several orders of magnitude smaller than the cycle of the used RNG (to the extent that when used with a (CS)PRNG with 128b state the output bias is observable from a practical amount of outputs).
> If you have enough entropy to fill a high entropy RNG, why not use all that entropy to generate the output in the first place?
Problem is the entropy generation rate. A PRNG, even with a large state space, typically runs at 10 Gbit/sec or better. PCG with 256/64bit could generate decent numbers at 50 Gbit/sec.
That's not entropy that is data. You fundamentally can't increase entropy, hence why they wanted to use a PRNG with a big internal state so they can put more entropy in.
So if your argument is that you want a big entropy PRNG to get more possible outputs then the generation rate can't be the problem because that's entirely dependent on you being able to generate a big enough seed.
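The bound both sides of this subthread are circling (a generator cannot emit more distinct outputs than it has distinct seeds or states, so an output space larger than that is sampled non-uniformly, and no generation rate changes that) can be shown directly. This is an added example of mine, not code from the page: it enumerates every 12-bit seed, shuffles 7 items with Python's `random.Random` (Mersenne Twister, standing in for any PRNG), and counts how many of the 7! = 5040 orderings can ever appear. It also shows the same arithmetic for the classic 52-card case.

```python
import math
import random


def reachable_orderings(n_items, seed_bits):
    """Seed a PRNG with every value of a seed_bits-bit seed space, shuffle n_items
    once per seed, and collect the distinct orderings that can ever come out.
    Whatever the generator's internal state size, at most 2**seed_bits orderings
    are reachable, because only that many bits of entropy went in (constructed example)."""
    items = list(range(n_items))
    reachable = set()
    for seed in range(1 << seed_bits):
        rng = random.Random(seed)
        deck = items[:]
        rng.shuffle(deck)
        reachable.add(tuple(deck))
    return reachable


def coverage_report(n_items=7, seed_bits=12):
    """How much of the output space a small seed can cover at all."""
    total = math.factorial(n_items)  # 5040 orderings of 7 items
    reachable = reachable_orderings(n_items, seed_bits)
    return {
        "orderings": total,
        "seeds": 1 << seed_bits,
        "reachable": len(reachable),
        "unreachable": total - len(reachable),
    }


def bits_needed_for_orderings(n_items):
    """log2(n_items!) = the entropy a seed must carry for every ordering to be
    reachable at all; 52 cards need ~226 bits, far more than a 32- or 64-bit seed."""
    return math.log2(math.factorial(n_items))


if __name__ == "__main__":
    report = coverage_report()
    print(report)
    print("bits for all 52-card shuffles: %.1f" % bits_needed_for_orderings(52))
```

With 4096 seeds and 5040 orderings, at least 944 orderings can never be produced, and the ones that are produced are not equally likely either, since several seeds can land on the same ordering. Scale that up and it is the comment's point exactly: a 32-bit seed cannot reach more than 2^32 of the 2^226 possible deck orders, no matter how fast the generator runs.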
Pure software can't actually generate mathematically-provable random numbers unless given purely random data to start with.
So pseudo removes total dependency on physical events.
Why you don't want to be dependent on physical events:
- You never know if physical events are truly random unless you test them. Your physical RNG source may be broken or compromised.
- A good strategy is to use multiple physical sources of randomness, and this can be any number of things, including modern CPUs with RDRAND (if you trust them), USB attached devices, sampling ADC noise on your sound card, timing network events, etc. Any/all of that has to be combined somehow anyway. Getting data from some of these may be slow.
- So if an operating system needs random numbers quickly, for SSL key generation, UUIDs, nonces, etc. it should use properly seeded pseudorandom numbers.
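The three bullets above describe a pool: several sources of uncertain quality, combined somehow, feeding a fast generator. An added example (my own code, not any operating system's actual pool) of the combining step and of why it protects against one broken source: each source is length-prefixed and hashed into a 32-byte seed, and the seed is then expanded with HMAC in counter mode so that fast consumers never touch the slow sources again. The source names and samples are constructed; the "rdrand" sample is deliberately stuck at zeros to model a broken or untrusted source.

```python
import hashlib
import hmac


def mix_entropy_sources(sources):
    """Combine (name, sample) pairs into one 32-byte seed. Every field is
    length-prefixed before hashing so that different splits of the same bytes
    cannot collide to the same seed (constructed example, not an OS pool)."""
    h = hashlib.sha256()
    for name, data in sources:
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def expand_seed(seed, nbytes):
    """Stretch a mixed seed into nbytes of output with HMAC-SHA256 in counter
    mode (HKDF-expand style); this is the 'properly seeded' fast path."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


# Constructed stand-ins for the sources listed above. A real pool would read
# hardware; here "rdrand" is modelled as a broken source that only returns zeros.
BROKEN_RDRAND = b"\x00" * 32
SAMPLE_SOURCES_A = [
    (b"rdrand", BROKEN_RDRAND),
    (b"adc-noise", bytes(range(32))),
    (b"net-timing", b"\x07\x13\x2a"),
]
SAMPLE_SOURCES_B = [
    (b"rdrand", BROKEN_RDRAND),
    (b"adc-noise", bytes(range(1, 33))),  # only this source changed
    (b"net-timing", b"\x07\x13\x2a"),
]


def broken_source_does_not_poison_pool():
    """As long as one source still varies, the seeds differ even though the
    first source is stuck at zeros."""
    return mix_entropy_sources(SAMPLE_SOURCES_A) != mix_entropy_sources(SAMPLE_SOURCES_B)


def all_sources_broken_gives_constant_seed():
    """The failure mode the first bullet warns about: if every source is broken,
    the pool is deterministic, which is why sources must be tested, not trusted."""
    only_broken = [(b"rdrand", BROKEN_RDRAND)]
    return mix_entropy_sources(only_broken) == mix_entropy_sources(only_broken)


def length_prefix_prevents_split_collisions():
    """Without length prefixes, ab|c and a|bc would hash identically."""
    return mix_entropy_sources([(b"s", b"ab"), (b"s", b"c")]) != mix_entropy_sources(
        [(b"s", b"a"), (b"s", b"bc")]
    )


if __name__ == "__main__":
    seed = mix_entropy_sources(SAMPLE_SOURCES_A)
    print("seed:", seed.hex())
    print("first 16 output bytes:", expand_seed(seed, 16).hex())
    print("broken source tolerated:", broken_source_does_not_poison_pool())
```

The design point is that mixing is only as good as the best source in the pool, not the worst, which is the argument for combining several rather than trusting one; the expansion step is what lets the OS hand out keys and nonces at PRNG speed while the slow sources top the pool up in the background.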
I'd also emphasise that fortunately most modern cryptography (outside of one time pads) does not rely on truly random numbers. So long as the sequence is unpredictable enough it's fine (i.e. you can't use known values to more reliably guess unknown values).
The PRNG in the linked page isn't very good but in general PRNGs are super useful in the real world even if they aren't truly random, just so long as they have some source of entropy to occasionally mix into the PRNG.
I welcome the opportunity to be enlightened. I can see people are mad about something, but usually that's the extent of it. Someone complained that there are no discounts on spinrite, even though it's old. Some people talk about how much salt you take Steve's words with.
I have yet to read anything that explains the haters that come out of the woodwork with the shit posts any time he pops up.