(littlemaninmyhead.wordpress.com)

108 points rurban | 1 comments | 31 Aug 25 18:49 UTC | HN request time: 0s | source

Show context

NooneAtAll3 ◴[04 Sep 25 13:02 UTC] No.45126799[source]▶

looking at the CVE report itself, Math.random() not being crypto-level seems to be known? - and vulnerability comes from Node.js using it for some crypto purpose

so OP simply did a good exercise for himself recreating exact weakness of it

replies(1): >>45126831 #

tptacek ◴[04 Sep 25 13:06 UTC] No.45126831[source]▶

>>45126799 #

No, the post takes the attack from 5 observations down to 3.

replies(1): >>45141945 #

NooneAtAll3 ◴[05 Sep 25 18:29 UTC] No.45141945[source]▶

>>45126831 #

no, the post takes a shoddy quickly-made implementation of an attack and improves it to its own better implementation of an attack

neither are professional frontline research, because said frontline work has already been done long loong ago when Xorshift was popularized and definitely when it became javascript's *default* rng

this is recreational cryptography, don't over-present it

replies(3): >>45143051 #>>45146945 #>>45148015 #

1. tptacek ◴[05 Sep 25 20:09 UTC] No.45143051[source]▶

>>45141945 #

Please tell me more about what does and doesn't qualify as recreational cryptography.

↑

Inverting the Xorshift128 random number generator