Month: January 2006

Microsoft: Only signed drivers for Windows Vista x64

According to this Microsoft page and this Golem-Article (German), Microsoft is going to make driver signatures from Microsoft mandatory for any driver running in kernel space in Windows Vista x64. They claim security reason for this.While (faulty) drivers definitely can lead to serious (security) problems under Windows, they sometimes fulfill cruitial parts, especially in windows file system monitoring, for which there are many legitimate reasons. Having to go through the WHQL for every driver (and every minor patch) seems a little costly and time consuming to me…

Well, after all, for me it seems to be three things:

  • Additional money through additional drivers going through WHQL,
  • Anti Open-Source projects,
  • Building up the infrastructure for an (almost unbreakable) Digital Rights Management system.

Update 2007-01-23: I have to revise most points of this, as I now learned something new about it. Vista x64 will accept digitally signed drivers, but they do not necessarily be signed by Microsoft. Read more in my updated article.

Out of /dev/random?

Ever happened to run out of random numbers?

Well, if you are using Apache together with mod_ssl you can easily run into the situation that after starting up Apache, requests to it will block up to several minutes or time out. This happenes, if Apache is configured to use /dev/random as a source for random numbers which are required in the initialisation of mod_ssl and similar, if you have to few entropy information left for the generation of more secure random numbers.
As suggested in a Gentoo Forums article, you can emerge the tool sys-apps/rng-tools, which provides you with rngd, a daemon collecting entropy from hardware random number generators and feeds /dev/random with this data.

If you happen (like me) to not having a hardware random number generator on your server’s mainbord, rngd will use /dev/urandom as a source of entropy and mix it with entropy collected from your system. While this will indeed result in a certain drop of “randomness” of /dev/random, it still has major advantages by reducing the startup time of apache to several seconds, as /dev/random will not block any more.

Don’t forget to add rngd to your server’s default runlevel (rc-update add rngd default).