The first criticism, while valid, is an anachronism as there wasn't Web Crypto when this RNG was written. The other criticisms are fully valid though and should at least make everyone do a double take whether this is fine for their needs or not.
> This is GRC's cryptographically strong PRNG (pseudo-random number generator)
Don't use it for security or crypto. A CSPRNG should not allow the internal state to be determined from observing the output. The hash function Mash() they use is not one-way and this break can reverse it. It does not provide prediction resistance or backtracking resistance.
The technical documentation claims stuff like that it disables bad sector allocation. That's actually a thing, but if you read the man page for some reputable software like hdparm you'll see a nice little note:
> Control of this feature via the -D option is not supported for most modern drives since ATA-4; thus this command may fail.
ATA-4 was standardized in 1998. It can probably actually disable write caching, but it's not like that's unique to SpinRite in the slightest. It's even trivial to change that on Windows which is otherwise horrible for anything low level involving disks. SpinRite doesn't even use LBA48 addressing so if your drive can't address the full capacity in ye olde CHS then too bad, but SpinRite will try to spin that as a problem with your BIOS, a problem with your SATA controller, etc.
I don't see why anyone respects anything he says given his long history of selling snake oil and other shyster tactics. Even the Wikipedia page for SpinRite looks astroturfed and the talk section has a bunch of responses from an unregistered user that all seem to have a similar tone and be suspiciously supportive of some of SpinRite's dubious claims.
If Steve Gibson told me that the sky was blue I think I'd have to go outside and check.
Here's an example of some hype I just found about a device he "invented" that is supposed to really put home routers through their paces, because he's the only one looking out for us. [1] Of course, it maybe doesn't exist, and his claims of what it's going to do sound far-fetched and misguided, but it sure does seem aimed to make him sound like a real security expert. Not sure if he ever made any claims about having evaluated any routers with it.
> Although mathematicians have been unable to determine how many different 26x26 [Latin] Squares can be created, they have been able to determine that the number is at least 9.337 x 10^426, or approximately 2^1418
Seems surprising that the number hasn't been calculated exactly. I'd have guessed it's a mechanically solvable but tedious combinatorics problem, but obviously not.
Also I'm curious how they generate the latin squares, their claims require a uniform distribution of some kind, which is interesting.
The problem is the entropy generation rate. A PRNG, even with a large state space, typically runs at 10 Gbit/sec or better. PCG with 256/64-bit could generate decent numbers at 50 Gbit/sec.
So if your argument is that you want a big entropy PRNG to get more possible outputs then the generation rate can't be the problem because that's entirely dependent on you being able to generate a big enough seed.
Computing the cryptographic hash of a 1536-bit counter will have better properties (and less handwaving) than this function.
Like, I'm thinking of e.g. the Cloudflare lava lamp thing, and like, isn't that better in every way?
So pseudo removes total dependency on physical events.
Why you don't want to be dependent on physical events:
- You never know if physical events are truly random unless you test them. Your physical RNG source may be broken or compromised.
- A good strategy is to use multiple physical sources of randomness, and this can be any number of things, including modern CPUs with RDRAND (if you trust them), USB attached devices, sampling ADC noise on your sound card, timing network events, etc. Any/all of that has to be combined somehow anyway. Getting data from some of these may be slow.
- So if an operating system needs random numbers quickly, for SSL key generation, UUIDs, nonces, etc. it should use properly seeded pseudorandom numbers.
The PRNG in the linked page isn't very good but in general PRNGs are super useful in the real world even if they aren't truly random, just so long as they have some source of entropy to occasionally mix into the PRNG.
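Putting the two ideas from the comments above into code, as an added example that is not from the thread and not GRC's code: a generator of the "hash a secret plus a counter" kind that the 1536-bit-counter comment describes, seeded by hashing several entropy sources together the way the list above suggests. It assumes SHA-256 as the one-way function; the source names, the ratchet step, the timing sample and the reseed step are illustrative choices of mine, not anything the commenters specified.

```python
# Added example for this thread, not code from GRC or from any commenter.
# Assumes SHA-256 as the one-way function; everything else (source names,
# the ratchet step, the timing sample) is an illustrative choice.
import hashlib
import os
import time


def gather_seed(sources):
    """Mix several (name, bytes) entropy sources into one 256-bit seed.

    Each field is length-prefixed so that two different source lists cannot
    hash to the same byte stream. Because the mix is a hash, a weak or even
    hostile source cannot cancel out a good one; the seed is at least as
    unpredictable as the best source in the list.
    """
    h = hashlib.sha256()
    for name, data in sources:
        name_b = name.encode()
        h.update(len(name_b).to_bytes(2, "big") + name_b)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def default_sources():
    """Illustrative source list: the OS pool plus a (weak) timing sample."""
    return [
        ("os.urandom", os.urandom(32)),
        ("perf_counter_ns", time.perf_counter_ns().to_bytes(8, "big")),
    ]


class HashCounterGenerator:
    """Output block i is SHA-256(key || counter_i).

    - Recovering `key` from outputs would require inverting SHA-256, which is
      exactly the property the thread says Mash() lacks.
    - ratchet() replaces key with SHA-256("ratchet" || key). Someone who later
      captures the state cannot walk it backwards, so earlier outputs stay
      secret (backtracking resistance).
    - reseed() folds fresh entropy in, so a captured state stops predicting
      future outputs once new entropy arrives (prediction resistance).
    """

    def __init__(self, seed: bytes):
        if len(seed) < 32:
            raise ValueError("seed must carry at least 256 bits")
        self.key = seed
        self.counter = 0

    def next_block(self) -> bytes:
        block = hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        return block

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += self.next_block()
        return bytes(out[:n])

    def ratchet(self) -> None:
        self.key = hashlib.sha256(b"ratchet" + self.key).digest()
        self.counter = 0

    def reseed(self, fresh: bytes) -> None:
        self.key = hashlib.sha256(b"reseed" + self.key + fresh).digest()
        self.counter = 0


def backtracking_demo(seed: bytes):
    """Show that a state captured after a ratchet does not reproduce earlier output.

    Returns (earlier_output, output_regenerated_from_captured_state).
    """
    victim = HashCounterGenerator(seed)
    earlier = victim.random_bytes(64)
    victim.ratchet()
    # Whoever copies the state now can only continue forward from here.
    captured = HashCounterGenerator(victim.key)
    return earlier, captured.random_bytes(64)


if __name__ == "__main__":
    seed = gather_seed(default_sources())
    gen = HashCounterGenerator(seed)
    print(gen.random_bytes(16).hex())
    a, b = backtracking_demo(seed)
    print("captured state reproduces earlier output:", a == b)
```

The generator only has the properties the CSPRNG comment asks for when the seed is secret and unpredictable, which is why the seeding step matters as much as the output function: hashing a counter with no secret in it produces a sequence anyone can recompute. The ratchet and reseed steps are what separate this from a plain hash-of-counter; a state copied after a ratchet continues the future sequence but cannot recover the 64 bytes emitted before it.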
> If you have a bug report, file it, my guess is that you don't.
This is extra hilarious in light of the fact that there have been plenty of bug reports against 6.0 reported well over a decade ago. Steve promised they'll be fixed in 6.1 which is totally coming out any day now.
I have yet to read anything that explains the haters that come out of the woodwork with the shit posts any time he pops up.
There are other tools, but it is not as important as it used to be.
At least. I remember finding his site back in 2004 and it felt long in the tooth then. Complete with blink tags.
He brought it up in 2001, the year XP was released[1]. Microsoft fixed it three years later in SP2. XP was EOL'ed in 2009[2].
[1] https://en.wikipedia.org/wiki/Steve_Gibson_(computer_program...
He only sells one product, Spin-Rite which actually works pretty well for its purpose, tho it’s becoming less important as we move more towards SSD.
It sounds like you’re spreading misinformation just for the hell of it.
[Side Note: He also once claimed in a "testimonial" that a special ops team recovered data off of a hard drive during a mission in which they hit a terrorist with a computer.]
That being said, he produces a free security podcast which is quite good. He knows his stuff.
While in principle this is true, I have been using hard drives for more than 30 years now in PCs and I have never had one fail. I still back things up to separate drives since there's always a first time, but I've never used SpinRite or any other extra "protection" over and above what my OS provided.
Most of it is just self-aggrandizing technobabble trying to appear authoritative and "educate" people on security issues with hilariously dumb content like the page that recommends checking Facebook's cert hash on his site before trusting it. His number one goal appears to be to convince people he is an "influential voice" in the security community (he uses that phrase to describe himself repeatedly). I just find it sad when I encounter people who buy it. Luckily, it mostly seems to appeal to a certain kind of misinformed enthusiast that I rarely encounter these days.
Note that this isn't to say all his info is bad. I particularly like stuff like his explanation of how NAT works. That's great content. If it wasn't mixed in with the chicken little snake oil stuff, I'd actually refer people to it.
https://www.backblaze.com/blog/backblaze-drive-stats-for-q3-...
Do keep in mind, however, that his entire reason for continuing to publicize this was because it allowed him to continue making foolish claims like "Microsoft Does Not Understand Security," and to pretend that the eventual restrictions (not removal) of raw sockets in XP were proof that he was right. They were not.
In fact, the entire issue was over his own misunderstanding of security. You can't secure a network by asking client operating systems to restrict their own behavior on some kind of honor system (guess what: the bad guys' computers will not have these restrictions). The use of raw sockets did not disappear and the internet still exists. The claim that this was "a tremendous threat to the global Internet" basically amounted to "the sky is falling and only I can see it because none of the other security experts 'get it' like I do." Which is entirely bogus.
Has he done anything of note since? I mean, other than the extremely timely spinrite podcast? Honest question; I browsed through the website and it still seems to be mostly filled with questionable security alarmism from the 200x era.
Shields Up is timeless, but doesn't do IPv6 and probably never will. There are some smaller apps that were done recently, less notably. Security Now podcast is ongoing.