[Mailman-Developers] Possible yahoogroups problem.

Barry Warsaw barry at python.org
Thu Jul 10 21:40:15 EDT 2003


On Thu, 2003-07-10 at 15:35, Paul Hoffman / IMC wrote:

> - Can random.random() run out of randomness? That is, if you bombard 
> the machine with requests that call random.random(), will it start 
> sending out predictable responses?

Any pseudo random number generator can, right?  Python 2.2's RNG has 45
bits of randomness, Python 2.3's 53 bits.  The latter uses the Mersenne
Twister algorithm which I'm told is the state of the art.

> - What is the granularity of the server's current time? If it is 
> "seconds", this becomes easily predictable to an attacker. Even if 
> it is "hundredths of seconds", that only means that the attacker has 
> to send one or two hundred attempts for each confirmation. Unless 
> Mailman notes "failed attempt to confirm a subscription", this could 
> be lost in the noise.

Depends on the server OS.  We probably only care about *nix systems, but
I'm sure there's variability even within that family.  On Linux, I
believe there is a 1us resolution for time.time() which uses
gettimeofday().

> - How many bits of the hash are used? I ask because many programs 
> that use hashes will not use the whole hash.

We use all 160 bits of the sha hash.

-Barry
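
Added example, not part of the original message and not Mailman's code: a sketch of the three points raised in this exchange. `legacy_token` is an assumed shape for a token hashed from the clock and `random.random()`, and `PendingConfirmations` is a hypothetical store; the block shows that the 160-bit digest is fully determined by its inputs, draws the token from the OS CSPRNG instead, and counts failed confirmations.

```python
import hashlib
import hmac
import random
import secrets


def legacy_token(now, rng):
    # Assumed construction: SHA-1 over the clock reading and one PRNG output.
    # The digest is 160 bits long, but it carries no more entropy than
    # `now` and `rng` together supply.
    material = "%.6f:%r" % (now, rng.random())
    return hashlib.sha1(material.encode("ascii")).hexdigest()


def hardened_token():
    # 160 bits drawn directly from the operating system's CSPRNG.
    return secrets.token_hex(20)


class PendingConfirmations:
    """Hypothetical store that counts failed confirmation attempts."""

    def __init__(self, max_failures=5):
        self.tokens = {}      # address -> expected token
        self.failures = {}    # address -> failed attempts so far
        self.max_failures = max_failures

    def issue(self, address):
        self.tokens[address] = hardened_token()
        self.failures[address] = 0
        return self.tokens[address]

    def confirm(self, address, presented):
        expected = self.tokens.get(address)
        if expected is None:
            return False
        if self.failures[address] >= self.max_failures:
            del self.tokens[address]      # locked out: the token is void
            return False
        # Constant-time comparison on bytes, so any str input is accepted.
        if hmac.compare_digest(expected.encode(), presented.encode()):
            del self.tokens[address]      # single use
            return True
        self.failures[address] += 1       # recorded, so guessing is visible
        return False
```

Two generators in the same state produce the same `legacy_token` for the same clock reading, which is why the size of the input space matters more than the digest length.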




