Experiments with Randomness

In software, the amount of unpredictability that an operating system has collected from its surroundings is called entropy. I have recently been messing about with entropy on my Linux boxes. This happened because I was fiddling with https (SSL/TLS), and cryptography relies on a good source of random numbers. Those random numbers need to come from somewhere.

On most Linux machines, you can see how much entropy your system has by looking at the value in /proc/sys/kernel/random/entropy_avail.

If your machine runs low on entropy, anything that needs random numbers will either have to make do with a weaker source (and therefore be less secure) or will block until more entropy has been gathered (so things on your system might appear to slow down or hang).

So out of curiosity I decided to experiment with this. I took my CPU monitoring webserver and adapted it to watch the entropy available rather than the CPU use. If you're really interested, the code can be found on GitHub here.

NOTE: you probably won't want to install the entropy monitoring webserver on your machine, because you would not want to tell the outside world how much entropy your system has available. I am only using it for experimentation and learning.

But ... here are some experiments that I did:

  • Driver Activity

    On Linux, the system uses various sources of entropy. Some of the entropy comes from drivers, including the keyboard and mouse drivers. This is why a VM, or perhaps even a 'headless' machine, might struggle to generate good quality random numbers: it is unlikely to see the same type of driver activity. The following experiment demonstrated the effect of mouse movements on the amount of entropy available in a VM:

    You can see the entropy increasing much more rapidly when the mouse moves.

  • Process Activity

    Starting a process on Linux consumes entropy. So you can try running some commands in a terminal window to see the impact on your entropy:

    It's interesting to see the entropy drop as I'm running simple commands. I believe that a new process consumes entropy because it will use random numbers for the Address Space Layout Randomization.
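To repeat the two experiments above from a terminal rather than through the webserver, here is a small POSIX shell script (an added example, not the code from the GitHub repository): it reads /proc/sys/kernel/random/entropy_avail, prints the change caused by running a command, and can poll the pool while you move the mouse. The file path can be overridden so the functions also work on a machine without that /proc entry.

```shell
#!/bin/sh
# Added example: sample the kernel's entropy pool and measure how much a
# piece of activity adds to or removes from it. The kernel exposes the pool
# size in bits at the path below; another file can be passed in instead.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# read_entropy [FILE]: print the current entropy_avail value in bits,
# or -1 if the file cannot be read (for example on a non-Linux system).
read_entropy() {
  path="${1:-$ENTROPY_FILE}"
  if [ -r "$path" ]; then
    tr -d '[:space:]' < "$path"
  else
    echo -1
  fi
}

# entropy_delta BEFORE AFTER: signed change in bits (negative = consumed).
entropy_delta() {
  echo $(( $2 - $1 ))
}

# measure_activity FILE CMD...: run CMD and print "before after delta",
# which shows what starting processes costs the pool.
measure_activity() {
  file="$1"; shift
  before=$(read_entropy "$file")
  "$@" >/dev/null 2>&1
  after=$(read_entropy "$file")
  echo "$before $after $(entropy_delta "$before" "$after")"
}

# watch_entropy SECONDS COUNT: print a timestamped reading every SECONDS
# for COUNT samples, e.g. while wiggling the mouse inside a VM.
watch_entropy() {
  n=0
  while [ "$n" -lt "$2" ]; do
    printf '%s %s\n' "$(date +%T)" "$(read_entropy)"
    n=$((n + 1))
    sleep "$1"
  done
}

# Usage when saved and run as entropy_probe.sh: measure a handful of
# process start-ups, then watch the pool for ten seconds.
if [ "${0##*/}" = "entropy_probe.sh" ]; then
  measure_activity "$ENTROPY_FILE" sh -c 'ls /; ps; uname -a'
  watch_entropy 1 10
fi
```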

It was reasonably interesting to do those experiments. There is some useful further reading about random numbers and cryptography here. I also found some work that has been done locally here in Cambridge at this blog which was interesting ... and also involves the Raspberry Pi.

Using https with stunnel and ssl_wrapper

Whilst randomly wandering around GitHub a few weeks ago, I noticed ssl_wrapper, which I thought was interesting. Actually, I quite liked the idea of moving the https stuff into a separate module. It means that any vulnerabilities found in the SSL/TLS stuff could be patched without having to do anything to the actual web server. I am also a fan of the philosophy of smaller pieces of code which can be well tested independently. I suppose this is just the Unix philosophy. But whatever you call it, I liked the idea.

So I had a bit of a play with ssl_wrapper, and even forked the repository to make the basic instructions a bit easier for me to follow, including the creation of a certificate for testing.

So I tried it out by running my own CPU Monitoring webserver over an https connection. However, in Chrome, I noticed that Google considers it to be using 'obsolete cryptography', like this:

I know that Chrome says this about a lot of existing sites, but I thought that it would be a good idea to try and make that message go away. But so far, I have not managed to do that with ssl_wrapper. In the meantime, I have logged an issue on GitHub.

UPDATE: this has now been fixed (but not by me, by the original authors). You can use ssl_wrapper and Chrome will say you're using 'modern cryptography'.

But since I was now interested in all this stuff, I decided to go and look and see if there are alternatives. Indeed there are, and a good one is stunnel. On my Ubuntu box installing it was a breeze, like this:

sudo apt-get install stunnel4

NOTE: I found that it is sometimes important to refer to stunnel4 with the '4' at the end, because your machine might already have an older version.

I was able to take the same certificate I was using with ssl_wrapper and set it up in stunnel. But straight away I found that Chrome was happier, and declared that I was using modern cryptography, like this.

Nice! Another advantage of stunnel is that there has been more recent activity on maintaining the code, which is somewhat comforting.
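For reference, this is the shape of a stunnel4 configuration for the arrangement described above, with stunnel terminating TLS and forwarding plain http to the web server on the same machine. It is an added illustration, not the contents of the stunnel4_config repository; the certificate paths, the backend port (8080) and the user/group names are assumptions.

```ini
; Added example: stunnel4 terminating TLS in front of a plain-http server.
; Paths, ports and the stunnel4 user are assumptions; adjust to your setup.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
foreground = no

; Offer only TLS 1.2 with forward-secret (ECDHE) AEAD ciphers: TLS 1.2,
; ECDHE key exchange and an AEAD cipher are what Chrome treats as
; 'modern cryptography', so the 'obsolete cryptography' warning goes away.
sslVersion = TLSv1.2
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
options = NO_SSLv2
options = NO_SSLv3

[https]
; browsers connect here ...
accept = 443
; ... and stunnel hands the decrypted traffic to the web server, which
; then only needs to listen on the loopback interface
connect = 127.0.0.1:8080
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
```

On Debian and Ubuntu the stunnel4 service will not start until ENABLED=1 is set in /etc/default/stunnel4.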

So, I am now setting up a separate GitHub repository to help me to test stunnel on various Linux boxes (I have yet to try it on my Raspberry Pi, for example). It means I can be lazy and do this:

sudo apt-get install stunnel4
git clone https://github.com/davidsblog/stunnel4_config
cd stunnel4_config
sudo make

This is a pretty painless way to test it out on different machines.

FSV, or "this is a Unix System... I know this"

In this month's (June, issue 16) Linux Voice magazine, they mentioned that a 3D file system visualizer like the one used in the original Jurassic Park movie has been ported to modern Linux machines. It was just too tempting, so I went and tried it out. I managed to get it running on my laptop; this is how it looked:

That video clip was recorded in real time, so considering this was done on a 5-year-old laptop I was quite impressed. I was doing that on Elementary OS (Freya) and these were the commands (I hope that I noted them all down correctly):

git clone https://github.com/mcuelenaere/fsv
sudo apt-get install autogen
sudo apt-get install autoconf
sudo apt-get install libtool
sudo apt-get update
sudo apt-get install libgtk2.0-dev libgl1-mesa-dev libgtkgl2.0-dev
sudo apt-get install libglu1-mesa-dev
cd fsv
sudo make install

Then you should find the fsv program in your /usr/local/bin directory. You just need to run it.

Although in the end, it was not really as exciting as I expected ... (perhaps that's because there weren't any Velociraptors) but it was a cool thing to do. Apparently, the version used in the Jurassic Park movie was called FSN and was made for IRIX systems.

Supracafe in Santa Cruz de La Palma

Well, it would not be unusual for me to mention a good place to get coffee in the Canary Islands. We've recently returned from the island of La Palma, which is a fantastic place. We were walking along the main street of the capital, Santa Cruz, and noticed this place called 'Supracafe' (on Calle O'Daly, the main shopping street):

It looked tempting, and the views were pretty nice:

Anyway, we had coffee and cake ... and it was the best:

If you go there, then we'd recommend it. You can recognise the cafe by the mural on their wall:

Both the cake and the coffee were delicious. The coffee was like a mini Flat White or a large Cortado. The Chocolate cake contained a fantastic chocolate and hazelnut mousse and was not too heavy despite the fact that we were given a massive slice.

Apart from that, it was just nice to sit on the street, take a break and watch the world go by...