20 May 2008

Random Fail

I just found a fairly amusing/depressing (depending on what OS you're using) article about how Windows sucks at generating random numbers. First, we might as well all take a moment to laugh at Debian, as has become the custom every time random number generation is mentioned:



Now that that's out of the way. It appears Windows too fails at randomness, and the test of it is actually really simple. The author of the source article wrote a short PHP script that sets each pixel of a generated image based on the results from the rand() function. Since PHP uses the system libraries for this, it's equivalent to testing the OS. I ran his script on two of my machines, one running LAMP and one WAMP. Guess which is which:





The worst part, and I'm not really clear if this is a PHP problem or Windows, is the image doesn't change under Windows. PHP is supposed to auto-seed the RNG (somehow), but on Windows the image doesn't change unless I add an explicit call to srand(). This doesn't fix the problem, but at least then I get different non-random images. I considered writing "Random Fail" over the one image, but I like the glaring wrongness by itself.
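The pixel-per-call test described above can also be scored numerically instead of by eye. This is an added example, not the source article's PHP script: `toy_lcg_bits` is a constructed weak generator (not PHP's or Windows' algorithm), and the function names and the 128x128 image size are assumptions made here.

```python
import os

WIDTH = HEIGHT = 128  # image size; constructed for this example

def toy_lcg_bits(seed, n, bit=6):
    """Constructed weak generator: 16-bit LCG, one low-order bit per call.
    Not PHP's or any OS's algorithm; bit k of such an LCG repeats every 2**(k+1) calls."""
    state, out = seed & 0xFFFF, []
    for _ in range(n):
        state = (state * 25173 + 13849) & 0xFFFF
        out.append((state >> bit) & 1)
    return out

def os_bits(n):
    """n bits from the operating system's CSPRNG."""
    raw = os.urandom((n + 7) // 8)
    return [(raw[i // 8] >> (i % 8)) & 1 for i in range(n)]

def strongest_lag(bits, max_lag):
    """Return (lag, match) where match is the fraction of positions i with
    bits[i] == bits[i + lag]. Ideal random bits give about 0.5 at every lag."""
    def match(lag):
        pairs = len(bits) - lag
        return sum(bits[i] == bits[i + lag] for i in range(pairs)) / pairs
    return max(((lag, match(lag)) for lag in range(1, max_lag + 1)),
               key=lambda item: item[1])

def to_pbm(bits, width=WIDTH):
    """Render the bits as a plain-text PBM (P1) image, one bit per pixel."""
    rows = [" ".join(map(str, bits[r:r + width])) for r in range(0, len(bits), width)]
    return f"P1\n{width} {len(rows)}\n" + "\n".join(rows) + "\n"

if __name__ == "__main__":
    n = WIDTH * HEIGHT
    for name, bits in (("toy LCG", toy_lcg_bits(1, n)), ("os.urandom", os_bits(n))):
        lag, score = strongest_lag(bits, 2 * WIDTH)
        print(f"{name:10s} strongest lag={lag:4d} match={score:.3f}")
        # Write the bitmap so the two images can be compared side by side.
        with open(name.replace(" ", "_").replace(".", "_") + ".pbm", "w") as fh:
            fh.write(to_pbm(bits))
```

A match of 1.0 at a lag equal to the image width means every row is a copy of the one above it, which is the kind of pattern that shows up as stripes in the bitmap.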

And this is one of the big differences between Windows and Linux. When the OpenSSH vulnerability came out -- and it really depresses me that it took 2 years for somebody to notice, especially with sites like GitHub noticing multiple users with the same SSH key. But anyway, when the OpenSSH vulnerability came out, I got about 6 updates over the next 24 hours, presumably 1 to fix the problem and 5 more to convince me they were sorry. I'm fairly sure this problem will never be fixed (I ran the WAMP test on Vista).

EDIT: There's a nice in-depth exploration of this on Codifies that looked through PHP's source code and determined this is actually PHP's fault, not Windows'. Nonetheless, I maintain that the above paragraph would be true if this were Windows' fault.
