Leaderboard


Popular Content

Showing content with the highest reputation on 10/25/20 in all areas

  1. I have been using WordPress for this blog for several years and always thought my setup was reasonably secure. Turns out that there is something called the WordPress REST API which allows one to get quite a lot of information about the installation without any security at all. Read on in the blog post.
  2. Anyone know how to detect a specific update version in compiler defines? I'm already doing

        {$IF CompilerVersion >= 25.0}

    but I need to detect compiling under 10.2.2 vs 10.2.3 etc.
  3. You are right. The code I posted in this thread is indeed useless. You can't trust RDRAND to return some random values. It was a bad idea. It is never used as the unique source of entropy in mORMot. Just as part of a lot of entropy gathering. Here is the documentation of mORMot about the initialization of our cryptographic AES-based PRNG:

        /// retrieve some entropy bytes from the Operating System
        // - entropy comes from CryptGenRandom API on Windows, and /dev/urandom or
        // /dev/random on Linux/POSIX
        // - this system-supplied entropy is then XORed with the output of a SHA-3
        // cryptographic SHAKE-256 generator in XOF mode, of several entropy sources
        // (timestamp, thread and system information, SynCommons.Random32 function)
        // unless SystemOnly is TRUE
        // - depending on the system, entropy may not be true randomness: if you need
        // some truly random values, use TAESPRNG.Main.FillRandom() or TAESPRNG.Fill()
        // methods, NOT this class function (which will be much slower, BTW)
        class function GetEntropy(Len: integer; SystemOnly: boolean=false): RawByteString; virtual;

    https://github.com/synopse/mORMot/blob/ecc375adc96e5b78d63dd58a88418874a0f622d8/SynCrypto.pas#L1114

    And about RDRAND, when mORMot checks the CPUID, it also runs RDRAND and if it fails to return random values, it unsets its internal flag, and it will never be used, and not used as entropy. It is even worse on AMD, which can have CF=1 but always return 0 or -1 !!! So in practice, mORMot seems to follow your wise suggestions. My answer in this thread, and my RDRAND use, was confusing, for sure. 🙂
  4. I don't see how enabling basic authentication would make the web site more secure. The password is sent as plain text in the headers, just base-64 encoded, so there is no benefit. If just adding a password would make something more secure... it would have been used everywhere. The best security advice, which is not in your blog post, is to maintain your WP installation up-to-date, with all the security fixes.
  5. Guess what? The new GExperts release is here. There are lots of bug fixes and a few new features in the new version. https://blog.dummzeuch.de/2020/10/23/gexperts-1-3-17-experimental-twm-2020-10-23-released/
  6. David Heffernan

    IPropertyStore

    You don't need to call Release in Delphi code. The compiler manages that for you.
  7. Most of them. You're scaling a 31-bit integer value in the approximate range 0..X-1 to the range 0..2^64-1.

    A lot of things weren't mentioned. For example here's my solution which satisfies all the criteria that were mentioned: The result is 64-bit unsigned. It's cross platform. It compiles with FPC. It's random (for a large enough sample size). And as a bonus it's super fast.

        function SuperRandom: UInt64;
        begin
          Result := 1;
        end;

    (sorry - it's Friday)