[39431] in Cypherpunks
Re: NYT on Netscape Crack
daemon@ATHENA.MIT.EDU (Mike McNally)
Tue Sep 19 08:41:43 1995
From: m5@dev.tivoli.com (Mike McNally)
Date: Tue, 19 Sep 1995 07:38:39 -0500
To: Eric Young <eay@mincom.oz.au>
Cc: cypherpunks@toad.com
In-Reply-To: <Pine.SOL.3.91.950919185921.17727B-100000@orb>
Eric Young writes:
> > Sigh. For your information the security code for 1.x versions of
> > netscape was not even written by someone from NCSA. The current
> > security team (which does not include the person who did the 1.x
> > version) also does not include anyone from NCSA. While I can't
>
> I will defend Netscapes code on the point about the RNG even though I
> have not seen any. I assume the Netscape code is quite large and each
> release would have to pass various fuctionality tests. How can you test
> that the RND seeding is wrong?
The seeding isn't "wrong"; it's a design flaw. (At least that's my
understanding; maybe I missed something.)
> You have to actually look at the code, the number coming out are
> still random.
Two words: "design review".
> This sort of error can only be checked by reading the code and
> specifically looking at critical routines like this the RNG seeding
> routines.
Uhh... OK. Sounds like a plan to me. For critical pieces of code
like that, having repeated exhaustive design/implementation reviews
should be a matter of course.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
