[39713] in Cypherpunks
Re: NSA and Netscape Crack
daemon@ATHENA.MIT.EDU (Jeff Weinstein)
Thu Sep 21 01:07:15 1995
To: cypherpunks@toad.com
From: jsw@neon.netscape.com (Jeff Weinstein)
Date: 21 Sep 1995 05:04:58 GMT
In article <ac85fa9f010210046fb1@DialupEudora>, norm@netcom.com (Norman Hardy) writes:
> At 3:46 PM 9/19/95, Jim Ray wrote:
> ....
> >I don't expect to know NSA's specific brute-force capability, but
> >does anyone know if the NSA has *ever* found a glaring weakness in
> >software and then told its author(s) or owner(s) about it? Do "we"
> >perform the "COMSEC" role Tim was speaking of better than the NSA?
> >JMR
> ....
> Once upon a time NSA would find weeknesses in friends' crypto systems and
> tell them about it -- depending, of course, on the situation. It was a
> reciprocal practice. We don't know that NSA didn't tell Netscape.
As far as I know the NSA did not tell Netscape anything about this
RNG vulnerability. If they had we would have fixed it immediately and
put up a patch. Believe it or not we don't like being trashed for
being stupid all over the net, print media, and TV. As far as I know
the NSA have not given us any advice about how to make our system
stronger. I've heard rumors that they were quite upset when they
learned that SSLs 40-bit RC4 was actually 40-bit secret and 88-bit salt.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
