[2301] in bugtraq
Re: Netscape problems (again)...
daemon@ATHENA.MIT.EDU (Frank Stuart)
Wed Oct 11 21:28:25 1995
Date: Wed, 11 Oct 1995 11:30:07 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Frank Stuart <fstuart@vetmed.auburn.edu>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
>I'm suprised someone else hasn't noticed this one.
>
>On the Netscape 1.12 and 2.0 info pages, it talks about how the RNG has
>been much improved. Among other things, it mentions that the truly
>paranoid can add stuff to their environment before starting Netscape, and
>since it uses the environment to help seed the RNG, this will improve
>security.
>
>On SunOS, at least, you can see the complete environment of ANY program
>running on the system... I use: ps -auxgwwwe
>
>Granted, that's not damning in itself, but it doesn't help much...
As I understand it, the environment variable in question is the name of
a file containing "random" data rather than the "random" data itself. So,
as long as no one else has read permission, or the environment variable is
set to an appropriate "/dev/random", this shouldn't help an attacker.
| (Douglas) Hofstadter's Law:
Frank Stuart | It always takes longer than you expect, even
fstuart@vetmed.auburn.edu | when you take into account Hofstadter's Law.
