[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NYT on Netscape Crack




Eric Young writes:
 > >   Sigh.  For your information the security code for 1.x versions of
 > > netscape was not even written by someone from NCSA.  The current
 > > security team (which does not include the person who did the 1.x
 > > version) also does not include anyone from NCSA.  While I can't
 > 
 > I will defend Netscapes code on the point about the RNG even though I 
 > have not seen any.  I assume the Netscape code is quite large and each 
 > release would have to pass various fuctionality tests.  How can you test 
 > that the RND seeding is wrong?

The seeding isn't "wrong"; it's a design flaw.  (At least that's my
understanding; maybe I missed something.)

 > You have to actually look at the code, the  number coming out are
 > still random.

Two words: "design review".

 > This sort of error can only be checked by reading the code and
 > specifically looking at critical routines like this the RNG seeding
 > routines.

Uhh... OK.  Sounds like a plan to me.  For critical pieces of code
like that, having repeated exhaustive design/implementation reviews
should be a matter of course.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Nobody's going to listen to you if you just | Mike McNally ([email protected]) |
| stand there and flap your arms like a fish. | Tivoli Systems, Austin TX    |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~