[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Netscape "random" number seed generator code available
[email protected] said:
> More on the RNG stuff. On Unix systems we look for ~/.pgp/
> randseed.bin, and feed it through the RNG hash. On Unix and PC
> systems we feed the environment through the hash, so that would be a
> good place for a concerned user to put some random stuff of their
> own.
For UNIX, including the environment is pretty useless for determining a seed.
On BSD-style machines, try a ps -uxeww. The environment is known by anyone who
has access to the machine when the seed is generated, and possibly to many
others, since some machines have SNMP daemons that will give out the process
table, or may have the systat "service" turned on.
The later two may not include the environment on most machines, but I believe
it concievably could, and may be implimentation specific from UNIX to UNIX.
I greatly applaud Netscape for "going public" with this information, and
remaining open to suggestions despite the bad publicity it has been getting.
One of the large corporations I work with is looking to do an electronic
commerce with some pretty amazing $ amounts soon (at least, amazing to me),
and I know I'm going to be asked about the security breaks. I feel confident
that I can tell them exactly what is wrong, and what Netscape is doing to fix
it, and that I don't think it should be a matter for great concern. I'm not
sure I could have done that had Netscape done nothing but issue the press
release and weather the bad press in silence.
Bob