[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: netscape bug



In article <[email protected]> you write:
> 
> none of the articles mention that the cracker must have login access
> to the computer that the random numbers are generated on. is this true?
> does the code require knowledge of the PID etc. that can only be obtained
> by a login to the system that the netscape session is running on?
> 

No, the time, pid, and ppid often leak to a remote adversary too.
The attack probably requires a bit more sophistication when the
cracker doesn't have login access, but I believe it's still possible.

See my recent post to sci.crypt for some comments from Ian & I
about this.