[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NYT on Netscape Crack




Markoff's article in the Times says:
>    Netscape officials said today that they would strengthen
>    the system, by making it significantly harder to determine
>    the random number at the heart of their coding system. They
>    said they would no longer disclose what data would be used
>    to generate the random numbers.

Not, of course, that they disclosed it before -- it was found by
reverse engineering the distributed executable. Not, of course, that
they have a choice in the matter of whether to disclose it -- they
will be "disclosing" how its done as soon as they release the
code. Not, of course, that security through obscurity does any good --
it just magnifies the pain.

I suspect that there are far more flaws in Netscape. String buffer
overflows are another good guess here -- they are probably rampant
through the code both for the browser and the commerce server they
sell. I can't prove it myself, of course, given that I don't have the
time to rip the thing apart, but the same folks never seemed to learn
their lesson in release after release when they worked at NCSA, and
the only thing thats probably keeping their dignity here is the lack
of distributed source code.

I'll pay for the "I broke Netscape's Security" T-Shirt for the
enterprising person that takes the time to find them in the object
code. (See Sameer's page on the shirts he's developing as prizes for
the Netscape flaw finders.)

Two "I broke Netscape's Security" T-Shirts to that daring soul at
Netscape who finds the next flaw and has the balls to mention it in
public instead of sweeping it under the carpet -- even if the person
is Marc Andreessen.

Perry