
Re: NSA and Netscape Crack



In article <ac85fa9f010210046fb1@DialupEudora>, [email protected] (Norman Hardy) writes:
> At 3:46 PM 9/19/95, Jim Ray wrote:
> ....
> >I don't expect to know NSA's specific brute-force capability, but
> >does anyone know if the NSA has *ever* found a glaring weakness in
> >software and then told its author(s) or owner(s) about it? Do "we"
> >perform the "COMSEC" role Tim was speaking of better than the NSA?
> >JMR
> ....
> Once upon a time NSA would find weaknesses in friends' crypto systems and
> tell them about it -- depending, of course, on the situation. It was a
> reciprocal practice. We don't know that NSA didn't tell Netscape.

  As far as I know the NSA did not tell Netscape anything about this
RNG vulnerability.  If they had we would have fixed it immediately and
put up a patch.  Believe it or not we don't like being trashed for
being stupid all over the net, print media, and TV.  As far as I know
the NSA have not given us any advice about how to make our system
stronger.  I've heard rumors that they were quite upset when they
learned that SSL's 40-bit RC4 was actually 40-bit secret and 88-bit salt.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.