Re: Netscape "random" number seed generator code available

[Bob Snyder <rsnyder@janet.advsys.com>]

jsw@neon.netscape.com said:
>   More on the RNG stuff.  On Unix systems we look for ~/.pgp/
> randseed.bin, and feed it through the RNG hash.  On Unix and PC 
> systems we feed the environment through the hash, so that would be a 
> good place for a concerned user to put some random stuff of their 
> own. 

For UNIX, including the environment is pretty useless for determining a seed. 
On BSD-style machines, try a ps -uxeww. The environment is known by anyone who 
has access to the machine when the seed is generated, and possibly to many 
others, since some machines have SNMP daemons that will give out the process 
table, or may have the systat "service" turned on.

The later two may not include the environment on most machines, but I believe 
it concievably could, and may be implimentation specific from UNIX to UNIX.

I greatly applaud Netscape for "going public" with this information, and 
remaining open to suggestions despite the bad publicity it has been getting. 
One of the large corporations I work with is looking to do an electronic 
commerce with some pretty amazing $ amounts soon (at least, amazing to me), 
and I know I'm going to be asked about the security breaks. I feel confident 
that I can tell them exactly what is wrong, and what Netscape is doing to fix 
it, and that I don't think it should be a matter for great concern. I'm not 
sure I could have done that had Netscape done nothing but issue the press 
release and weather the bad press in silence.

Bob