clearly the netscape engineers did not practice "safe crypto programming", but I question the seriousness of the crack. none of the articles mention that the cracker must have login access to the computer that the random numbers are generated on. is this true? does the code require knowledge of the PID etc. that can only be obtained by a login to the system that the netscape session is running on? if this is true (i.e. login access required) this bug is by far not as serious as some of the hyperbole is suggesting. I agree it is still very insecure but the most dangerous crypto bugs are those where you can determine keys from data alone.. physical penetration into a machine is another level of security.. furthermore, I would like to commend Netscape for their fast response to the problem and apparent commitment to establishing safeguards that avoid it in the future. cypherpunks have an easy time ridiculing someone who slit their throat on writing some crypto functions, but geez, cut them some slack: crypto stuff has so many pitfalls and bugaboos that even the world-class experts make mistakes. where else can not properly "burning" stack registers (function parameters) and environment variables be considered "lethal"??? PGP errors have been reported on numerous occasions, some in the randomizer code. do people call for Zimmermann's head on a stick and call him "incompetent"? often when cryptographers say something is "broken" it can still mean that it is not necessarily unsafe in practice. there are many shades of "broken", some requiring a Cray and other's requiring a PC. I am really surprised how much people here consider "broken is broken". this is only the extreme theoretical perspective. granted I am not advocating that people *not*fix* bad crypto functions, I'm only saying that maybe its not in everyone's best interest to run around and say "the sky is falling" and lambaste companies for minor difficulties.. Netscape is a world class product, and it's *free*. on this cypherpunks list, I have seen no end to the venemous criticisms that people level at *free* products, which IMHO is quite tasteless at times. Netscape has done far more for the cypherpunk cause than many, many companies just by including RC4 in their product. they have taken some heat for their decisions & code, but they are on the front lines of battle. now instead of our vague claims about how the world can benefit from good crypto, how it is immensely valuable and important to cyberspatial financial transactions, to promote the cypherpunk cause, we now have something *popular*, *physical*, and *tangible* to point to: netscape!! this is *not* vaporware. this is not some cpunk saying, "all one needs is [x] algorithm running on [y] network and you have a world class infrastructure". the amount of work to get something like Netscape into the world is quite daunting and herculean. we owe a great debt to netscape and their accomplishments for furthering our own agenda!!! please do not trivialize what they have accomplished!! Netscape is here, it works, and it is cyberspatial crypto that Joe Sixpack can understand and *use*!! it is not a toy remailer, it is not some PGP front end, it is not some mailer script, *this* is the format in which Joe Sixpack will be using crypto in the future, the format which will bring "crypto to the unwashed masses"!! Netscape may very well be the chief vehicle that puts on *concrete pressure* on our government to relax crypto export laws. I see this happening *right now* with them going to a 64 bit key from a 40 bit one, and the world starting to realize the importance of crypto and the idiocy of the export laws. I am really amazed at how few seem to be supporting Netscape here and considering them the *premiere ally* in our current battle. it reminds me of how much people here rant at Microsoft when virtually no other company on the planet could pull off what they make look easy (ah, that's another story I've filled up other posts with). please do *not* take an adversarial relationship with the companies who are helping advance the cutting edge of cyberspace!! do *not* ridicule them. rather, help them to understand their problems. I think you will find that most companies are *not* hostile to improving their software, and will readily admit it when it needs fixing (intel has been humbled by their pentium glitch, and I doubt any company again will ever be so obstinate and belligerent..) . I am willing to bet that the netscape bug would have been fixed quickly if it had been quietly brought to their attention, without the blaring media lights (I enjoy the media circus as much as the next guy, but on the other hand, doing some things quietly may actually advance the cypherpunk cause further than by making a noisy hullaballoo in cyberspace). once again I commend Netscape for their fine software and willingness to perfect it. netscape is at the cutting edge of advancing key cyberspace technologies and it is not surprising that they make some minor mistakes with the code in these early phases. cyberspace is very young!! give designers a bit of time to get it right. be patient!! do not accuse them of incompetence!! netscape is tens of thousands of lines of world-class code. only in programming can a few moments of total, rapt attention lead to bugs that get blared on the front page of new york times and affect your stock price!! good lord, give the guys a break. cpunks: when Netscape has some serious competitors, they will get their act together. but at the moment they are the only game in town, and it will pay off to be nice to them, and try to support them, instead of kicking them in the teeth and wringing them every time they make a mistake. few in the world are as knowledgeable or paranoid as we are about security, and its going to be a gradual process to get to even a fraction of the expertise here penetrating the mainstream software industry. be patient!! -- P.M. notes that anywhere there is a data-driven buffer overflow (which he suspects are all over netscape) he can get code to execute anything he wants. this reminds me of the Morris internet worm that ran exactly the same way. it used a bug in the finger demon that caused a string buffer overwrite (via strcpy, instead of strncpy) to execute customized code. my question: I have not seen the specifics of how this works. does this require specialized knowledge of the native machine language on the host machine? or is it just used to cause something like a core dump to get a command line or something like that? --Vlad Nuri