I just glanced at the new Netscape RNG source. I don't really see anything bad, but I haven't analyzed it. However, I'm curious as to why variables like the username or the language locality are used as sources of entropy. These seem to provide almost nil. The username is going to be pretty much constant. In fact, even the current directory, which is used as a seed, can't provide more than a few bits of entropy. In all probability, the user name will usually be the same, and so will the current directory (and how many directories are there? 65,000 would only give you 16 bits of entropy, assuming you get a directory listing from the machine).

I'm thinking from the standpoint of someone gathering data on someone or some server to mount a specific attack. A "most common directories on the Macintosh" file, for instance, could be used to attack the current directory method. Using those sources probably can't hurt; they just seemed like odd choices, "grasping for straws" so to speak.

Nevertheless, I would like to commend Netscape for releasing the source code for public review. You guys are clearly an intelligent company, both in your current developments and in the way you have handled this bad press.

-Ray

P.S. I hope you guys do a good internal review of your code to remove buffer overflow bugs.
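The entropy arithmetic in the post above (65,000 equally likely directories is only 16 bits; a username that is "pretty much constant" contributes far less) can be made concrete. The following is an added example, not Netscape's RNG code and not written by the poster: it computes the Shannon entropy and min-entropy of a seed input from a constructed sample distribution, and then shows why low-entropy inputs fail, by brute-forcing a hypothetical seed derived from username, locale and current directory using a "most common values" list of the kind the post describes. The seed construction (a SHA-256 over the concatenated inputs) and all sample data are assumptions made for illustration.

```python
"""Estimate how much entropy seed inputs such as username, locale and
current directory really contribute, then recover a seed built from them
by enumerating the plausible values.

Added illustration; the derive_seed() construction is hypothetical and
every sample list/distribution below is constructed, not observed data.
"""
import hashlib
import itertools
import math
from collections import Counter


def shannon_entropy_bits(counts):
    """Shannon entropy H = -sum p*log2(p) of a value->count distribution."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def min_entropy_bits(counts):
    """Min-entropy -log2(max p): the figure that bounds a guessing attacker,
    who simply tries the most likely value first."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def bits_for_uniform_choices(n):
    """Entropy of a uniform choice among n values (65,536 directories -> 16 bits)."""
    return math.log2(n)


def derive_seed(username, locale, cwd):
    """Hypothetical seed derivation: hash the concatenated inputs.
    Hashing mixes the inputs but adds no entropy; the seed space is exactly
    the set of input tuples the attacker has to enumerate."""
    data = f"{username}\0{locale}\0{cwd}".encode()
    return hashlib.sha256(data).hexdigest()


def brute_force_seed(target_seed, usernames, locales, cwds):
    """Enumerate candidate (username, locale, cwd) tuples from the attacker's
    'most common values' lists. Returns (guesses_tried, recovered_tuple),
    or (guesses_tried, None) if the victim's inputs were not on the lists."""
    guesses = 0
    for combo in itertools.product(usernames, locales, cwds):
        guesses += 1
        if derive_seed(*combo) == target_seed:
            return guesses, combo
    return guesses, None


# Constructed sample: usernames seen on 100 hypothetical machines.
USERNAME_SAMPLE = Counter({"admin": 60, "user": 25, "guest": 10, "jsmith": 5})

# Constructed attacker lists in the spirit of a "most common directories" file.
COMMON_USERNAMES = ["admin", "user", "guest", "jsmith"]
COMMON_LOCALES = ["en_US", "en_GB", "de_DE", "fr_FR"]
COMMON_DIRS = [
    "C:\\", "C:\\WINDOWS", "C:\\NETSCAPE", "C:\\TEMP",
    "Macintosh HD:", "Macintosh HD:Netscape", "/", "/tmp",
]


def attacker_search_bits(usernames, locales, cwds):
    """log2 of the attacker's search space: the effective entropy of the seed
    if the victim's values are on the lists (4*4*8 = 128 tuples -> 7 bits)."""
    return math.log2(len(usernames) * len(locales) * len(cwds))


def demo():
    """Run the whole estimate and return the figures for inspection."""
    # Victim whose inputs happen to be on the attacker's lists (constructed).
    victim = ("jsmith", "de_DE", "Macintosh HD:Netscape")
    target = derive_seed(*victim)
    guesses, recovered = brute_force_seed(
        target, COMMON_USERNAMES, COMMON_LOCALES, COMMON_DIRS)
    return {
        "username_shannon_bits": shannon_entropy_bits(USERNAME_SAMPLE),
        "username_min_entropy_bits": min_entropy_bits(USERNAME_SAMPLE),
        "bits_for_65536_dirs": bits_for_uniform_choices(65536),
        "attacker_search_bits": attacker_search_bits(
            COMMON_USERNAMES, COMMON_LOCALES, COMMON_DIRS),
        "guesses": guesses,
        "recovered": recovered,
        "victim": victim,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two entropy figures differ on purpose: Shannon entropy (about 1.5 bits for the constructed username sample) describes the average surprise, while min-entropy (about 0.74 bits, since "admin" alone covers 60%) is what an attacker who tries the likeliest value first actually faces. Neither number changes when the inputs are hashed, which is the post's point about such inputs being "grasping for straws": whatever they add is bounded by the size of a guessable list, and the enumeration above recovers the seed in at most 128 tries.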