Not, of course, that they disclosed it before -- it was found by reverse engineering the distributed executable. Not, of course, that they have a choice in the matter of whether to disclose it -- they will be "disclosing" how it's done as soon as they release the code. Not, of course, that security through obscurity does any good -- it just magnifies the pain.
Once Netscape is patched with a stronger PRNG, if someone can crack -that- one too, then they will get a T-shirt as well. Perhaps I should offer the T-shirt for just revealing the algorithm used w/o actually cracking it, just to deal with that statement from "Netscape officials".

I emphasized in my conversation with the SFChronicle today that 'security by obscurity' doesn't work. Hopefully that will be reflected in the article.

--
sameer                                   Voice:   510-601-9777
Network Administrator                    FAX:     510-601-9734
Community ConneXion: The NEXUS-Berkeley  Dialin:  510-658-6376
http://www.c2.org (or login as "guest")  sameer@c2.org