Re: NSA and Netscape Crack
At 3:46 PM 9/19/95, Jim Ray wrote: ....
I don't expect to know NSA's specific brute-force capability, but does anyone know if the NSA has *ever* found a glaring weakness in software and then told its author(s) or owner(s) about it? Do "we" perform the "COMSEC" role Tim was speaking of better than the NSA? JMR ....

Once upon a time NSA would find weaknesses in friends' crypto systems and tell them about it -- depending, of course, on the situation. It was a reciprocal practice. We don't know that NSA didn't tell Netscape.
In article <ac85fa9f010210046fb1@DialupEudora>, norm@netcom.com (Norman Hardy) writes:
At 3:46 PM 9/19/95, Jim Ray wrote: ....
I don't expect to know NSA's specific brute-force capability, but does anyone know if the NSA has *ever* found a glaring weakness in software and then told its author(s) or owner(s) about it? Do "we" perform the "COMSEC" role Tim was speaking of better than the NSA? JMR ....

Once upon a time NSA would find weaknesses in friends' crypto systems and tell them about it -- depending, of course, on the situation. It was a reciprocal practice. We don't know that NSA didn't tell Netscape.
As far as I know the NSA did not tell Netscape anything about this RNG vulnerability. If they had, we would have fixed it immediately and put up a patch. Believe it or not, we don't like being trashed for being stupid all over the net, print media, and TV. As far as I know the NSA have not given us any advice about how to make our system stronger. I've heard rumors that they were quite upset when they learned that SSL's 40-bit RC4 was actually 40-bit secret and 88-bit salt.

--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
| Believe it or not, we don't like being trashed for
| being stupid all over the net, print media, and TV. As far as I know
| the NSA have not given us any advice about how to make our system
| stronger. I've heard rumors that they were quite upset when they
| learned that SSL's 40-bit RC4 was actually 40-bit secret and 88-bit salt.

It is dangerous that the general reaction is that of 'them being stupid', since that will prevent others from stepping forward and revealing their own 'holes'. I decree that 'all holes look stupid once located'. But 'any non-trivially large program is bound to have holes' => 'all programmers are stupid' (except me, because I found the hole?)

Jeff, your and Netscape's prompt response to this is what counts - holes will always be uncovered; it's the time before they are patched that really matters.

/Christian
participants (3)
- Christian Wettergren
- jsw@neon.netscape.com
- norm@netcom.com