From: jsw@neon.netscape.com (Jeff Weinstein)
Date: Mon, 25 Sep 95 00:32:57 PDT
To: cypherpunks@toad.com
Subject: Re: New Netscape RNG
In-Reply-To: <199509250649.CAA27099@clark.net>
Message-ID: <445lti$hej@tera.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <199509250649.CAA27099@clark.net>, rjc@clark.net (Ray Cromwell) writes:
>  I'm thinking from the standpoint of someone gathering data on someone
> or some server to mount a specific attack. a "most common directories
> on the macintosh" file for instance could be used to attack the
> current directory method.
> 
>   Using those sources probably can't hurt, they just seemed
> like odd choices, "grasping for straws" so to speak.

  I'd rather think of it as a "kitchen sink" approach :-). We are looking
for bits wherever we can find them.  We are not experts in the internals
of all of our supported systems, so any suggestions people could provide
for more high quality sources on specific systems would be appreciated.

>   Nevertheless, I would like to commend Netscape for releasing
> the source code for public review. You guys are clearly an intelligent
> company, in both your current developments, but also the way
> you have handled this bad press.

  I'd like to add that management has been very supportive of this
idea.  Barksdale was in the cellular industry when their security
through obscurity measures failed, so he knew exactly what we
were talking about.

> p.s. i hope you guys do a good internal review of your code to remove
> buffer overflow bugs

  We have had code reviews.  We will be fixing several of this sort
of bug in the upcoming patch.
 
	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.