1995-09-21 - Re: NSA and Netscape Crack

Header Data

From: jsw@neon.netscape.com (Jeff Weinstein)
To: cypherpunks@toad.com
Message Hash: f4f1b1e09e4c160c811152791d17f1ead77f9bdd0f2884aa2bfb0fa43eb591f5
Message ID: <43qrpq$gd5@tera.mcom.com>
Reply To: <ac85fa9f010210046fb1@DialupEudora>
UTC Datetime: 1995-09-21 05:05:54 UTC
Raw Date: Wed, 20 Sep 95 22:05:54 PDT

Raw message

From: jsw@neon.netscape.com (Jeff Weinstein)
Date: Wed, 20 Sep 95 22:05:54 PDT
To: cypherpunks@toad.com
Subject: Re: NSA and Netscape Crack
In-Reply-To: <ac85fa9f010210046fb1@DialupEudora>
Message-ID: <43qrpq$gd5@tera.mcom.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <ac85fa9f010210046fb1@DialupEudora>, norm@netcom.com (Norman Hardy) writes:
> At 3:46 PM 9/19/95, Jim Ray wrote:
> ....
> >I don't expect to know NSA's specific brute-force capability, but
> >does anyone know if the NSA has *ever* found a glaring weakness in
> >software and then told its author(s) or owner(s) about it? Do "we"
> >perform the "COMSEC" role Tim was speaking of better than the NSA?
> >JMR
> ....
> Once upon a time NSA would find weeknesses in friends' crypto systems and
> tell them about it -- depending, of course, on the situation. It was a
> reciprocal practice. We don't know that NSA didn't tell Netscape.

  As far as I know the NSA did not tell Netscape anything about this
RNG vulnerability.  If they had we would have fixed it immediately and
put up a patch.  Believe it or not we don't like being trashed for
being stupid all over the net, print media, and TV.  As far as I know
the NSA have not given us any advice about how to make our system
stronger.  I've heard rumors that they were quite upset when they
learned that SSLs 40-bit RC4 was actually 40-bit secret and 88-bit salt.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.





Thread