1995-12-11 - Re: NSA rigs Crypto machines according to Balto Sun

Header Data

From: pcw@access.digex.net (Peter Wayner)
To: cypherpunks@toad.com
Message Hash: 7dac4e0219c59c646691ea6251fbf987c5cb05f28d6d40aea624bc670f803788
Message ID: <v02130504acf220191b61@[199.125.128.5]>
Reply To: N/A
UTC Datetime: 1995-12-11 21:45:55 UTC
Raw Date: Tue, 12 Dec 1995 05:45:55 +0800

Raw message

From: pcw@access.digex.net (Peter Wayner)
Date: Tue, 12 Dec 1995 05:45:55 +0800
To: cypherpunks@toad.com
Subject: Re: NSA rigs Crypto machines according to Balto Sun
Message-ID: <v02130504acf220191b61@[199.125.128.5]>
MIME-Version: 1.0
Content-Type: text/plain


At 11:14 AM 12/11/95, hallam@w3.org wrote:

>>So, is this what happened at Crypto AG? Is this what happened at
>>Netscape? We may never know for certain, but there is a final
>>warning for the folks at Netscape that is buried in the Sun's
>>article about Crypto AG:
>
>No it is nothing like what happened at Netscape which was a common or
>garden cock up. It was simply the result of miscommunication between
>two groups of people being the original and new security team. Taher
>et al thought that the random number seed was OK because they discovered
>a design document describing it. Unfortunately the code had not been
>written to implement that design.
>
>        Phill

Thanks for the deeper insight. Sure it was probably a mistake. But someone
made the decision to write code that didn't conform to that design document.
That person was probably saying, "Random number generator. Cool. I can use
the standard C library." or whatever. But that person could have been saying,
"Hey, if I slip this in then I'll be able to snag the session
keys with impunity."
We'll never know for sure.

-Peter






