Netscape's purported RNG

• To: www-security@ns2.rutgers.edu
• Subject: Netscape's purported RNG
• From: zurko@osf.org (Mary Ellen Zurko)
• Date: Thu, 21 Sep 95 9:06:00 EDT
• Cc: zurko@osf.org (Mez)
• Mailer: Elm [revision: 70.85]

> The announcement they have on their WWW server implies that they only
> discovered the bug by reading USENET.
> 
> Whatever happened to code reviews and diligent SQA?

Code reviews with experienced sw engineers are good at catching coding
errors (like allowing stack overflow). Even with security-saavy
people, they will not find all bugs (along with design reviews, they
should find the obvious ones). I worked on an A1 OS; I know. SQA folks
tend to have experience in the same sorts of bugs that engineers have
(trying long strings in arguments). The process problem instead seems
to be, as pointed out in earlier mail, that they had no expertise in
the issues of implementing cryptography, and didn't go out of house
for help. For the fix, they're getting help from RSA.

	Mez

• Re: Netscape's purported RNG
• From: Rick Smith <smith@sctc.com>

• Previous: Re: Netscape's purported RNG
• Next: SCO Unix and Security Installation
• Index(es):
  • Index
  • Thread