Perhaps Dr. Fred fails to realise that some people *aren't* speaking for their entire company every time they write e-mail. [see fc.all.net -- I always enjoy pronouncing that nearly phonetically]
I thought all Netscape and Sun communications come from their PR departments. You can't have it both ways. Your position seems to be: If employees make statements that work out, it's OK. If their statements don't work out, you disclaim them. This is baloney. When you work for Netscape or Sun and speak about your company's products, you are representing the company whether you disclaim it or not. ...
To have some slight cpunks relevance, I will weigh in on the side of `It's not X's responsibility to ensure that Y's software isn't broken.' {for all X, Y in {software developers}} Why? For the same reason that I'm not generally held accountable for, say, Gary Jeffer's opinions or Tim May's: because I don't have any control over them.
So your claim is that Unix is perfectly secure for networking, because without inetd, sendmail, ident daemon, HTTP daemons, syslogd, and all those other add-on software pieces, if your users act perfectly and nobody ever makes a mistake, you are safe from known attacks. I think this is ridiculous. When sendmail has a bug, most Unix systems become insecure. When syslog has a bug, most Unix systems become insecure. These are commonly called Unix insecurities.

When Postscript allows writing to files, most Web browsers become insecure - including Netscape, including HotJava. If the only commonly available postscript programs are insecure, the products have hooks designed to allow postscript to be used automatically to interpret programs from over the net, and servers commonly provide information in postscript format, the enabling technology (i.e., Netscape and HotJava) is responsible for the vulnerability. If it only worked under Unix, people would call it a Unix vulnerability, but since it works under Windows and OS/2 and every other system that runs Netscape or HotJava, it is a Netscape and HotJava vulnerability.

I would also call it a postscript vulnerability, EXCEPT that HotJava and Netscape ALSO provide hooks to command interpreters and other insecure software, so we can't just pin it on the add-ons. The common thread is the Web browser, and that's where the blame belongs. Not with the millions of users, not with the tens of add-ons, not with the various operating environments, but with the one common thread, the Web browser.

--
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236