On Fri, 13 Oct 1995, Rob L wrote:
> Actually, it is not jeopardy that they get from doing so, but some of the best bug finders and security experts on the planet.. for close to free.
Actually, this is a very dangerous game to play, because realistically Netscape gets both, foe and friend. And they risk not only the entire company by taking this action, but they also pose risk to the public. They might get someone who responsibly tries to point out an incredibly poor design methodology within ALL of Netscape's code -- the existing installed code base as well as the new beta code. Someone who points out this fatal design flaw to the public and not only to Netscape. Or they might confront someone who announces that numerous pointers have been placed in roulette programs, making the Web under Netscape a little more like playing Russian Roulette, rather than safe, fun entertainment. Netscape clients might face a customized plexus, one that delivers dynamic documents. One time in six (if you're running CURRENT Netscape release software) it deletes your WIN.INI. Some machine in Bucharest reaches right out, and wipes you clean. Or maybe it just downloads all of your Quicken files. Netscape is clearly not thinking clearly here. The issue here isn't "Bugs" and Netscape's so-called Bugs Bounty program. It's a broader question of design methodology and of design process. Does Netscape have a product that has any worth and utility?? Does Netscape have a product which can go through a "Product Evaluation" and then a "Certification Evaluation" as set out in the US Department of Defence's Orange Book?? Or does Netscape's product fail the giggle test?
> If hackers can find 10 bugs before final release, it means there is a good chance that they will fix those bugs before final release.
> Think of it this way.. you practice a new task until you are competent at it.. beta code is the same.. it is the practice or scratch code that may be refined into the final product.
I'll beg to differ on this one. This is not about hackers, nor is this about crackers. We are not talking about some shareware game program here. Nor are we talking about a word processor, spreadsheet, or draw program. We are talking about a program that has a different mission profile. The standard here is different. A bug in code that makes your system freeze is different than a sloppy design methodology that allows someone to literally take complete control of your machine from any other machine in the world, whether that machine is foreign or domestic. Code which seeks to secure a public network connection calls for a different programming altitude than writing common PC code. The tolerances are different, the expectations are different, and the challenge (which was summarized most cogently by a UK friend) distills to a single basic issue. How do you invite a few billion people into your home without having one of them nick the silver?? Evaluation of technical computer security effectiveness is not accomplished by the release of "practice code". It has to start from the ground up. And it is certainly not assisted by having a corporate communications policy that is geared to NOT opening a communications pipe with someone who has attempted to offer constructive technical criticism. Let me make this absolutely clear. It should not be up to non-US citizens like myself to safeguard US economic security, and protect vital national interests. It is not my job and certainly not my responsibility to protect the international public and Fortune 500 companies from poor security. When that attempt is made, however, the effort should not be stymied by Netscape's thinly veiled attempt at information free-loading through public-relations puffery.
From this vantage point, Netscape's press releases have the stench of some two-bit penny stock hustler -- something I'd expect from some Vancouver Stock Exchange promoter, rather than the standard expected of a company with a Two Billion USD ($2,000,000,000) market capitalization. After emailing the company more than two days ago, I would hope that a communications channel would have been opened, or alternatively I would have held out a hope that someone from Sun or Netscape might have made an official comment here or publicly. I would have expected something other than a stonewalling silence. My Friday the Thirteenth post obviously has people shaken. Clearly, Friday was not the day to comment about this serious problem. There was no utility in causing panic and disrupting trading in Netscape stock, especially in a market that can only be characterized as frothy. But now here we stand, many hours and days later, with the questions raised remaining unaddressed, and with my copyright restriction on my Friday post hereby, and herein, explicitly waived. The question is no longer simply a question of whether Netscape can produce quality code, but a new question rises on the horizon. Does Netscape have the management depth and experience to meet daily corporate requirements?? And is the promise of Internet commerce, whether put forward by Netscape, Microsoft or AT&T, simply a pipe dream?

A very risky game, they like to play ... Or since I had already spoken of Dominick Dunne on Friday, perhaps a turn this Sunday to Johnnie Cochran and his fine choice of words:

"Whom will I trust as I will adders fang'd
They bear the mandate; they must sweep my way,
And marshall me to knavery. Let it work;
For tis the sport to have the engineer
Hoist with his own petar: and 't shall go hard ..."

Alice de 'nonymous
... ...just another one of those...

P.S. This post is in the public domain.

C. S. U. M. O. C. L. U. N. E.