
Dr. Frederick B. Cohen wrote:
I respectfully disagree. Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
Err... If software companies were to follow your line of logic, software boxes (all sorts of software) would become covered with fine print. As would ads for the software. Although I'm sure industry lawyers would welcome that, personally I think it would be quite sad.
The point is, Netscape CLAIMS to provide security - Microsoft doesn't.
Here is a quote from Microsoft's Internet Explorer 2.0 Beta announcement, which can be found at http://www.microsoft.com/windows/pr/sept2895.htm:
"Internet Explorer 2.0 also provides users with a secure environment. Complete support for Secure Sockets Layer (SSL) and RSA encryption allows integration with secure sites. In addition, Internet Explorer 2.0 will support Private Communication Technology (PCT), which is an efficient and secure upgrade to the SSL protocol. Internet Explorer will also support Secure Transaction Technology (STT), an electronic payment technology jointly developed by Microsoft and Visa International, as soon as it is available."
There is that pesky word "secure", five times in one paragraph.
A stupid example: I can replace copy on your machine so that it does a delete instead. Does that mean that the OS manufacturer has to warn a user about this?
On my machine, if you replace copy with delete, it will be detected before it does the delete, and, unless you are very skilled, when I tell it to copy, the corruption will be automatically corrected. This is because I use an "integrity shell" - something you guys at Netscape probably never heard of.
What if they replace your "integrity shell"?
There's a point at which one has to hand off the assessment to the buyer.
The point I have been trying to make that many on this list seem to ignore again and again, is that Netscape makes the security claims. If you don't provide effective protection, don't make the claim. If you want to make the claim, back it up with something other than media hype.
We are working on clarifying our security claims. Here is an example from the San Jose Mercury News on Aug. 17, 1995:
"We have said for a long time that given the right amount of computer power, that a 40-bit key encrypted message could be decrypted," said Mike Homer, Netscape's vice president of marketing.
This is my own opinion and also that of anyone who agrees with me. I'm reading this group because it's very interesting for me personally. There.
All of our opinions are our own, and my opinion is that Netscape (not you) is:
- making inadequately supported claims about a nebulous thing called "security".
Here is one definition of the word "security" from the Webster's New World Dictionary, Third Edition:
"protection or defense against attack, espionage, etc."
Note that I make no claims that this is Netscape's definition of security in our products.
- using it as a basis to get people to invest millions (billions?) of dollars.
Billions of dollars have not been invested in Netscape. An examination of the prospectus and the current stock price will bear this out. Here is a quote from the Netscape prospectus:
"The Company has included in its products an implementation of the Secure Sockets Layer ("SSL"), a security protocol which operates in conjunction with encryption and authentication technology licensed from RSA Data Security, Inc. ("RSA"). Despite the existence of these technologies, the Company's products may be vulnerable to break-ins and similar disruptive problems caused by Internet users. Such computer break-ins and other disruptions would jeopardize the security of information stored in and transmitted through the computer systems of end users of the Company's products..."
Of course anyone who is interested in investing in Netscape's stock should get and read the entire prospectus.
- plans to use it to move millions, and eventually billions of dollars over the Internet, potentially placing a fair chunk of the world economy (I'm not kidding) as well as individual privacy (and thus freedom) at risk.
It would have to be many billions of dollars before it becomes "a fair chunk of the world economy", and I think that even the most optimistic projections of internet commerce put that many years in the future.
- may succeed unless people who do understand the implications find a way to fix the thing.
These things concern me, so I will stand my ground regardless of the flames and ask, yet again, for someone at Netscape to tell us what you mean by "security" when you make claims about it (I won't repost my questions from a few days ago since you have already ignored them) and why your claims are strong enough for a big chunk of the world economy to rest on it.
I don't think that it is reasonable to expect that everyone who asks for an official company position on some random mailing list will get a response. The people who make such statements are not usually on such lists, and they have other forums for making public statements. Perhaps you should call our PR department for a statement. You are certainly free to "stand your ground", but I am also free to not respond to you.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.