:I've deleted the rest of your content-free rant. Instead of alluding to
:some "flawed algorithm", why not tell us about the hole you say you've
:found in netscape?

OK, Netscape functions by DESIGN as an enhanced delivery vehicle. Is that a sufficient explanation of the hole?? or is more detail necessary (which follows):

Netscape blindly trusts any and all ports on all servers. On the basis of this trust, it begins a negotiation with a server that might well have a dynamic deliverability capability. The client then examines a Content-type header, trusts the content-type to decide what application it should launch, and then launches and processes the data block it is fed, all on good faith. It even trusts the server to redirect it to any arbitrary destination which it automatically loads and then executes.

Is this enough of an explanation?? Or should I paraphrase:

Netscape is a gateway that permits an untrustworthy server to take complete control of a client's machine. The server can tell the client where it should go, what it should load and how often, and what applications to execute on the client machine, as though this arbitrary server were its master.

Does this help to underscore the problem??

The Netscape Navigator client was DESIGNED to be controlled remotely from any machine on the Internet. This is the "flawed algorithm". W3 was meant to be hypertext ... not a gateway that permits a server to deliver customized byte bombs down a clearcut path by remote-control.

If people don't know that you don't let another person (or machine) take control of your machine and run programs on it ... well, like I said in the past.
"Let me make this absolutely clear.
It should not be up to non-US citizens like myself to safe-guard US economic security, and protect vital national interests. It is not my job and certainly not my responsibility to protect the international public and Fortune 500 companies from poor security."
So without giving out another "exploitation algorithm" to the Internet, without extending a helping hand to Japan to retaliate against the US for the American Japanese auto surveillance, I will simply quote from two sources which are "public record" and mentioned in the FAQ.
From the "Orange Book", one of the volumes of the Department of Defence's "Rainbow Series" more commonly known as TCSEC (Trusted Computer System Evaluation Criteria) and available from:
    U.S. Government Printing Office
    Superintendent of Documents
    Washington, DC 20402

    - or -

    INFOSEC Awareness Office
    National Computer Security Centre
    9800 Savage Road
    Fort George G. Meade, MD 20755-6000

which stipulates that:

"... it is required that ADP (Automated Data Processing) systems that "process, store, or use classified data and produce classified information will, with reasonable dependability, prevent:

a. Deliberate or inadvertent access to classified material by unauthorized persons, and

b. Unauthorized manipulation of the computer and its associated peripheral devices."

The above quoted reference is public information. And, since Netscape is making "no-comment" I will quote Netscape's public information.

NETSCAPE CLIENT APIS (NCAPIS) 2.0

The NCAPIs are designed to allow third-party applications to remotely control the Netscape Navigator client. They are platform specific, utilizing the platform's native method of interprocess communication (IPC). These APIs are not final and may change with the release of version 1.1 of Netscape Navigator (they do not work with Netscape Navigator 1.0).

Herein is the "flawed algorithm" which is just a fancy way of saying that it's a flawed idea. And this isn't new ... it's been there for a long time.

Generally, we don't routinely trust every other computer, foreign or domestic on the Internet to manipulate us by remote control. This is as basic as the idea that we don't give out our PIN numbers with our banking cards to anyone who asks us. If someone tries to suggest differently, then they are a fool.

Let's recall that Version 1.1 of Navigator was released long ago, and trusts every machine on the Internet to do just that. It trusts every other machine on the Internet to be "trustworthy". Whether that machine is foreign or domestic.

We are not speaking about the new and improved -- feature added -- "beta" 2.0 software, we are speaking of the software that AT&T is using internally and is selling to its customers as we speak as a "co-branded" product. Software which AT&T security "approved" of in direct contravention of the most basic of basic security principles.

Let me reiterate this. Netscape's current existing software was designed in direct contravention of the US Department of Defence's evaluation criteria for Trusted Computer Systems, the TCSEC. It also contravenes the ITSEC (Information Technology Security Evaluation Criteria) which is a document developed by the British, German, French, and Netherlands governments. (Anyone can get a free copy of ITSEC by writing to the Commission of the European Communities in Brussels.)

Netscape forgot one thing about trust. If you "trust everyone" ... even if you always trust everyone, you always cut the cards. And when you're playing poker at these stakes ... well ... 'nuff said.

Alice de 'nonymous ...

...just another one of those...

P.S. This post is in the public domain. Please don't shoot the messenger.

C. S. U. M. O. C. L. U. N. E.
P.P.S If this is confusing to anyone, please direct your comments to one or all of the following newsgroups: alt.2600 alt.security comp.security.announce comp.security.misc comp.virus