
2-23-96. WSJ:
"H-P Acquires Most of Internet Security Firm." SecureWare technology is used by the Pentagon to safeguard transmission of military secrets. The firm's team of about 40 programmers is "a substantial fraction of the hired guns available in the on-line security world" who snake oil an extra virgin security that not even hackers can cross. Hackers would question that; they have a remarkable history of eventually figuring out ways to get past advances in faked chastity.
"Netscape Will Issue Fix for Flaw Found In Browser System." The company confirmed that Princeton researchers found a security flaw in the "applets" created with Java, but said the flaw was minor and that the company will issue a software fix for it next week. Jeff Treuhaft said exploiting the flaw would require extremely skilled hacking. Marianne Mueller, Java security engineer, also said the chances of such hacking occurring are "remote."
REM_ote

John Young writes:
2-23-96. WSJ:
"H-P Acquires Most of Internet Security Firm."
SecureWare technology is used by the Pentagon to safeguard transmission of military secrets. The firm's team of about 40 programmers is "a substantial fraction of the hired guns available in the on-line security world" who snake oil an extra virgin security that not even hackers can cross. Hackers would question that; they have a remarkable history of eventually figuring out ways to get past advances in faked chastity.
For the record, this includes me (Yes, I work for HP now). Please note that most of the story content is, if not wrong, at least poorly stated -- so what else is new? Also, the specific quotes there -- including the "hired gun" quote above -- are from an "industry analyst" not from anyone at either HP or SecureWare.
-- Jeff (Hired gun? I guess so. But who isn't?)

Marianne Mueller, Java security engineer, also said the chances of such hacking occurring are "remote."
This is the sort of bullshit that gets companies in trouble. Netscape has a good record of responding to and fixing security problems. Why should they feel the need to do spin control? This borders on lying. If the hole is there, hackers will distribute toolkits that will let even comparatively unskilled people exploit it. Here in Chicago, there is a group of hackers that teaches organized classes on how to break into systems, and they give their students toolkits. Anything you can do with a computer can be automated. If there's a difficult way to hack into a machine, someone can put it in a box that makes it easy.

Alex Strasheim wrote:
Marianne Mueller, Java security engineer, also said the chances of such hacking occurring are "remote."
This is the sort of bullshit that gets companies in trouble. Netscape has a good record of responding to and fixing security problems. Why should they feel the need to do spin control?
Marianne Mueller is a Sun employee, not a Netscape employee. The original quote did not make that clear.
PK
--
Philip L. Karlton karlton@netscape.com
Principal Curmudgeon http://www.netscape.com/people/karlton
Netscape Communications
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin

Marianne Mueller is a Sun employee, not a Netscape employee. The original quote did not make that clear.
Again, I apologize to Ms. Mueller and to Netscape. In my opinion Netscape has a great track record of addressing concerns and problems with its software. Other companies would do well to use Netscape's policy of addressing and correcting proven security problems, instead of denying and downplaying them, as a model.

I'm going to disagree. Netscape needs to add configurability if they are going to sell proprietary standards that people employ in offering information. I recently wrote a proposal for 2 "Netscape stations," machines which would not be networked, but be available for use with Netscape 2. Sort of a shame to use dialup modems in place of the high speed internet connection, but security concerns stemming from an inability to guarantee Java & Javascript are not running cause me to feel that this would be the best solution. Until there's security oriented configurability, I can't say Netscape has anything better than an acceptable record. They do a decent job of fixing the bugs, but only if you can enforce deployment of a new version, and ensure that old, bad features are not used.
Adam
| > Marianne Mueller is a Sun employee, not a Netscape employee. The
| > original quote did not make that clear.
|
| Again, I apologize to Ms. Mueller and to Netscape.
|
| In my opinion Netscape has a great track record of addressing concerns and
| problems with its software. Other companies would do well to use
| Netscape's policy of addressing and correcting proven security problems,
| instead of denying and downplaying them, as a model.
|
--
"It is seldom that liberty of any kind is lost all at once." -Hume

Until there's security oriented configurability, I can't say Netscape has anything better than an acceptable record. They do a decent job of fixing the bugs, but only if you can enforce deployment of a new version, and ensure that old, bad features are not used.
I guess that I have confidence in Netscape because they have a history of responding to concerns posted here and elsewhere. Security oriented configurability will be a good test -- I would be surprised if it doesn't come out soon. What are we talking about specifically when we talk about security oriented configurability? Rather than just turning java(script) on and off, wouldn't it be useful to piggyback off of the X.509 system that's already in place? For every CA's or server's cert, they'd just have to add two checkboxes: whether or not to run java applets or javascript code from servers vouched for by those certs. Is that what people mean when they talk about configurability, or just the ability to shut down java(script) altogether?

Alex Strasheim wrote:
Marianne Mueller, Java security engineer, also said the chances of such hacking occurring are "remote."
This is the sort of bullshit that gets companies in trouble. Netscape has a good record of responding to and fixing security problems. Why should they feel the need to do spin control? This borders on lying.
I won't comment on this other than to point out that Marianne is a "Java security engineer" at Sun Microsystems, not at Netscape. John's excerpt didn't make that clear.
--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
participants (6)
- Adam Shostack
- Alex Strasheim
- Jeff Barber
- Jeff Weinstein
- John Young
- Phil Karlton