Re: Netscape rewards are an insult
Jeff Weinstein <jsw@netscape.com> wrote:
David A Wagner wrote:
I do think their ``bug bounty'' system is an improvement -- at least they're showing some concern for security, and beginning to admit that outside review of security-critical code is...well...critical.
The whole bug bounty thing is an experiment. We have no idea how valuable it will be, but we thought it would be worth trying. As we gain more experience with it, we will probably evolve it.
Mr. Weinstein: Is your comment about the "Bugs Bounty" program an official comment, that you have "no idea how valuable" it will be?? Shall I give you a clue, as to how valuable the discovery of a flawed algorithm might be?? How valuable do you think the ability to download an entire geo-physical company's 3-D seismic data base is, while some company temp is looking at a pretty picture of Moo Goo Gai Pan, or downloading a recipe for goat-cheese salad with ginger and macadamia nuts?? Why not admit that the whole Bugs Bounty program was a sham. Nothing more than a quickly slapped together public-relations program, that tried to create an appearance that Netscape had a pro-active business plan. Is it because there WAS no plan, whatsoever?? Why not admit that you were forced to take action and show that you were "doing something" following the crack of the Netscape browser that was supposed to protect sensitive information such as credit-card transactions. And why not admit that what you did was raid a couple of left over press kits, and take out some shirts and cups and throw together a damage control program. Your so-called "Bugs Bounty" program. Is it because, a program that says that anyone who reports a "bug" in your two billion dollar software wouldn't be rewarded -- no, they would be entered into a draw where they _might_ get a chance to win a cup or a shirt?? Or they might receive a $1,000 reward as long as they agree to a waiver of all their rights, and agree that by reporting the problem to Netscape and entering the "Bugs Bounty" contest, their report would: "become Netscape's property to be used at Netscape's sole discretion" Is it because, this simply doesn't pass the giggle test?? And is demonstrative of such a cavalier internal attitude and approach to security that it can only be characterized as the grossest of misconduct? I'm certain that even the marketing people must have burst into peals of laughter at that one. 
Why not admit that Netscape never thought that anyone would find anything at all?? Why not admit that Netscape thought that they could weasel out of the Berkeley crack, with a nice little pat on the head to the kids who found it?? Why not admit that not only did Netscape not have an action plan for "bugs" prior to the "Berkeley crack", but doesn't have any action plan following it. Why not admit that none of the cocky boys at Netscape had even considered what would be done if there was an easily exploitable critical design flaw in the algorithm. And now that someone took Netscape up on its challenge, and simply said that the emperor has no clothes, now that someone hasn't just discovered a "bug" like the "Berkeley crack" but has demonstrated that the Netscape algorithm is fatally flawed, by posting the exploitation algorithm, now what?? Good God, I asked for clarification from Netscape last Thursday, and Netscape hasn't bothered to even return my email from almost a week ago. And, after posting the exploitation algorithm last week -- on Friday the Thirteenth -- there has been nothing but public relations huff-and-puff. Clearly, no one performed adequate top-down / bottom-up analysis at Netscape. And both the internal and external review processes were woefully inadequate. Or to steal a line from Jonathan Swift, in Gulliver's Travels. Are you, "a most ingenious Architect who had contrived a new Method for building Houses, by beginning at the Roof, and working downwards to the Foundation ..." and then done nothing else, but issue press-releases to hype and promote Netscape stock in some self-centered attempt to help out your "friends" on Wall Street.
Still, I do agree that they really oughta be employing true experts to carefully evaluate their system, if they wanna claim anything about its security.
We are doing that too. We are paying outside consultants to review everything related to security.
Oh yep, I bet you're paying them. I wonder ... are you paying them in shirts or migs, for their white-wash review?? And will the report from the external review become "Netscape's sole property to be used at the sole discretion of Netscape"? Which consultants are you going to get, Mister (unofficial, off the record, speaking personally, not speaking for the Company) Netscape spokesperson?? Who? AT&T?? AT&T has security people. The phone company has very good security people. And the phone company is supposed to have good quality control, (ISO-9000 or TQM or something ...) yet AT&T's own internal security review missed this gaping gash in Netscape browser software. Even now, AT&T is using this software internally within its business units and is ACTIVELY recommending a co-branded version of it to its worldwide customers. Has Netscape informed AT&T about this?? I'm sure that Netscape has piled their best people into their Falcon and are busily jetting them around the world signing confidentiality agreements and retaining every possible outside consultant. Entering into agency agreements to keep the lid on the biggest international news story since the Tylenol or Perrier poisoning. I wonder who Netscape will get to sign?? Who's going to lend their name, so that Netscape can say that "we're working closely with Jerry Lewis" or something similar to solve our security problems. But Mr. Lewis can't go public with what he knows, can he?? Even if he knows that Netscape is fatally flawed. Mr. Lewis will be a Netscape agent at that point, won't he?? And he'll be bound by the terms of his confidentiality agreement, even if the company is actively strategically misrepresenting his confidential report. Who's going to be left after Netscape hires all these outside consultants?? Who do you hire?? Euro-Mickey, Minnie and Donald Duck?? Captain Kangaroo?? Alice de 'nonymous ... ...just another one of those... P.S. This post is in the public domain. C. S. U. M. O. C. L. U. N. E.
Would you please stop posting your shit to this list? I'd rather not add all anonymous posters to my killfile, but maybe it is necessary. At least get an account on alpha.c2.org so I can killfile you and no one else, please. Thank you. (http://alpha.c2.org/)
Alice de 'nonymous ...
-- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer@c2.org
someone claiming to be Alice de `nonymous writes:
Is your comment about the "Bugs Bounty" program an official comment, that you have "no idea how valuable" it will be?? Shall I give you a clue, as to how valuable the discovery of a flawed algorithm might be??
Whoa there ! You've just made a huge conceptual leap, from "value of the Bugs Bounty program" to "value of the discovery of a security flaw". I think nearly everyone agrees that the latter is significant. There appears to be great disagreement about the former, as Alice de `nonymous has demonstrated. [...]
after posting the exploitation algorithm last week -- on Friday the Thirteenth -- there has been nothing but public relations huff-and-puff.
There's been a specific response to your claim, which so far you have ignored. It would seem that you are far more interested in impugning Netscape's motives than discussing the security issue you raised. [...]
I wonder ... are you paying them in shirts or migs, for their white-wash review??
Ooh, I like this idea. Find a flaw, get a MiG-29 ! Of course, we knew that Netscape Communications Corp. must be a KGB front. The Commies are still hoping to undermine U.S. national security. Did you notice that we heard about the White House browsing Web pages right about the same time that KKlinton relaxed the supercomputer export controls ? Adding insult to injury, they want to foist surplus Soviet goods off on us.... <chortle> -Futplex <futplex@pseudonym.com>
On Wed, 18 Oct 1995 11:39:49 -0700 some Anonymized cretin wrote:
Mr, Weinstein:
Is your comment about the "Bugs Bounty" program an official comment, that you have "no idea how valuable" it will be?? Shall I give you a clue, as to how valuable the discovery of a flawed algorithm might be??
... and so on ... Alice, could you please flag your messages with "[POINTLESS WORDY OFF-TOPIC FLAME]" in the subject line from now on? Since you are going through a remailer, I can't otherwise killfile you. Alternatively, there seems to be growing support for the "[NOISE]" standard; you could at least do us all the service of including that. Many thanks. -- Dan Marner dmarner@mis.nu.edu Network Weasel http://mis.nu.edu/~dmarner National University "Not on MY network!"