Java & Netscape security (reply to misc. postings)
Hi Harry & Perry & Jeff & Dr Cohen & "Alice" -

1. Netscape security: Like Jeff said, Netscape 2.0beta has all the same security features as JDK beta. (JDK = Java Developer's Kit, the name for our current product.) Netscape and Sun have been cooperating closely to implement, and test, and document the applet security model. The applet security manager and the applet class loader are implemented at the Java layer, for which source code is available from Sun. Granted, some elements of the applet security model are implemented at the Java<-->runtime level, and that's why we have tests that we run on the appletviewer and on Netscape Navigator.

2. Corporate security class: Harry asks:

| My question is, can a corporate user replace the security class in
| Netscape. I understand that all the class libs are in an external
| file. While a virus might exploit this... my reason for asking is for
| corporate developers who are building "intra"net systems.. making some
| tweaks to the security class would give them the flexibility they need.
| Otherwise we have taken much of the fun out of Java. (for good
| reasons).

The best thing to do if you want to implement your own intra-corporation security model in the short run is to get a copy of the beta source code, and take a look at AppletSecurity.java and AppletClassLoader.java. You can substitute your own versions of those for your inhouse use. This is relatively easy to do with the appletviewer, and although it's possible to do some binary hack on moz2_0.car and replace certain files with your own, it's probably not everyone's cup of tea. I mean, there's a difference between what you can do, and what you want to do ... I understand that!

For the next release, we are working on how to enable people to accomplish what you want to accomplish, in a standard way and in a usable way, which preserves the applet security model. The goal is to design the APIs so that applets can have access to more system functionality in a secure way. Presumably what you really want to do is write applets that have access to file i/o (or what have you), not re-implement the security manager.

3. Postscript considered dangerous: (insert-smiley)

As for the question of someone invoking a postscript interpreter via a browser and thus opening up their system to some rogue postscript file: I think it would be great if either of these two things were to magically happen:

1) people would stop putting postscript docs on web pages because it's the wrong technology for WWW - it wastes bandwidth - it's hard to view & hence often ugly - everyone just prints it out anyway and then complains because there is no one "standard" implementation of postscript printing worldwide and there are dozens of minor problems

2) someone could implement a secure postscript previewer (whatever that means!)

I doubt either of those two things will happen. The average Jo on the internet needs to understand that when s/he downloads binary files over the internet and runs them from insecure programs on their local computer, well, s/he runs some risk. This risk might be tiny, but it's impossible to quantify loss. If I lose a poem that I'm writing, to me that's priceless, so I do not intend to imply that loss of data isn't tragic for the person who loses it. If you have data you can't bear to lose, be sure to practice safe computing. Perform backups regularly, and use judgement about which interpreters and executable programs you allow to run on your PC.

Marianne -- internet fan, mrm@netcom.com Java Products Group, mrm@eng.sun.com
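Marianne's suggestion in point 2 above (substitute your own AppletSecurity.java and AppletClassLoader.java for in-house use) comes down to subclassing Java's SecurityManager and deciding, per check, what untrusted code may do. What follows is an added example written for this page; it is not Sun's AppletSecurity.java and not anything from Netscape. It confines file reads, writes and deletes to one directory, pins outbound connections to one DNS suffix and refuses exec, and applies those rules only to threads in an "applets" ThreadGroup so that the rest of the JVM keeps working. The sandbox directory, the ".corp.example" suffix and the thread-group name are assumptions made for the illustration; the real applet model keyed its decisions on whether an applet class loader was on the call stack rather than on a thread group, which is the more robust choice but needs a class loader to demonstrate.

```java
// Added example, not Sun's AppletSecurity.java: a SecurityManager subclass that
// enforces an intranet policy on threads inside an "applets" ThreadGroup.
// Assumed for the illustration: the sandbox directory under java.io.tmpdir,
// the ".corp.example" host suffix and the thread-group name.
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Permission;

public class IntranetSecurityManager extends SecurityManager {
    private final ThreadGroup applets;    // threads the policy applies to
    private final String sandboxRoot;     // canonical path with trailing separator
    private final String intranetSuffix;  // hosts applets may connect to (assumed)

    public IntranetSecurityManager(ThreadGroup applets, File root, String suffix)
            throws IOException {
        this.applets = applets;
        this.sandboxRoot = root.getCanonicalPath() + File.separator;
        this.intranetSuffix = suffix;
    }

    // Only code on an applet thread (or a descendant group) is restricted; the
    // JVM's own threads and this demo's main thread are left alone.
    private boolean restricted() {
        ThreadGroup g = Thread.currentThread().getThreadGroup();
        return g != null && applets.parentOf(g);
    }

    // Canonicalise before comparing so "../" and symlinks cannot escape the root.
    // The check and the later open are separate steps, so a symlink swapped in
    // between them is still a race; a real policy would also pin the directory.
    private boolean inSandbox(String path) {
        try {
            String canon = new File(path).getCanonicalPath();
            return (canon + File.separator).startsWith(sandboxRoot);
        } catch (IOException e) {
            return false;   // unresolvable path: deny
        }
    }

    private static void deny(String what) {
        throw new SecurityException("intranet policy: " + what);
    }

    @Override public void checkRead(String file) {
        if (restricted() && !inSandbox(file)) deny("read outside sandbox: " + file);
    }
    @Override public void checkWrite(String file) {
        if (restricted() && !inSandbox(file)) deny("write outside sandbox: " + file);
    }
    @Override public void checkDelete(String file) {
        if (restricted() && !inSandbox(file)) deny("delete outside sandbox: " + file);
    }
    @Override public void checkConnect(String host, int port) {
        // IP literals never end with the suffix, so they are denied too.
        if (restricted() && !host.endsWith(intranetSuffix)) deny("connect to " + host + ":" + port);
    }
    @Override public void checkExec(String cmd) {
        if (restricted()) deny("exec is never allowed: " + cmd);
    }
    // Every other check funnels into checkPermission. Allowing it keeps the JVM's
    // housekeeping (property reads, class loading) working; a production policy
    // would enumerate what else applet threads may do instead of allowing all.
    @Override public void checkPermission(Permission perm) { }

    interface Action { void run() throws Exception; }

    static void attempt(String label, Action a) {
        try {
            a.run();
            System.out.println("ALLOWED " + label);
        } catch (SecurityException e) {
            System.out.println("DENIED  " + label + " (" + e.getMessage() + ")");
        } catch (Exception e) {
            System.out.println("FAILED  " + label + ": " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        File root = new File(System.getProperty("java.io.tmpdir"), "applet-sandbox");
        root.mkdirs();
        ThreadGroup group = new ThreadGroup("applets");
        System.setSecurityManager(new IntranetSecurityManager(group, root, ".corp.example"));

        Runnable untrusted = () -> {
            attempt("write inside sandbox", () -> {
                try (FileWriter w = new FileWriter(new File(root, "ok.txt"))) { w.write("hi"); }
            });
            attempt("write to home dir", () -> {
                File target = new File(System.getProperty("user.home"), "pwned.txt");
                try (FileWriter w = new FileWriter(target)) { w.write("x"); }
            });
            attempt("exec a shell", () -> new ProcessBuilder("sh").start());
        };
        Thread t = new Thread(group, untrusted, "applet-1");
        t.start();
        t.join();
    }
}
```

Compile with javac IntranetSecurityManager.java and run with java IntranetSecurityManager: the applet thread's first write lands in the sandbox and the other two attempts are refused with a SecurityException. SecurityManager was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so this runs on JDK 8 through 23, and from JDK 18 onward needs -Djava.security.manager=allow on the command line. Even where it runs, the manager only sees calls routed through the checkXxx hooks; native code and whatever the runtime does without calling back into the manager are the "Java<-->runtime level" elements Marianne mentions, and no Java-layer policy covers them.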
Dr. Frederick B. Cohen wrote: [ quoted comments from mrm@netcom.com (Marianne Mueller) removed ]
It seems clear from this that Netscape, or at least Marianne who seems to speak for Netscape, doesn't understand the protection issues that my clients face. I will nevertheless forward this official Netscape line to them so they can better understand why I tell them it is insecure.
Ahem. mrm@netcom.com is not a Netscape employee. netcom.com is not the same as netscape.com. Marianne is a Sun employee, who is working on Java. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
The best thing to do if you want to implement your own intra-corporation security model in the short run is to get a copy of the beta source code, and take a look at AppletSecurity.java and AppletClassLoader.java. You can substitute your own versions of those for your inhouse use. This is relatively easy to do with the appletviewer, and although it's possible to do some binary hack on moz2_0.car and replace certain files with your own, it's probably not everyone's cup of tea. I mean, there's a difference between what you can do, and what you want to do ... I understand that!
The real question here I had was.. can this be done in Netscape.. I know it can be done in HotJava.
3. Postscript considered dangerous: (insert-smiley)
As for the question of someone invoking a postscript interpreter via a browser and thus opening up their system to some rogue postscript file: I think it would be great if either of these two things were to magically happen:
1) people would stop putting postscript docs on web pages because it's the wrong technology for WWW - it wastes bandwidth - it's hard to view & hence often ugly - everyone just prints it out anyway and then complains because there is no one "standard" implementation of postscript printing worldwide and there are dozens of minor problems
2) someone could implement a secure postscript previewer (whatever that means!)
I doubt either of those two things will happen. The average Jo on the internet needs to understand that when s/he downloads binary files over the internet and run them from insecure programs on their local computer, well, s/he runs some risk. This risk might be tiny, but it's impossible to quantify loss. If I lose a poem that I'm writing, to me that's priceless, so I do not intend to imply that loss of data isn't tragic for the person who loses it. If you have data you can't bear to lose, be sure to practice safe computing. Perform backups regularly, and use judgement about which interpreters and executable programs you allow to run on your PC.
Marianne
It seems clear from this that Netscape, or at least Marianne who seems to speak for Netscape, doesn't understand the protection issues that my clients face. I will nevertheless forward this official Netscape line to them so they can better understand why I tell them it is insecure. -- -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Hi Dr Cohen -

I work for Sun, and I don't speak for Netscape! I do my best to post messages that are accurate and that can be substantiated, but that is not the same as being an official spokesperson. I think reasonable people can disagree on the dangers of postscript interpreters. I do not dismiss your concerns - I was merely pointing out that the fix may be simply not to run a postscript interpreter. That decision is made by a user, not by a web browser.

Marianne
Java Products Group (this is the name of the Java group at Sun)
Sun Microsystems, Inc.
I keep telling you people.. if you keep giving Fred the attention, he is never going to go away. It's blindingly obvious that he doesn't know his ass from a hole in the ground, but if you keep telling him that, it's just going to encourage him to post more, post more frequently, and make a bigger fool of himself than he already has. Just ignore everything he says. Make a procmail script to send his mails to /dev/null or send them through the text-to-hick filter. But whatever you do, do *not* send him money, do *not* feed him, and *never* *ever* no matter how much he begs, no matter how much he pleads, *NEVER* reply to this man's messages. We need one of those little posters like the "Do not take checks from this man" ones in the grocery store. Christopher
-----BEGIN PGP SIGNED MESSAGE----- On Nov 16, 4:08pm, Dr. Frederick B. Cohen wrote:
Subject: Re: Java & Netscape security (reply to misc. postings)
3. Postscript considered dangerous: (insert-smiley) It seems clear from this that Netscape, or at least Marianne who seems to speak for Netscpe, doesn't understand the protection issues that my clients face. I will nevertheless forward this official Netscape line to them so they can better understand why I tell them it is insecure.
Alright. I've lurked on this one-man issue long enough. The latest attack was severely lacking in clue. Had Dr. Fred bothered to read EVEN the .sig file, he *might* have noticed that Marianne works for SUN [three letters], not Netscape [eight letters]. He *might* have noticed that she was writing from her personal account. Perhaps Dr. Fred fails to realise that some people *aren't* speaking for their entire company every time they write e-mail. [see fc.all.net-- i always enjoy pronouncing that nearly phonetically] Dr. Fred will forward this `official Netscape line' to Netscape, probably with the similar lack of proper attribution or recognition of context. We can hope that the receiving end of Netscape possesses at least those few cluons more which are required to realise how far off *anything* Dr. Fred is now writing. To have some slight cpunks relevance, I will weigh in on the side of `It's not X's responsibility to ensure that Y's software isn't broken.' {for all X, Y in {software developers}} Why? For the same reason that I'm not generally held accountable for, say, Gary Jeffer's opinions or Tim May's: because I don't have any control over them. richard - -- Richard Martin I DON'T SPEAK FOR ALIAS|WAVEFRONT Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu http://www.io.org/~samwise Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMKvJkB1gtCYLvIJ1AQF0kwP9E1WZCflbNqGXBaOv1ipTiJdTHjB52aSy YPhBmTBVKM/FsjekDY0nBmAOsZsj/ak/aUTnkUF5BayMv4dm9yBYb2uc6ow3molK ijLKqbTnPJtNqQvr7VQZZqFvMwxaBxiyWvHp5ccVCIRXTJV/++YRPbx0dqJvnVMW CytvDDJ2944= =ZWg+ -----END PGP SIGNATURE-----
Frederick B. Cohen writes:
This is baloney. When you work for Netscape or Sun and speak about your company's products, you are representing the company whether you disclaim it or not.
Baloney. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Nobody's going to listen to you if you just | Mike McNally (m5@tivoli.com) | | stand there and flap your arms like a fish. | Tivoli Systems, Austin TX | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
m5@dev.tivoli.com (Mike McNally) writes:
Frederick B. Cohen writes:
This is baloney. When you work for Netscape or Sun and speak about your company's products, you are representing the company whether you disclaim it or not.
Baloney.
Fred is right. I used to work for Goldman Sachs & their internet usage policy stated that when you write to Internet or Usenet from a GS account, it will reflect on the firm no matter how you disclaim it. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
Perhaps Dr. Fred fails to realise that some people *aren't* speaking for their entire company every time they write e-mail. [see fc.all.net-- i always enjoy pronouncing that nearly phonetically]
I thought all Netscape and Sun communications come from their PR departments. You can't have it both ways. Your position seems to be: If employees make statements that work out, it's OK. If their statements don't work out, you disclaim them. This is baloney. When you work for Netscape or Sun and speak about your company's products, you are representing the company whether you disclaim it or not. ...
To have some slight cpunks relevance, I will weigh in on the side of `It's not X's responsibility to ensure that Y's software isn't broken.' {for all X, Y in {software developers}} Why? For the same reason that I'm not generally held accountable for, say, Gary Jeffer's opinions or Tim May's: because I don't have any control over them.
So your claim is that Unix is perfectly secure for networking, because without inetd, sendmail, ident daemon, HTTP daemons, syslogd, and all those other add-on software pieces, if your users act perfectly and nobody ever makes a mistake, you are safe from known attacks. I think this is ridiculous. When sendmail has a bug, most Unix systems become insecure. When syslog has a bug, most Unix systems become insecure. These are commonly called Unix insecurities. When Postscript allows writing to files, most Web browsers become insecure - including Netscape, including HotJava. If the only commonly available postscript programs are insecure, the products have hooks designed to allow postscript to be used automatically to interpret programs from over the net, and servers commonly provide information in postscript format, the enabling technology (i.e., Netscape and Hot Java) is responsible for the vulnerability. If it only worked under Unix, people would call it a Unix vulnerability, but since it works under Windows and OS/2 and every other system that runs Netscape or HotJava, it is a Netscape and HotJava vulnerability. I would also call it a postscript vulnerability, EXCEPT that HotJava and Netscape ALSO provide hooks to command interpreters and other insecure software, so we can't just pin it on the add-ons. The common thread is the Web browser, and that's where the blame belongs. Not with the millions of users, not with the tens of add-ons, not with the various operating environments, but with the one common thread, the Web browser. -- -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
*sigh* yet another rambling non-sequitur from Dr. Fred. time to re-activate my kill-file... -- o Robert Owen Thomas: Corvette pilot. Cymro ydw i. User scratching post. o o E-mail: Robert.Thomas@pamd.cig.mot.com --or-- robt@Cymru.COM o o Vox: 708.435.7076 Fax: 708.435.7360 o o "When I die, I want to go sleeping like my grandfather... o o Not screaming like the passengers in his car." o
When Postscript allows writing to files, most Web browsers become insecure - including Netscape, including HotJava. If the only commonly available postscript programs are insecure, the products have hooks designed to allow postscript to be used automatically to interpret programs from over the net, and servers commonly provide information in postscript format, the enabling technology (i.e., Netscape and Hot Java) is responsible for the vulnerability.
[This is my last response on this subject.] This is a non-sequitur. Providing hooks for third-party add-ons does not make Netscape responsible for damage done by third-party products. If you believe this is true, find me a legal precedent for it. It doesn't make sense on a purely intellectual level. If you produce a product that has the ability to be upgraded, and someone upgrades it with dangerous third-party products, how can you control that? The only way to assure against it is to not allow upgrades of functionality except by your own company. This throws the whole idea of reusable software, device independence, and building "platforms" right out the window. It's the kind of logic that seeks to make bars responsible for drunk drivers. Indeed, Microsoft and Apple should be held responsible for dangerous "applications" that their computers can execute. I don't know anyone who has a postscript viewer configured in Netscape and I suspect the vast majority of people using Netscape don't even have the knowledge to do it. Your comments are not significant and the threat is minor. If you had actually exposed a threat to the JavaVM/Classloader model, which might be installed on a sizable portion of browser machines, you might have a point. But since your postings have made it clear that you haven't read or understood the Java papers (besides the white paper), nor have you looked at the actual implementation, your comments are essentially meaningless. You seem fixated on what is a semantic argument about what "safe" or "secure" means. (e.g. your comments on MD5) You expect these words to have a binary meaning. Either something is safe/secure or it isn't. The world is a lot more fuzzy than that. -Ray
-----BEGIN PGP SIGNED MESSAGE----- We see enough press releases around here that we can recognise pronouncements from the mouth of a computer company and those from individuals who happen to work for a company. On Nov 16, 7:06pm, Dr. Frederick B. Cohen wrote:
So your claim is that Unix is perfectly secure for networking, because without inetd, sendmail, ident daemon, HTTP daemons, syslogd, and all those other add-on software pieces, if your users act perfectly and nobody ever makes a mistake, you are safe from known attacks.
Nope. Claim is roughly along the lines of, unix is incredibly insecure for networking, because of inetd, sendmail, ident, httpd ... but *if* there's a bug in sendmail, the trouble is not with the poor sod who put file access into the kernel, and definitely not with the person who wrote pine--even though pine calls sendmail.
[summary of rest: postscript bad]
As you finally concluded, the problem is the web browser. I concede that a web browser is a security hole by its very nature in that it makes it a lot easier for anyone to grab anything from anywhere. (This is also why web browsers would be unpopular with censors, if censors thought they could get anywhere by arguing against web browsers instead of sites.) Since you've now stated that the web browser is wrong and evil and bad, perhaps it's time you explained your fix for the web browser. The millions of users, even if they *aren't* the problem, even if they *are* blameless for blindly accepting anything anyone sends them, even if they are faultless to ignore any notes on security or care which come with web browsers--despite all of this--will still want something like a web browser. Your argument seems to be running to "users are stupid", but it's the developer's fault that users are stupid, and the developer should protect the user in all cases from their own stupidity. People shouldn't make web browsers, because web browsers, in untrained hands, can damage computers. People shouldn't make guns, because guns, in untrained hands, can damage computers. I would say that connectivity is risk, and that those who want connectivity must weigh those risks. I think most people weigh the risks of Netscape et al. and say, "the benefits offset the risks." richard [web browsers don't destroy hard drives, numbskulls with mice do] - -- Richard Martin I DON'T SPEAK FOR ALIAS|WAVEFRONT Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu http://www.io.org/~samwise Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMKvjYx1gtCYLvIJ1AQEjawP/WQh2UW4zDJpwQvObG1FLBGWwXZx0tV9S EnkUCRJfqQvaDUWRuyKdyjffYIiwthbCUPyblLcNtj608b1skyledUm7ZNGRsn3m F+nJ8CNLU7MFhPIiknY5HvjiNE+LCgLibIZRg4LfGAJ2cEScDBOq5JFp8E/9NycX xUSIVSCVP3g= =1Q1b -----END PGP SIGNATURE-----
...
On Nov 16, 7:06pm, Dr. Frederick B. Cohen wrote:
So your claim is that Unix is perfectly secure for networking, because without inetd, sendmail, ident daemon, HTTP daemons, syslogd, and all those other add-on software pieces, if your users act perfectly and nobody ever makes a mistake, you are safe from known attacks.
Nope. Claim is roughly along the lines of, unix is incredibly insecure for networking, because of inetd, sendmail, ident, httpd ... but *if* there's a bug in sendmail, the trouble is not with the poor sod who put file access into the kernel, and definitely not with the person who wrote pine--even though pine calls sendmail.
But of course, the sendmail problems are all related to other problems with Unix, and the common thread to all of the sendmail attacks is Unix, so many people blame Unix, not sendmail (although I think there is enough blame to go around).
[summary of rest: postscript bad]
As you finally concluded, the problem is the web browser. I concede that a web browser is a security hole by its very nature in that it makes it a lot easier for anyone to grab anything from anywhere. (This is also why web browsers would be unpopular with censors, if censors thought they could get anywhere by arguing against web browsers instead of sites.)
Grabbing anything from anywhere isn't the problem. The problem is how you interpret it. Information only has meaning in that it is interpreted.
Since you've now stated that the web browser is wrong and evil and bad, perhaps it's time you explained your fix for the web browser.
I didn't say wrong, evil, or bad. I only said insecure. My complaints against Netscape and Sun are not that their Web browsers are insecure - it is that they are selling these browsers based on security. The general public, and most of the users in the world, don't perceive the difference between SSL and Java and secure - they hear that SSL makes them safe, that Java makes them safe, and they believe it.
The millions of users, even if they *aren't* the problem, even if they *are* blameless for blindly accepting anything anyone sends them, even if they are faultless to ignore any notes on security or care which come with web browsers--despite all of this--will still want something like a web browser.
It's like selling me a gun and calling it safe because it has a safety on it. The safety doesn't make a gun safe, it only makes it safer against particular classes of problems. Gun sellers don't call guns safe, and neither should sellers of Web browsers.
Your argument seems to be running to "users are stupid", but it's the developer's fault that users are stupid, and the developer should protect the user in all cases from their own stupidity.
If the user claims to provide safety, that should apply to the least knowledgeable user, not only to the most knowledgeable. Almost any system can be operated securely by the most knowledgeable user. That's not the market Netscape and Java are aimed toward.
People shouldn't make web browsers, because web browsers, in untrained hands, can damage computers. People shouldn't make guns, because guns, in untrained hands, can damage computers.
I said neither. I said that people shouldn't claim that Web browsers are safe just because they have some safety features. The same applies to guns.
I would say that connectivity is risk, and that those who want connectivity must weigh those risks. I think most people weigh the risks of Netscape et al. and say, "the benefits offset the risks."
If that were true, I wouldn't have a real problem with it, but it's not true. Most people don't understand the risks. In fact, even most people on this list apparently don't understand the risks. People see benefits because they pop out at them on the screen. People only see risks when they get burned by them and are aware of it. I think that very few people weigh the risks of Netscape/HotJava because almost nobody is even aware of them. Of the people that do weigh the risks, many of them listen to people who say that Netscape/Java is secure. Very few of them pay real attention to the details of what is actually claimed about security. Then we have the people at Netscape/Sun and many of the people on this list who keep telling people that these products are secure. We hear again and again that they should blame any negative results of using these products on their users and the copy of ghostscript or postscript they imported to make their browser read the files they want to read. If companies claim a secure browser, it should be secure regardless of the typical errors and omissions made by the least sophisticated user.
[web browsers don't destroy hard drives, numbskulls with mice do]
Current Web browsers are unsafe - so are most current users. Bullets kill people, but for the most part, people pull the triggers, and a gun is the enabling technology. When you hand millions of people who know nothing about guns loaded Uzis and put them into crowds, you can hardly claim no responsibility when they start shooting each other. -- -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
participants (10)
cjs@netcom.com
dlv@bwalk.dm.com
fc@all.net
Harry S. Hawk
Jeff Weinstein
m5@dev.tivoli.com
mrm@netcom.com
Ray Cromwell
Richard Martin
rthomas@pamd.cig.mot.com