Re: Netscape rewards are an insult

Promoting the notion that hackers are earnestly attacking Netscape and reporting its bugs increases its credibility to the stock market porkers. Is that not why dear all-too-attentive Jeff has been assigned duty on this list, feeding peanuts to chimp hackers and champ newshacks?
Whoa!!
I'm afraid you're a little out of line here. I've worked with Jeff at a couple different companies over the last 6 years. Besides being a very good programmer he's also one of the people I consider the most resistant to corporate bullstuff (believe me, we both got a lot of it at MicroUnity). I'm sure he's on this list because he thinks it's a good idea to pay attention to it.
Maybe he is, but I'd rather hear everyone speak for themself. You can speak for you. And you can let Jeff speak for himself. And I'd rather that Netscape speak for itself, too. Is Jeff or any of the other netscape posters here officially?? Or are they here, just out of personal curiosity (without their employers knowledge, I mean ...) cause they have a whole lot of spare time on their hands to learn about cryptography and security. I wish one of them (or Netscape) would make an official comment to make sure that the record is straight, and that there is no mis-reporting.
What the hell is wrong with you people? Up 'til a few months ago, the oft-heard refrain on cipherpunks was "why won't the software vendors listen to us?"... now they're listening,
Yep, they seem to be listening. They just don't seem to be talking. Can someone say something, please?? Is it true that:
- Netscape has known about this problem since last week's scathing public attack and demonstration of the problem which included sample code posted to the Internet??
- If you run and use a Netscape client, that any machine anywhere in the world if it's on the Net could retrieve all of the files off of your hard drive or LAN?? Or even worse ... erase files on your Hard drive and wipe you out??
- Even if your machine is behind a firewall or proxy server, that there is no protection?? That you can't do anything??
Can someone comment, please??
(Carbon copy sent to: postmaster@netscape.com, cypherpunks@toad.com, cert@cert.org)

West Canadian Graphics wrote:
Is Jeff or any of the other netscape posters here officially??
I am not an official spokesperson of netscape. What I post here is either my opinion, my interpretation of netscape's public statements (press releases), or my interpretation of the sentiments of my co-workers. Obviously management know that I do spend some time reading and writing messages on cypherpunks, but I've never been told to do it or to stop doing it.
Or are they here, just out of personal curiosity (without their employers knowledge, I mean ...) cause they have a whole lot of spare time on their hands to learn about cryptography and security.
I'm here to learn and to contribute, which I think is why most people are here.
- Netscape has known about this problem since last week's scathing public attack and demonstration of the problem which included sample code posted to the Internet??
Which problem are you talking about?
- If you run and use a Netscape client, that any machine anywhere in the world if it's on the Net could retrieve all of the files off of your hard drive or LAN??
Or even worse ... erase files on your Hard drive and wipe you out??
I don't believe this statement to be true. How about the following: If you download a program to your computer that is infected with a virus, the virus could send all of the files on your hard disk to anyone it wants to, or it could wipe your entire hard disk. Now, what does this have to do with running netscape? --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.

Is Jeff or any of the other netscape posters here officially??
I speak for myself. I am not an official Netscape spokescritter, and have no desires to be one.
Or are they here, just out of personal curiosity (without their employers knowledge, I mean ...) cause they have a whole lot of spare time on their hands to learn about cryptography and security.
I don't have a lot of spare time, but I do consider reading the messages going to cypherpunks as part of my job. (Well at least some of each message. :-)
I wish one of them (or Netscape) would make an official comment to make sure that the record is straight, and that there is no mis-reporting.
On what topic?
- Netscape has known about this problem since last week's scathing public attack and demonstration of the problem which included sample code posted to the Internet??
I am not quite sure what problem you are talking about? NFS and MITM ftp attacks?
- If you run and use a Netscape client, that any machine anywhere in the world if it's on the Net could retrieve all of the files off of your hard drive or LAN??
Or even worse ... erase files on your Hard drive and wipe you out??
Can you expand on this? I am not aware that any of the executables we have shipped do this. If you get a compromised version of any program (i.e. one that some attacker has changed) then that changed version will do whatever the attacker has built it to do. This is not a Netscape specific issue.
- Even if your machine is behind a firewall or proxy server, that there is no protection?? That you can't do anything??
Firewalls and proxies help against many attacks. Without knowing which one you mean, it's impossible to respond intelligently. (In particular I know of no sites that allow NFS packets to cross a firewall boundary.) PK -- Philip L. Karlton karlton@netscape.com Principal Curmudgeon http://www.netscape.com/people/karlton Netscape Communications Corporation

I am not quite sure what problem you are talking about? NFS and MITM ftp attacks?
This character has been going on and on regarding some big hole he apparently found in netscape, but no one else on the list seems to have noticed anything, or replicated any alleged claims he may have made. Maybe if the person in question would repost this alleged post describing some massive hole, it would help us all. -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer@c2.org

On Tue, 17 Oct 1995, sameer wrote:
I am not quite sure what problem you are talking about? NFS and MITM ftp attacks?
This character has been going on and on regarding some big hole he apparently found in netscape, but no one else on the list
I guess he/it must be some existentially frustrated Java virus. (apologies in advance, couldn't resist)
(my little contribution: People download binaries off the net all the time. Code gets infected and infects PCs. Big deal. Infected PC's on networks can infect the rest of that network and call in even more infectious code from across the net. So what? I'm sorry, is this a new concept here? It doesn't take netscape/java to do this. It's been possible to do this in C for the longest time. Just takes a little more effort.) These opinions are not even my own. Blame them on my non-algorithmic OTP and its good friend Mr. Line Noise.

s1018954@aix2.uottawa.ca wrote:
my little contribution: People download binaries off the net all the time. Code gets infected and infects PCs. Big deal.
You don't seem to understand the issue here. Netscape with JAVA is supposed to become more or less the 'only' program you will run, a kind of superimposed operative system, or your main shell for running 'everything' from. Much of 'everything' will be downloaded at the time of execution. (Microsoft is supposed to be reduced to one of several 'kernel-suppliers' only.) And 'infected PCs' really *are* a very big deal in corporate and institutional surroundings. Mats

On Wed, 18 Oct 1995, Mats Bergstrom wrote:
You don't seem to understand the issue here. Netscape with JAVA is supposed to become more or less the 'only' program you will run, a kind of superimposed operative system, or your main shell for running 'everything' from. Much of 'everything' will be downloaded at the time of execution. (Microsoft is supposed to be reduced to one of several 'kernel-suppliers' only.) And 'infected PCs' really *are* a very big deal in corporate and institutional surroundings.
I understand this exactly, I face my university's restricting account security measures and virus paranoia every time I log in. And I'm all for component ware becoming a reality. It's just that some of last week's java screaming seemed a bit shrill. What doesn't seem a "big deal" to me is that the security problems of the past also apply to Java. It's not that it's irrelevant, it's that it's obvious. The internet worm, as far as I know, was written in C (and some vax asm?). I'm just saying, "yeah, so what else is new?", "secure" software has holes. I'm happy someone's trying to give some thought to language security during the design phase (no matter how ineffective, Perry).

sameer wrote:
Phil Karlton wrote:
I am not quite sure what problem you are talking about? NFS and MITM ftp attacks?
This character has been going on and on regarding some big hole he apparently found in netscape, but no one else on the list seems to have noticed anything, or replicated any alleged claims he may have made. Maybe if the person in question would repost this alleged post describing some massive hole, it would help us all.
I am not technically competent to judge if his/her claim is worth reposting, but here it is, clipped from the very long Friday 13 rant, as found at Raph's index site (Subject: Bugs Bounty??...shhh... I'm huntin wa'bits... From:anonymous-remailer@shell.portal.com). Mats
___________________________________________________________________
<long first part deleted; general aspects on the Bounty Hunt>
And this is where we introduce a little old document called pushpull.html from Netscape's Web site. It's titled: An Exploration of Dynamic Documents.
The Great Idea
The general idea is that browsers have always been driven by user input. You click on a link or an icon or an image and some data comes to you. As soon as people saw they could do that, they wanted to give a server the ability to push new data down to the browser. (An obvious example is a stock trader who wants to see new quote data every 5 minutes.) Up until now, that hasn't been possible.
And I can think of many people who would _also_ like to push down data to a browser. But, that's not a great idea. Guess what?? It's not even a good idea. It might even be a bad idea.
Netscape Navigator 1.1 gives content creators and server administrators two new open standards-based mechanisms for making this work. The mechanisms are similar in nature and effect, but complementary. They are:
Server push -- the server sends down a chunk of data; the browser display the data but leaves the connection open; whenever the server wants it sends more data and the browser displays it, leaving the connection open; at some later time the server sends down yet more data and the browser displays it; etc.
Yes, the client "processes data" and then possibly displays it, while in
Client pull -- the server sends down a chunk of data, including a directive (in the HTTP response or the document header) that says "reload this data in 5 seconds", or "go load this other URL in 10 seconds". After the specified amount of time has elapsed, the client does what it was told -- either reloading the current data or getting new data.
Hmm. Netscape's clients blindly trust and follows server's instructions and does what it is told to do. If it's told to load a particular document in five seconds. It does that. It dances to the server's instructions. Something which should cause any Security Administrator's hair to stand on end, as the server takes control of the client's machine and "manipulates it".
In server push, the magic is accomplished by using a variant of the MIME message format "multipart/mixed", which lets a single message (or HTTP response) contain many data items. In client pull, the magic is accomplished by an HTTP response header (or equivalent HTML tag) that tells the client what to do after some specified time delay.
For server push we use a variant of "multipart/mixed" called "multipart/x-mixed-replace". The "x-" indicates this type is experimental. The "replace" indicates that each new data block will cause the previous data block to be replaced -- that is, new data will be displayed instead of (not in addition to) old data.
So here's an example of "multipart/x-mixed-replace" in action:
    Content-type: multipart/x-mixed-replace; boundary=ThisRandomString

    --ThisRandomString
    Content-type: text/plain

    Data for the first object.

    --ThisRandomString
    Content-type: text/plain

    Data for the second and last object.

    --ThisRandomString--
The key to the use of this technique is that the server does not push the whole "multipart/x-mixed-replace" message down all at once but rather sends down each successive data block whenever it sees fit.
And this is the problem. We have a pipe. And we have a server making a decision when it will send the next data block. I guess the server could also decide dynamically what that data block is going to be once it has opened its pipe to the client. That is way too much trust for a client to place in a server that it doesn't know if it can trust.
The HTTP connection stays open all the time, and the server pushes down new data blocks as rapidly or as infrequently as it wants, and in between data blocks the browser simply sits and waits for more data in the current window. The user can even go off and do other things in other windows; when the server has more data to send, it just pushes another data block down the pipe, and the appropriate window updates itself.
Yep, the appropriate window just "updates" itself at the command of the server. A good faith update ... or let's call it a good faith process.
So here's exactly what happens:
Following in the tradition of the standard "multipart/mixed", "multipart/x-mixed-replace" messages are composed using a unique boundary line that separates each data object. Each data object has its own headers, allowing for an object-specific content type and other information to be specified.
Let's emphasize that what we have is a slave client at one end of a pipe accepting an object-specific content-type from any server. This is not within the tradition of multipart/mixed. And this is a problem.
The specific behavior of "multipart/x-mixed-replace" is that each new data object replaces the previous data object. The browser gets rid of the first data object and instead displays the second data object.
A "multipart/x-mixed-replace" message doesn't have to end! That is, the server can just keep the connection open forever and send down as many new data objects as it wants. The process will then terminate if the user is no longer displaying that data stream in a browser window or if the browser severs the connection (e.g. the user presses the "Stop" button). We expect this will be the typical way people will use server push.
The previous document will be cleared and the browser will begin displaying the next document when the "Content-type" header is found, or at the end of the headers otherwise, for a new data block. The current data block (document) is considered finished when the next message boundary is found.
Together, the above two items mean that the server should push down the pipe: a set of headers (most likely including "Content-type"), the data itself, and a separator (message boundary). When the browser sees the separator, it knows to sit still and wait indefinitely for the next data block to arrive.
Now let's play with the prior example. Let's say that we utilized different types of objects. I'll use multipart/parallel and application/postscript.
    Content-type: multipart/x-mixed-replace; boundary=ThisRandomString

    --ThisRandomString
    Content-type: application/postscript

    Data for the first object

    --ThisRandomString
    Content-Type: multipart/parallel; boundary=ThisSecondRandomString

    --ThisSecondRandomString
    Content-Type: application/postscript

    Data for the second object

    --ThisSecondRandomString
    Content-type: application/postscript

    Deletefile Renamefile Filenameforall File

    --ThisSecondRandomString--
    --ThisRandomString--
I think that the foregoing explains itself without me having to draw any more maps, than is absolutely necessary. The first data object sent is application/postscript. The second object is multipart/parallel. And it's where we conflict with federal requirements:
b. Unauthorized manipulation of the computer and its associated peripheral devices."[8, sec. I B.3]
And I think that this is applicable across the entire product line. I wonder if this makes me eligible for a bounty for each product where there is this Security Bug?? That would be very chivalrous of Netscape to offer me that. Then maybe I could get a real computer rather than this crufty old Mac Plus (a yellow one) and my 2400 baud modem... and then, I might just be able to do some virtually real hunting. Alice de 'nonymous ... (doing a bad impression of Elmer Fudd with thoughts of Bugs Bounty in his lil mind.) ...just another one of those... P.S. And yes I brought this whole issue (tangentially) to the attention of netscape.com yesterday afternoon. I think I asked whether they were going to have a formal specification and register their x-mixed-replace with IANA. They haven't gotten to my email yet, (I think). Or maybe, I'm in the Bulk response group. <shrug> P.P.S. I give permission to have this propagate freely through the cyber-aethyr. All other rights are of course reserved. C. S. U. M. O. C. L. U. N. E. _____________________________________________________________________ end quote

Mats Bergstrom wrote:
I am not technically competent to judge if his/her claim is worth reposting, but here it is, clipped from the very long Friday 13 rant, as found at Raph's index site (Subject: Bugs Bounty??...shhh... I'm huntin wa'bits... From:anonymous-remailer@shell.portal.com).
Thanks for digging this one out. I looked and didn't find it in our local spool. Alice de 'nonymous wrote:
    Content-type: multipart/x-mixed-replace; boundary=ThisRandomString

    --ThisRandomString
    Content-type: application/postscript

    Data for the first object

    --ThisRandomString
    Content-Type: multipart/parallel; boundary=ThisSecondRandomString

    --ThisSecondRandomString
    Content-Type: application/postscript

    Data for the second object

    --ThisSecondRandomString
    Content-type: application/postscript

    Deletefile Renamefile Filenameforall File

    --ThisSecondRandomString--
    --ThisRandomString--
I think that the foregoing explains itself without me having to draw any more maps, than is absolutely necessary. The first data object sent is application/postscript. The second object is multipart/parallel.
The above appears to be total trash:
1) Netscape does not know about multipart/parallel, and will bring up a "save as" dialog when it is encountered.
2) The whole multipart/x-mixed-replace, multipart/parallel, server push thing is not interesting. The final part with the naughty postscript could just be the main document.
3) Netscape does not ship with a helper app configured for application/postscript. If a user configures a postscript viewer that has not had the file operations disabled as a helper app to any web browser then they are opening themselves up for a world of hurt. The same is true if they just download the file and run their viewer on it manually. The same is true if they configure /bin/sh as an external viewer.
Obviously everyone should heed perry's warnings and emasculate their postscript interpreters before using them to view files of unknown origin.
--Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
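
The dispatch behaviour argued over in the message above, as an added example (not from the thread and not Netscape's code): it parses a server-push stream shaped like the one quoted, then reports what a browser-like client would do with each part under a given helper-application table. The type sets, helper commands and sample bodies are constructed assumptions; `-dSAFER` assumes the PostScript helper is Ghostscript.

```python
from email import message_from_string

# Types this sketch's client renders itself (assumption).
INLINE_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg"}
# Multipart containers the client unpacks. Per the reply above, multipart/parallel
# is not one of them and ends in a "save as" dialog.
KNOWN_CONTAINERS = {"multipart/mixed", "multipart/x-mixed-replace"}
# Types whose viewers are language interpreters, mapped to the option that must be
# present on the helper command to restrict file access (None: no such option).
# "-dSAFER" is Ghostscript's option; treating the viewer as Ghostscript is an assumption.
INTERPRETED_TYPES = {"application/postscript": "-dSAFER", "application/x-sh": None}

# Constructed sample: same structure as the stream quoted in the thread,
# with placeholder bodies.
PUSH_STREAM = """\
Content-type: multipart/x-mixed-replace; boundary=ThisRandomString

--ThisRandomString
Content-type: application/postscript

% constructed placeholder body, first object

--ThisRandomString
Content-Type: multipart/parallel; boundary=ThisSecondRandomString

--ThisSecondRandomString
Content-Type: application/postscript

% constructed placeholder body, nested object

--ThisSecondRandomString--
--ThisRandomString--
"""

# Constructed sample: the same content type served as an ordinary document,
# with no server push involved.
MAIN_DOCUMENT = """\
Content-type: application/postscript

% constructed placeholder body
"""


def classify(ctype, helpers):
    """Return the client's action for one leaf part of type `ctype`."""
    if ctype in INLINE_TYPES:
        return "display"
    command = helpers.get(ctype)
    if command is None:
        return "save-as"  # no helper configured: nothing is executed
    if ctype in INTERPRETED_TYPES:
        flag = INTERPRETED_TYPES[ctype]
        if flag is None or flag not in command.split():
            return "helper-unrestricted"  # interpreter with file access left on
    return "helper"


def dispositions(raw, helpers):
    """List (content type, action) for every part the client would handle."""
    out = []

    def walk(msg):
        ctype = msg.get_content_type()
        if msg.is_multipart():
            if ctype in KNOWN_CONTAINERS:
                for part in msg.get_payload():
                    walk(part)
            else:
                # Unknown container: offered for saving as a whole, never unpacked.
                out.append((ctype, "save-as"))
        else:
            out.append((ctype, classify(ctype, helpers)))

    walk(message_from_string(raw))
    return out


if __name__ == "__main__":
    tables = {
        "as shipped (no helper)": {},
        "viewer without restriction": {"application/postscript": "gs -q"},
        "viewer with restriction": {"application/postscript": "gs -q -dSAFER"},
    }
    for name, helpers in tables.items():
        for label, raw in (("push stream", PUSH_STREAM), ("main document", MAIN_DOCUMENT)):
            print(f"{name:28} {label:14} {dispositions(raw, helpers)}")
```

The push stream and the plain document get the same result for `application/postscript` in every table, so the outcome depends on the helper table rather than on the server-push wrapper.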

Jeff Weinstein - Electronic Munitions Specialist Wrote: ...
If a user configures a postscript viewer that has not had the file operations disabled as a helper app to any web browser then they are opening themselves up for a world of hurt. The same is true if they just download the file and run their viewer on it manually. The same is true if they configure /bin/sh as an external viewer.
Obviously everyone should heed perry's warnings and emasculate their postscript interpreters before using them to view files of unknown origin.
WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read: "Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted." -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

Dr. Frederick B. Cohen wrote:
Jeff Weinstein - Electronic Munitions Specialist Wrote:
...
If a user configures a postscript viewer that has not had the file operations disabled as a helper app to any web browser then they are opening themselves up for a world of hurt. The same is true if they just download the file and run their viewer on it manually. The same is true if they configure /bin/sh as an external viewer.
Obviously everyone should heed perry's warnings and emasculate their postscript interpreters before using them to view files of unknown origin.
WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
Why did I know you would be showing up in this discussion? You wouldn't be related to alice de 'nonymous would you? I don't believe that Netscape claims to be some magic bullet that will suddenly make your system secure when you install it. We also don't claim that it will detect viruses. Don't you think we've wasted enough bandwidth on this? I'm sure most readers of this list are sick of it by now. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.

WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
Why did I know you would be showing up in this discussion? You wouldn't be related to alice de 'nonymous would you?
Is it Netscape's position that when people call them on their statements they make irrelevant comments and inflammatory remarks toward legitimate researchers who are freely helping them understand the security issues they apparently don't understand?
I don't believe that Netscape claims to be some magic bullet that will suddenly make your system secure when you install it. We also don't claim that it will detect viruses.
You claim that you provide secure net access for the purposes of transactions - which you don't - and you have gotten an enormous amount of money from people who don't understand these issues based, at least in part, on your false claims. Some people might interpret that as fraud. Now instead of trying to insult and put down people who have legitimate security concerns, you personally attack individuals, try to redirect the discussion away from the security flaws in Netscape, and try to hush the discussion with:
Don't you think we've wasted enough bandwidth on this? I'm sure most readers of this list are sick of it by now.
I think that you should give a copy of this and the other messages on this topic to someone at Netscape who is responsible for protection and ask them to speak for the company and address these issues head on. Regardless of your disclaimer, when you speak on the net, we hear Netscape, and the sounds are starting to sound more and more like Microsoft to me. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

On Wed, 18 Oct 1995, Dr. Frederick B. Cohen wrote:
You claim that you provide secure net access for the purposes of transactions - which you don't - and you have gotten an enormous amount of money from people who don't understand these issues based, at least in part, on your false claims. Some people might interpret that as fraud.
Well, assuming that US law follows british practice in this regard, it would seem that those people would be wrong- to prove fraud, you would need to show intent to commit fraud, and it's been obvious for a long long time that Netscape's security holes are the result of lack of experience rather than malice of any kind. Would you have a security expert write your graphics engine? Microsoft is the Evil Empire; Netscape is a Naughty Principality. Simon ---- (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n))))

Dr. Frederick B. Cohen wrote:
Why did I know you would be showing up in this discussion? You wouldn't be related to alice de 'nonymous would you?
Is it Netscape's position that when people call them on their statements they make irrelevant comments and inflammatory remarks toward legitimate researchers who are freely helping them understand the security issues they apparently don't understand?
Perhaps that comment was out of line. If I offended you I apologize.
I don't believe that Netscape claims to be some magic bullet that will suddenly make your system secure when you install it. We also don't claim that it will detect viruses.
You claim that you provide secure net access for the purposes of transactions - which you don't - and you have gotten an enormous amount of money from people who don't understand these issues based, at least in part, on your false claims. Some people might interpret that as fraud.
Now instead of trying to insult and put down people who have legitimate security concerns, you personally attack individuals, try to redirect the discussion away from the security flaws in Netscape, and try to hush the discussion with:
I don't see how any product could meet your definition of "secure". I think you've made your point, and I don't agree with it. How you pursue the matter is of course up to you.
Don't you think we've wasted enough bandwidth on this? I'm sure most readers of this list are sick of it by now.
I think that you should give a copy of this and the other messages on this topic to someone at Netscape who is responsible for protection and ask them to speak for the company and address these issues head on. Regardless of your disclaimer, when you speak on the net, we hear Netscape, and the sounds are starting to sound more and more like Microsoft to me.
If you wish to get an official statement from Netscape, you should contact our PR department. Their number is 415-528-2802. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.

On Wed, 18 Oct 1995, Dr. Frederick B. Cohen wrote:
Is it Netscape's position that when people call them on their statements they make irrelevant comments and inflammatory remarks toward legitimate researchers who are freely helping them understand the security issues they apparently don't understand?
Jeff doesn't speak directly for Netscape, Doc. Your previous suggestion didn't make much sense, the idea that a single piece of software must close ALL the holes across the board to be called "secure" is ludicrous. Granted it should cover all within its domain, and provide safeguards, but to expect Netscape to handle security problems that rightfully should be fixed in the TCP/IP protocol stack, or in the interpreter for another language that happens to have a security hole and can be spawned off. Netscape does not come with a postscript app preset so the user has to make a conscious choice. All postscript viewers I have used make mention of these security problems, and I would hope(tho do not for one second believe) that users read these warnings. If they don't and set-up the browser to spawn off files of unknown origins, then they are taking their own risks and I do not think for one second netscape could be held responsible. There is no defense against the dreaded DEU hole that exists on all systems. Nesta Stubbs "Betsy, can you find the Pentagon for me? Cynico Network Consulting It has five sides and a big parking lot" nesta@cynico.com -Fred McMurray-

Regardless of your disclaimer, when you speak on the net, we hear Netscape, and the sounds are starting to sound more and more like Microsoft to me.
Speak for yourself. When Jeff posts, I hear (fancy that!) Jeff. In any case, it might be wise for Jeff to get a non-netscape account to do his cypherpunks posting from, so as to avoid confusion. (ObPlug: Community ConneXion offers mailboxes for just $5/month -- shell accounts for $7.50 ;-) -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer@c2.org

WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
That's bullshit. Netscape can't control every user's entire environment. It's Netscape's job to produce a secure product. If the users of said product decide to shoot themselves in the foot by configuring it insecurely that is their problem. It is in Netscape's best interest to make it difficult to configure insecurely, but impossible to prevent. -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer@c2.org

WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
By that rule, it should instead say: "Netscape is only secure if "you use it in a physically secure computer, only accessible to the person "using it, with an absolutely secure OS, configured for maximum security, "totally bug-free, using a network connection that only spans trusted hosts "with absolute security levels at least as astringent as that of origin, "that can in no way whatsoever be tapped or otherwise tampered with, "and to which only persons of absolute trust (if that thing exists) for "the original user have access. And that only if God doesn't decide to "make a miracle to break the security or a quantic effect doesn't suddenly "materialize some kind of horrible and unknown monster from another dimension "with evil intentions against that specific user of Netscape and power "enough to break his/her tight security ring! Oh, and provided the user doesn't "suddenly become mad and etc, etc, etc..." You could go on forever. Look, the truth is that no matter how you put it, there is always a weakest link which is the human factor. The most you can say is that any method -cryptographic or not- is as secure as the weakest link in the whole environment in which it is used. That stated, the farther you can go is to guarantee only the security of *your* crypto -or whatever- method and only as far as commonly accepted wisdom and knowledge allow you to do so. You can't be sure there is no one there who knows how to factor big numbers, and is keeping silent and becoming very rich breaking into other people information. I think it is fair if anybody says that their product -or crypto- method, considered isolatedly, has a given level of "accepted" strength. With that in their hand any minimally intelligent user should be able to evaluate the security of his/her own setup given all the -infinite- things that can go wrong and his/her personal trust on mankind.
Otherwise it would be like asking car makers to give you a detailed listing of the relative resistance of all the materials in the car against any possible other matter in the Universe into which you could possibly crash. Imagine it: The new XXXX is safe to drive as long as you don't crash into a truck, concrete wall, jump over a cliff, submerge into deep ocean, or a nuclear bomb doesn't explode over your head...! jr

On Wed, 18 Oct 1995, Dr. Frederick B. Cohen wrote:
WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
That just doesn't make all that much sense. "regardless of the user's use of their product"? Sure, like PGP should be considered insecure software because as a user I could use it on an ISP, and make my passwd two characters long and leave it set as an environment variable in the shell for the pre-mail script I have.
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
No, otherwise the postscript viewer is insecure. Netscape is not handling the postscript code, just passing it along. It does not come with an application for postscript automagically setup for the user so you can't blame it for spawning an application without the user's knowledge. Maybe there should (or is there already) be a note in the docs mentioning this, but of all the regular users I know, none of them read documentation. To expect a system to call itself insecure because the user is stupid and invites evil in doesn't make much sense. So I guess Java can NEVER be secure because if I want I can enable native calls and all the file access classes and other dangerous stuff for any application I want to and shut down all the inbuilt security. It's Sun's fault that I'm dumb as a brick wall?
Nesta Stubbs, Cynico Network Consulting, nesta@cynico.com
"Betsy, can you find the Pentagon for me? It has five sides and a big parking lot" -Fred McMurray-

Dr. Frederick B. Cohen wrote:
WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
Err... If software companies were to follow your line of logic, software boxes (all sorts of software) would become covered with fine print. As would ads for the software. Although I'm sure industry lawyers would welcome that, personally I think it would be quite sad. A stupid example: I can replace copy on your machine so that it does a delete instead. Does that mean that the OS manufacturer has to warn a user about this? There's a point at which one has to hand off the assessment to the buyer. This is my own opinion and also that of anyone who agrees with me. I'm reading this group because it's very interesting for me personally. There. -- ~Jules (Julius Cisek) /- __ - mailto:jules@netscape.com Server Eng, NETSCAPE /\ >\=/\ --- http://home.netscape.com/people/jules MtnView-CA-USA-Earth \/ -\/ -- p:415.528.2968 f:415.528.4122 ---===> COGITO ERGO VROOM <===---

Dr. Frederick B. Cohen wrote:
I respectfully disagree. Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
Err... If software companies were to follow your line of logic, software boxes (all sorts of software) would become covered with fine print. As would ads for the software. Although I'm sure industry lawyers would welcome that, personally I think it would be quite sad.
The point is, Netscape CLAIMS to provide security - Microsoft doesn't.
A stupid example: I can replace copy on your machine so that it does a delete instead. Does that mean that the OS manufacturer has to warn a user about this?
On my machine, if you replace copy with delete, it will be detected before it does the delete, and, unless you are very skilled, when I tell it to copy, the corruption will be automatically corrected. This is because I use an "integrity shell" - something you guys at Netscape probably never heard of.
There's a point at which one has to hand off the assessment to the buyer.
The point I have been trying to make that many on this list seem to ignore again and again, is that Netscape makes the security claims. If you don't provide effective protection, don't make the claim. If you want to make the claim back it up with something other than media hype.
This is my own opinion and also that of anyone who agrees with me. I'm reading this group because it's very interesting for me personally. There.
All of our opinions are our own, and my opinion is that Netscape (not you) is: - making inadequately supported claims about a nebulous thing called "security". - using it as a basis to get people to invest millions (billions?) of dollars. - plans to use it to move millions, and eventually billions of dollars over the Internet, potentially placing a fair chunk of the world economy (I'm not kidding) as well as individual privacy (and thus freedom) at risk. - may succeed unless people who do understand the implications find a way to fix the thing. These things concern me, so I will stand my ground regardless of the flames and ask, yet again, for someone at Netscape to tell us what you mean by "security" when you make claims about it (I won't repost my questions from a few days ago since you have already ignored them) and why your claims are strong enough for a big chunk of the world economy to rest on it. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

Dr. Frederick B. Cohen wrote:
Dr. Frederick B. Cohen wrote:
I respectfully disagree. Netscape claims to be "secure" - hence it is Netscape's job to be secure - regardless of the user's use of their product. Otherwise, the ads should read:
"Netscape can be used securely by sufficiently knowledgeable users who have emasculated their postscript interpreters before using them to view files of unknown origin, and who have removed all other known, unknown, and/or undisclosed security holes from their systems. Otherwise, Netscape is insecure and should not be trusted."
Err... If software companies were to follow your line of logic, software boxes (all sorts of software) would become covered with fine print. As would ads for the software. Although I'm sure industry lawyers would welcome that, personally I think it would be quite sad.
The point is, Netscape CLAIMS to provide security - Microsoft doesn't.
Here is a quote from Microsoft's Internet Explorer 2.0 Beta announcement, which can be found at http://www.microsoft.com/windows/pr/sept2895.htm: Internet Explorer 2.0 also provides users with a secure environment. Complete support for Secure Sockets Layer (SSL) and RSA encryption allows integration with secure sites. In addition, Internet Explorer 2.0 will support Private Communication Technology (PCT), which is an efficient and secure upgrade to the SSL protocol. Internet Explorer will also support Secure Transaction Technology (STT), an electronic payment technology jointly developed by Microsoft and Visa International, as soon as it is available. There is that pesky word "secure", five times in one paragraph.
A stupid example: I can replace copy on your machine so that it does a delete instead. Does that mean that the OS manufacturer has to warn a user about this?
On my machine, if you replace copy with delete, it will be detected before it does the delete, and, unless you are very skilled, when I tell it to copy, the corruption will be automatically corrected. This is because I use an "integrity shell" - something you guys at Netscape probably never heard of.
What if they replace your "integrity shell"?
There's a point at which one has to hand off the assessment to the buyer.
The point I have been trying to make that many on this list seem to ignore again and again, is that Netscape makes the security claims. If you don't provide effective protection, don't make the claim. If you want to make the claim back it up with something other than media hype.
We are working on clarifying our security claims. Here is an example from the San Jose Mercury news on Aug. 17, 1995: "We have said for a long time that given the right amount of computer power, that a 40-bit key encrypted message could be decrypted," said Mike Homer, Netscape's vice president of marketing.
This is my own opinion and also that of anyone who agrees with me. I'm reading this group because it's very interesting for me personally. There.
All of our opinions are our own, and my opinion is that Netscape (not you) is:
- making inadequately supported claims about a nebulous thing called "security".
Here is one definition of the word "security" from the Webster's New World Dictionary, Third Edition: protection or defense against attack, espionage, etc. Note that I make no claims that this is Netscape's definition of security in our products.
- using it as a basis to get people to invest millions (billions?) of dollars.
Billions of dollars have not been invested in Netscape. An examination of the prospectus and the current stock price will bear this out. Here is a quote from the Netscape prospectus: The Company has included in its products an implementation of the Secure Sockets Layer ("SSL"), a security protocol which operates in conjunction with encryption and authentication technology licensed from RSA Data Security, Inc. ("RSA"). Despite the existence of these technologies, the Company's products may be vulnerable to break-ins and similar disruptive problems caused by Internet users. Such computer break-ins and other disruptions would jeopardize the security of information stored in and transmitted through the computer systems of end users of the Company's products... Of course anyone who is interested in investing in Netscape's stock should get and read the entire prospectus.
- plans to use it to move millions, and eventually billions of dollars over the Internet, potentially placing a fair chunk of the world economy (I'm not kidding) as well as individual privacy (and thus freedom) at risk.
It would have to be many billions of dollars before it becomes "a fair chunk of the world economy", and I think that even the most optimistic projections of internet commerce put that many years in the future.
- may succeed unless people who do understand the implications find a way to fix the thing.
These things concern me, so I will stand my ground regardless of the flames and ask, yet again, for someone at Netscape to tell us what you mean by "security" when you make claims about it (I won't repost my questions from a few days ago since you have already ignored them) and why your claims are strong enough for a big chunk of the world economy to rest on it.
I don't think that it is reasonable to expect that everyone who asks for an official company position on some random mailing list will get a response. The people who make such statements are not usually on such lists, and they have other forums for making public statements. Perhaps you should call our PR department for a statement. You are certainly free to "stand your ground", but I am also free to not respond to you. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.

The point is, Netscape CLAIMS to provide security - Microsoft doesn't.
Here is a quote from Microsoft's Internet Explorer 2.0 Beta announcement, which can be found at http://www.microsoft.com/windows/pr/sept2895.htm:
Internet Explorer 2.0 also provides users with a secure environment. Complete support for Secure Sockets Layer (SSL) and RSA encryption allows integration with secure sites. In addition, Internet Explorer 2.0 will support Private Communication Technology (PCT), which is an efficient and secure upgrade to the SSL protocol. Internet Explorer will also support Secure Transaction Technology (STT), an electronic payment technology jointly developed by Microsoft and Visa International, as soon as it is available.
There is that pesky word "secure", five times in one paragraph.
I hadn't seen it - everything I said about Netscape (except the money) applies doubly so to Microsoft - doubly because they have been putting garbage out for years and should have fixed it long ago.
A stupid example: I can replace copy on your machine so that it does a delete instead. Does that mean that the OS manufacturer has to warn a user about this?
On my machine, if you replace copy with delete, it will be detected before it does the delete, and, unless you are very skilled, when I tell it to copy, the corruption will be automatically corrected. This is because I use an "integrity shell" - something you guys at Netscape probably never heard of.
What if they replace your "integrity shell"?
If you really want to know how this works, you might try reading the 5+ refereed journal articles on the subject, however, to replace the Integrity shell undetected, you would have to bypass the hardware write protection on a hard-disk.
There's a point at which one has to hand off the assessment to the buyer.
The point I have been trying to make that many on this list seem to ignore again and again, is that Netscape makes the security claims. If you don't provide effective protection, don't make the claim. If you want to make the claim back it up with something other than media hype.
We are working on clarifying our security claims. Here is an example from the San Jose Mercury news on Aug. 17, 1995:
"We have said for a long time that given the right amount of computer power, that a 40-bit key encrypted message could be decrypted," said Mike Homer, Netscape's vice president of marketing.
"We" - I take it you are now speaking officially for Netscape? So how come Netscape doesn't even know about Integrity shells and yet claims to be able to design secure systems for money transfers?
This is my own opinion and also that of anyone who agrees with me. I'm reading this group because it's very interesting for me personally. There.
All of our opinions are our own, and my opinion is that Netscape (not you) is:
- making inadequately supported claims about a nebulous thing called "security".
Here is one definition of the word "security" from the Webster's New World Dictionary, Third Edition:
protection or defense against attack, espionage, etc.
Note that I make no claims that this is Netscape's definition of security in our products.
So what IS Netscape's definition?
- using it as a basis to get people to invest millions (billions?) of dollars.
Billions of dollars have not been invested in Netscape. An examination of the prospectus and the current stock price will bear this out.
That's why the ?
Here is a quote from the Netscape prospectus:
The Company has included in its products an implementation of the Secure Sockets Layer ("SSL"), a security protocol which operates in conjunction with encryption and authentication technology licensed from RSA Data Security, Inc. ("RSA"). Despite the existence of these technologies, the Company's products may be vulnerable to break-ins and similar disruptive problems caused by Internet users. Such computer break-ins and other disruptions would jeopardize the security of information stored in and transmitted through the computer systems of end users of the Company's products...
Excellent - I appreciate the information and withdraw my aspersions relating to fraud.
Of course anyone who is interested in investing in Netscape's stock should get and read the entire prospectus.
Absolutely.
- plans to use it to move millions, and eventually billions of dollars over the Internet, potentially placing a fair chunk of the world economy (I'm not kidding) as well as individual privacy (and thus freedom) at risk.
It would have to be many billions of dollars before it becomes "a fair chunk of the world economy", and I think that even the most optimistic projections of internet commerce put that many years in the future.
You must be unaware of Chaos theory. Even a few hundred million screwed up in the right way can have a major impact on the global economy. It has something to do with the fact that economies work on the basis of people's perceptions, not just facts.
- may succeed unless people who do understand the implications find a way to fix the thing.
These things concern me, so I will stand my ground regardless of the flames and ask, yet again, for someone at Netscape to tell us what you mean by "security" when you make claims about it (I won't repost my questions from a few days ago since you have already ignored them) and why your claims are strong enough for a big chunk of the world economy to rest on it.
I don't think that it is reasonable to expect that everyone who asks for an official company position on some random mailing list will get a response. The people who make such statements are not usually on such lists, and they have other forums for making public statements. Perhaps you should call our PR department for a statement.
You are certainly free to "stand your ground", but I am also free to not respond to you.
It's a deal. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
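The verify-before-run and automatic-repair behaviour described in the "integrity shell" exchange above can be sketched as follows. This is an added example, not Dr. Cohen's software or anything posted to the list; SHA-256, the `IntegrityShell` class and the `store_dir` directory (standing in for the write-protected disk) are assumptions made for illustration.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the file's SHA-256 hex digest, or None if it cannot be read."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except OSError:
        return None


class IntegrityShell:
    def __init__(self, store_dir):
        # Assumption: store_dir stands in for write-protected media holding
        # clean copies; this sketch cannot enforce that protection itself.
        self.store_dir = Path(store_dir)
        self.baseline = {}  # resolved path -> (digest, clean copy path)

    def enroll(self, path):
        path = Path(path).resolve()
        digest = sha256_of(path)
        if digest is None:
            raise ValueError(f"cannot read {path}")
        clean = self.store_dir / digest
        shutil.copy2(path, clean)
        self.baseline[path] = (digest, clean)

    def check(self, path):
        """Verify before use: 'ok', or 'restored' after repair from the clean copy."""
        path = Path(path).resolve()
        if path not in self.baseline:
            raise RuntimeError(f"not enrolled: {path}")
        digest, clean = self.baseline[path]
        if sha256_of(path) == digest:
            return "ok"
        if sha256_of(clean) != digest:
            raise RuntimeError(f"clean copy also altered: {path}")
        shutil.copy2(clean, path)
        return "restored"

    def run(self, path, *args):
        status = self.check(path)  # nothing executes until the check passes
        return status, subprocess.run([str(path), *args]).returncode


def demo():
    # Constructed sample: a 'copy' script that is later swapped for a delete.
    work = Path(tempfile.mkdtemp())
    (work / "store").mkdir()
    prog = work / "copy"
    prog.write_text('#!/bin/sh\ncp "$1" "$2"\n')
    shell = IntegrityShell(work / "store")
    shell.enroll(prog)
    first = shell.check(prog)
    prog.write_text('#!/bin/sh\nrm "$1"\n')  # constructed tampering
    return first, shell.check(prog), prog.read_text()
```

The check and the execution are separate steps here, so the guarantee only holds if nothing can rewrite the program between them, and the baseline is only as trustworthy as the storage that holds it.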
participants (11)
- fc@all.net
- J. R. Valverde (EMBL Outstation: the EBI)
- Jeff Weinstein
- Julius Cisek
- Mats Bergstrom
- Nesta Stubbs
- Phil Karlton
- s1018954@aix2.uottawa.ca
- sameer
- Simon Spero
- Westcan1@softnc1.softnc.com