RE: Does your software?
I have unsubscribed from this mailing list. Please remove my name from your personal address lists. Thanks.

ahg3

----------
From: Peter Wayner [SMTP:pcw@access.digex.net]
Sent: Tuesday, October 24, 1995 2:33 PM
To: Dr. Frederick B. Cohen
Cc: cypherpunks
Subject: Re: Does your software?
My get-only server is available in source form, is 80 lines long and thus easily understood, has been shown to meet security properties, is now in the process of being mathematically proven to meet those properties, and is published in a refereed journal which can be used to confirm its contents in detail. Hence, I do provide secure distribution through purely physical means.
Uh, proofs only go so far. There was one Cornell CS professor who was a real devotee of "proving" your programs correct. He even published one of his proofs in a "refereed" journal. Big whoop. It still had an error. Proofs can help identify flaws, but they can never rule out all flaws. That's why their name is so bogus. I wouldn't be surprised if you could prove that the Finger daemon, which is sort of like a really low-level GET-ONLY HTTP server, is also safe. In fact, your math proving ability could probably even prove the pre-Robert Morris finger daemon is safe and secure. If programmers don't think of preventing finger requests longer than 512 bytes, then why should the head-in-the-clouds program provers?

- Peter
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
P.S. "FC" is your log in and "FC" is found inscribed in the writings of the Unabomber. Coincidence?

on't speak officially, were to be torn apart and the ulterior motives speculated upon, I'd either shut up on this list or get off it completely. (Recall that we had Marc Andreessen on this list last December--for whatever reasons, and there are likely several, he left. I recall many attacks on his company. He perhaps figured "What the hell do I need this for?")

Legitimate, scientific analysis is commendable. The brute force attack on Netscape was great, and even better was the random seed attack. But many of the attacks are less solid: "How can you people at Digital Datawhack produce such crap? The assumptions you make in the Flogisticon module are disgusting, another example of security through obscenity."

(What I think this piling on is likely to accomplish is to push company list subscribers here to just shut up. They see that the more is said by folks from Netscape, as the best current example, the more fireworks and insults ensue. The less that is said the better. This is not a good situation.)

I'm not arguing for "niceness," just that some of the edge be taken off the attacks. The "bounties" that are being offered in press releases have the danger of inviting premature announcement of results. And of discouraging companies from actively participating in this list and discussing what might be done to improve security.

Just my views. No doubt some will think I'm a shill for some company.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May            | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA             | knowledge, reputations, information markets,
Higher Power: 2^756839     | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
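Peter Wayner's point about the pre-Morris finger daemon is that a proof is only as good as the specification it covers: if the spec never mentions requests longer than the 512-byte buffer, a "proven" reader still has the overflow. The following is an added example, not code from any poster or from Cohen's get-only server: a bounded request reader whose length limit is an explicit part of the property, with helpers that check the behaviour at and beyond the bound. REQ_MAX, the function names, and the constructed inputs are assumptions.

```c
/* Bounded reader for a finger-style "get-only" request line. Added example,
 * not code from the thread; it assumes a 512-byte request buffer (REQ_MAX). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define REQ_MAX 512   /* assumed buffer size, including the terminator */
enum req_status { REQ_OK = 0, REQ_TOO_LONG = -1, REQ_EOF = -2 };

/* Read one line from fp into buf[buflen]. fgets() never writes past buflen
 * bytes, so no input length can overflow buf. A line that does not fit is
 * reported and drained, not silently truncated into a bogus next request. */
int read_request(FILE *fp, char *buf, size_t buflen)
{
    if (buflen < 2) return REQ_TOO_LONG;
    if (fgets(buf, (int)buflen, fp) == NULL) return REQ_EOF;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';                  /* complete line: drop newline */
        return REQ_OK;
    }
    int c = fgetc(fp);
    if (c == EOF) return REQ_OK;            /* final line without newline */
    while (c != EOF && c != '\n') c = fgetc(fp);  /* overlong: discard rest */
    return REQ_TOO_LONG;
}

/* Test helper: feed a constructed request string through a temporary file. */
int read_request_from_string(const char *input, char *buf, size_t buflen)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return REQ_EOF;
    fputs(input, fp);
    rewind(fp);
    int rc = read_request(fp, buf, buflen);
    fclose(fp);
    return rc;
}

/* Status for a constructed request of len 'A' bytes plus newline read into
 * a REQ_MAX buffer: the length bound is part of the property being checked. */
int status_for_length(size_t len)
{
    char buf[REQ_MAX], *req = malloc(len + 2);
    if (req == NULL) return REQ_EOF;
    memset(req, 'A', len);
    req[len] = '\n'; req[len + 1] = '\0';
    int rc = read_request_from_string(req, buf, sizeof buf);
    free(req);
    return rc;
}
```

The boundary cases (a request that exactly fills the buffer, one byte over, and one several kilobytes long) are the inputs a proof over an unbounded-input spec would never have examined.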