Java & Netscape security [NOISE]

Dr. Frederick B. Cohen fc at all.net
Thu Nov 16 16:09:54 PST 1995


> Perhaps Dr. Fred fails to realise that some people *aren't* speaking
> for their entire company every time they write e-mail. [see fc.all.net--
> i always enjoy pronouncing that nearly phonetically]

I thought all Netscape and Sun communications come from their PR
departments.  You can't have it both ways.  Your position seems to be:

	If employees make statements that work out, it's OK.
	If their statements don't work out, you disclaim them.

This is baloney.  When you work for Netscape or Sun and speak about your
company's products, you are representing the company whether you
disclaim it or not.

...
> To have some slight cpunks relevance, I will weigh in on the side of
> `It's not X's responsibility to ensure that Y's software isn't broken.'
> {for all X, Y in {software developers}} Why? For the same reason that
> I'm not generally held accountable for, say, Gary Jeffer's opinions
> or Tim May's: because I don't have any control over them.

	So your claim is that Unix is perfectly secure for networking,
because without inetd, sendmail, ident daemon, HTTP daemons, syslogd,
and all those other add-on software pieces, if your users act perfectly
and nobody ever makes a mistake, you are safe from known attacks. 

	I think this is ridiculous.

	When sendmail has a bug, most Unix systems become insecure. 
When syslog has a bug, most Unix systems become insecure.  These are
commonly called Unix insecurities.

	When PostScript allows writing to files, most Web browsers
become insecure - including Netscape, including HotJava.  If the only
commonly available PostScript programs are insecure, the products have
hooks designed to allow PostScript to be used automatically to interpret
programs from over the net, and servers commonly provide information in
PostScript format, the enabling technology (i.e., Netscape and HotJava)
is responsible for the vulnerability.

	If it only worked under Unix, people would call it a Unix
vulnerability, but since it works under Windows and OS/2 and every other
system that runs Netscape or HotJava, it is a Netscape and HotJava
vulnerability.

	I would also call it a PostScript vulnerability, EXCEPT that
HotJava and Netscape ALSO provide hooks to command interpreters and
other insecure software, so we can't just pin it on the add-ons.  The
common thread is the Web browser, and that's where the blame belongs. 
Not with the millions of users, not with the tens of add-ons, not with
the various operating environments, but with the one common thread, the
Web browser.


-- 
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
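
[Editor's note: an added illustration of the "hooks" the message above
refers to.  This is example configuration written for this archive page,
not text from the original post or from Netscape/Sun.  Unix browsers of
the period dispatched downloaded content to helper programs through a
mailcap file; the exact entries, the MIME types and the ghostscript
command lines below are this editor's assumptions about a typical setup,
not a verified 1995 default.]

```mailcap
# Helper-application dispatch, as a browser of the period would read it
# from ~/.mailcap or /etc/mailcap.  "%s" is the temporary file the
# browser writes the fetched document into before running the helper.

# WEAK: every application/postscript response fetched over the net is
# handed to a full PostScript interpreter.  PostScript is a programming
# language with file operators, so a document served by a hostile site
# can open and write any file the browser's user can.
application/postscript; gs -q -dNOPAUSE -dBATCH -sDEVICE=x11 %s

# HARDENED: -dSAFER makes ghostscript run the document with its file
# operators restricted (no writing, deleting or renaming files), so the
# same document can only be rendered, not used to modify the filesystem.
application/postscript; gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=x11 %s

# The "hooks to command interpreters" point: an entry like this one
# (illustrative; the type name is an assumption) runs arbitrary script
# content from the network with the user's privileges.  The fix is to
# have no such entry at all, not a safer interpreter flag.
# application/x-sh; sh %s
```

Two caveats a practitioner would add.  First, -dSAFER is a mitigation
inside the helper, so it only holds as long as the interpreter's own
sandbox has no bypass; the browser is still the component that decided
to run network content through an interpreter unattended.  Second, the
hardened entry does nothing for a browser whose built-in defaults ignore
the user's mailcap, which is exactly the argument the message above is
making about where responsibility sits.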
