Netscape rewards are an insult

anonymous-remailer at shell.portal.com
Thu Oct 19 10:23:54 PDT 1995


> :I've deleted the rest of your content-free rant.  Instead of alluding to
> :some "flawed algorithm", why not tell us about the hole you say you've
> :found in netscape?

OK, Netscape functions by DESIGN as an enhanced delivery vehicle.

Is that a sufficient explanation of the hole?? or is more detail necessary
(which follows): 

     Netscape blindly trusts any and all ports on all servers.  On the 
     basis of this trust, it begins a negotiation with a server that 
     might well have a dynamic deliverability capability.  The client then 
     examines a Content-type header, trusts the content-type to decide 
     what application it should launch, and then launches and processes 
     the data block it is fed, all on good faith.

     It even trusts the server to redirect it to any arbitrary destination
     which it automatically loads and then executes.

Is this enough of an explanation??  Or should I paraphrase:

      Netscape is a gateway that permits an untrustworthy server to take 
      complete control of a client's machine.  The server can tell the 
      client where it should go, what it should load and how often, and
      what applications to execute on the client machine, as though this 
      arbitrary server were its master.

Does this help to underscore the problem??  

The Netscape Navigator client was DESIGNED to be controlled remotely from
any machine on the Internet.  This is the "flawed algorithm".  W3 was
meant to be hypertext ... not a gateway that permits a server to deliver
customized byte bombs down a clearcut path by remote-control. 

If people don't know that you don't let another person (or machine) take
control of your machine and run programs on it ... well, like I said in
the past. 

>   "Let me make this absolutely clear.
>
>   It should not be up to non-US citizens like myself to safe-guard US
>   economic security, and protect vital national interests.  It is not 
>   my job and certainly not my responsibility to protect the international
>   public and Fortune 500 companies from poor security."

So without giving out another "exploitation algorithm" to the Internet,
without extending a helping hand to Japan to retaliate against the US for
the American Japanese auto surveillance, I will simply quote from two
sources which are "public record" and mentioned in the FAQ. 

From the "Orange Book", one of the volumes of the Department of Defence's
"Rainbow Series" more commonly known as TCSEC (Trusted Computer System
Evaluation Criteria) and available from: 

 U.S. Government Printing Office         INFOSEC Awareness Office
 Superintendent of Documents     - or -  National Computer Security Centre
 Washington, DC 20402                    9800 Savage Road
                                         Fort George G. Meade, MD  20755-6000

which stipulates that:

      "... it is required that ADP (Automated Data Processing) systems
       that "process, store, or use classified data and produce 
       classified information will, with reasonable dependability, prevent:

        a. Deliberate or inadvertent access to classified material by
           unauthorized persons, and

        b. Unauthorized manipulation of the computer and its associated 
           peripheral devices."

The above quoted reference is public information.  And, since Netscape is
making "no-comment" I will quote Netscape's public information. 

>   NETSCAPE CLIENT APIS (NCAPIS) 2.0
>          The NCAPIs are designed to allow third-party applications to
>          remotely control the Netscape Navigator client. They are
>          platform specific, utilizing the platform's native method of
>          interprocess communication (IPC). These APIs are not final
>          and may change with the release of version 1.1 of Netscape
>          Navigator (they do not work with Netscape Navigator 1.0).

Herein is the "flawed algorithm" which is just a fancy way of saying that
it's a flawed idea.  And this isn't new ... it's been there for a long
time. 

Generally, we don't routinely trust every other computer, foreign or 
domestic on the Internet to manipulate us by remote control.  This is
as basic as the idea that we don't give out our PIN numbers with our 
banking cards to anyone who asks us.  

If someone tries to suggest differently, then they are a fool.

Let's recall that Version 1.1 of Navigator was released long ago, and
trusts every machine on the Internet to do just that.  It trusts every
other machine on the Internet to be "trustworthy".  Whether that machine
is foreign or domestic.  We are not speaking about the new and improved --
feature added -- "beta" 2.0 software, we are speaking of the software that
AT&T is using internally and is selling to its customers as we speak as a 
"co-branded" product.

Software which AT&T security "approved" of in direct contravention of the
most basic of basic security principles.

Let me reiterate this.

Netscape's current existing software was designed in direct contravention
of the US Department of Defence's evaluation criteria for Trusted Computer
Systems, the TCSEC.  It also contravenes the ITSEC (Information Technology
Security Evaluation Criteria) which is a document developed by the
British, German, French, and Netherlands governments.

(Anyone can get a free copy of ITSEC by writing to the Commission of the
European Communities in Brussels.)

Netscape forgot one thing about trust.  If you "trust everyone" ... even if
you always trust everyone, you always cut the cards.

And when you're playing poker at these stakes ... well ... 'nuff said.



Alice de 'nonymous ...

                                  ...just another one of those...


P.S.  This post is in the public domain.  Please don't shoot the messenger.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.

P.P.S If this is confusing to anyone, please direct your comments to
      one or all of the following newsgroups:

                   alt.2600
                   alt.security
                   comp.security.announce
                   comp.security.misc
                   comp.virus
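
The trust decisions the post describes (choosing what to launch from the Content-type header, following any redirect) turned around as a deny-by-default client policy. This is an added example, not part of the original post and not Netscape code; the function names, the inline allowlist, the magic-byte list and the redirect limit are assumptions chosen for illustration.

```javascript
// Added illustration: a deny-by-default policy for what a client does with a
// server response. All names here are hypothetical, not Netscape code.
const RENDER_INLINE = new Set(["text/html", "text/plain", "image/gif", "image/jpeg"]);
const MAX_REDIRECTS = 5;

// Leading bytes that mark executable content, whatever the header claims.
const EXECUTABLE_MAGIC = [
  [0x4d, 0x5a],             // "MZ": DOS/Windows executable
  [0x7f, 0x45, 0x4c, 0x46], // ELF
];

function looksExecutable(body) {
  return EXECUTABLE_MAGIC.some((magic) => magic.every((b, i) => body[i] === b));
}

// response: { status, headers (lower-case keys), body (Uint8Array prefix) }
// ctx:      { url (absolute URL of this request), hops (redirects followed so far) }
function decideHandling(response, ctx) {
  const { status, headers, body } = response;

  if (status >= 300 && status < 400 && headers.location) {
    if (ctx.hops >= MAX_REDIRECTS) return { action: "block", reason: "redirect limit" };
    let target;
    try {
      target = new URL(headers.location, ctx.url); // resolves relative Locations
    } catch {
      return { action: "block", reason: "unparseable Location" };
    }
    if (target.protocol !== "http:" && target.protocol !== "https:")
      return { action: "block", reason: "redirect to non-web scheme" };
    if (new URL(ctx.url).protocol === "https:" && target.protocol === "http:")
      return { action: "block", reason: "redirect downgrades https" };
    return { action: "follow", url: target.href };
  }

  // The header is only a claim: strip parameters, then check it against the bytes.
  const declared = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!RENDER_INLINE.has(declared))
    return { action: "save", reason: "type not on inline allowlist" };
  if (looksExecutable(body))
    return { action: "save", reason: "body contradicts declared type" };
  return { action: "render", type: declared };
}
```

Anything the policy does not render is written to disk and never handed to a helper application automatically; "save" is the only outcome for unknown or contradictory types.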






