Netscape Logic Bomb detailed by IETF

Dr. Frederick B. Cohen fc at all.net
Mon Oct 23 07:16:40 PDT 1995


> Mr. Anonymous has a good reason to be anonymous -- he's an annoying

Perhaps.

> fool.

I don't agree.

> Yes, Mr. Anonymous, we all know postscript is dangerous. Thank you for
> this stunning revelation. We've read the IETF documents before, and
> some of us even helped write them.

Then you should support his point, which is valid.

> anonymous-remailer at shell.portal.com writes:
> > Clearly, someone has a vested interest which they are expending a 
> > great deal of effort to protect.  My email to Netscape detailing their 
> > logic bomb has gone unanswered, and unacknowledged for ten days now.
> 
> Maybe because you're an idiot and they don't feel that it's necessary
> to answer. What more need be said?

Being insulting and calling people names benefits nobody.

> Those of us who care run our postscript interpreters with all the
> dangerous commands stripped out, but given that Netscape doesn't
> supply postscript interpreters, it's not really their fault or
> problem.

I strongly disagree.  If Netscape provided a way to execute shell
commands on your host from a remote computer, it would certainly be a
hole created by their product.  The fact that the default shell is
potentially dangerous means it's incumbent on those who provide access
to it to provide adequate protection.

If Netscape wants to claim their product doesn't degrade security, they
should provide a safe postscript interpreter or not provide hooks to
unsafe ones.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236




