1995-10-14 - Re: Netscape rewards are an insult

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: pjnesser@rocket.com (Philip J. Nesser)
Message Hash: 1ab8831f331b7cbf65a023be59de9983e71a912c1feda96f7d1e257007661adc
Message ID: <9510141801.AA01730@all.net>
Reply To: <199510141700.KAA06274@oac1.rocket.com>
UTC Datetime: 1995-10-14 18:04:05 UTC
Raw Date: Sat, 14 Oct 95 11:04:05 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Sat, 14 Oct 95 11:04:05 PDT
To: pjnesser@rocket.com (Philip J. Nesser)
Subject: Re: Netscape rewards are an insult
In-Reply-To: <199510141700.KAA06274@oac1.rocket.com>
Message-ID: <9510141801.AA01730@all.net>
MIME-Version: 1.0
Content-Type: text


Phil typed:
> Have things really come to this?  Besides the legal implications of
> discovering a hole and then selling the information to someone, (who
> presumably will only want this information for one purpose) where has the
> attitude of doing for the sake of doing gone?

It's one thing to do good for the sake of doing good.  Most of us do that
every day by participating in this list.  It's quite another thing to be
insulted in the process.  I think that Netscape's reward is an insult.

If they think you can find major security bugs in Netscape for as little
as $1000, they should take the product off the market, or at least stop
claiming that it offers security.

>  Has Netscape been pestering
> security experts on the net for free work?  Have they been plaguing people
> or lists with email asking the net to do their jobs?  

They do far worse.  They claim security when they don't have it, and
when the cypherpunks demonstrate the false claims, Netscape offers
insulting future tribute.  I think that if they are sincere, they should
reward the individuals who found the last few holes with $25,000 each,
and show that they really mean business.

> I am tired of hearing people who may have had the urge to find weaknesses
> and bugs now going greedy and deciding that they should be paid for it.  If
> you don't want to participate then don't!  It's that simple.  If you feel
> netscape is a greedy money grubbing company who deserves to pay 25k for a
> bug report then start a company and develop a competing product which you
> feel deserves to get bug reports.  

I'm not greedy, and I have never found a novel security hole and told
the affected people they had to pay to find out about it.  I just don't
like seeing sincere people who volunteer their efforts being insulted or
trivialized or taken advantage of by the big-money people - and make no
mistake about it - that is what the Netscape offer is really all about.

The $25K is a trivial amount for finding such a hole in a product that
is supposed to secure billions of dollars worth of electronic funds
transfers.  If the bad guys find a hole, it could easily cost millions. 
If you don't believe me, look at the statistics for other holes in the
credit card and telecommunications businesses.  The losses are in the
billions each year. 

If Netscape won't bet $25K that they have no such holes, why
should their clients bet millions that the bad guys won't find and
exploit one?

> The reason why the Internet has become so popular/powerful is the
> willingness of people to help out and distribute information.  As a
> computer/networking professional I have saved hundreds of hours worth of
> my time when someone has been able to answer a question or solve a problem
> for me.  Likewise I have and continue to give just as many hours back
> answering others' questions.  That attitude is completely lacking in your
> suggestion and I can only hope that those opinions are in the minority
> even today.

It's not my attitude that's changing the Internet.  It's the nature of
any technology that it can be used for both good and evil.  The Internet
is no longer a research tool, and there are plenty of people using it
for criminal purposes.  If we don't start seriously rewarding people who
find and help fix the holes, we are dooming the Internet. 

And, oh yeah, the reason the Internet became so popular so fast had
nothing to do with free distribution of information.  It had to do with
the Vice President making public announcements about the NII, enormous
public relations efforts, and lots of national advertising.  The free
information has been there for 25 years or so.  The advertising and the
enormous growth started when the marketing people got going.

> The ironic part is the people who have been the most successful at finding
> bugs are not the ones who are demanding money for it!

The ironic part is that a company that claims to have a "secure" method
for using credit cards on the Internet thinks that their security is so
weak that it only takes $1000 to find a major hole.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236