1995-10-19 - [NOISE] Re: Postscript in Netscape

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: jules@netscape.com (Julius Cisek)
Message Hash: 293e5ac2db2a5f6b3a2fa0059d32e3b36c2d9318447358adad929e6d411ed58a
Message ID: <9510190231.AA15730@all.net>
Reply To: <3085AE63.BB6@netscape.com>
UTC Datetime: 1995-10-19 02:35:07 UTC
Raw Date: Wed, 18 Oct 95 19:35:07 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Wed, 18 Oct 95 19:35:07 PDT
To: jules@netscape.com (Julius Cisek)
Subject: [NOISE] Re: Postscript in Netscape
In-Reply-To: <3085AE63.BB6@netscape.com>
Message-ID: <9510190231.AA15730@all.net>
MIME-Version: 1.0
Content-Type: text


> Dr. Frederick B. Cohen wrote:
> > I respectfully disagree. Netscape claims to be "secure" - hence it is Netscape's job to
> > be secure - regardless of the user's use of their product.  Otherwise,
> > the ads should read:
> > 
> >         "Netscape can be used securely by sufficiently knowledgeable
> >         users who have emasculated their postscript interpreters before
> >         using them to view files of unknown origin, and who have removed
> >         all other known, unknown, and/or undisclosed security holes from
> >         their systems.  Otherwise, Netscape is insecure and should not be
> >         trusted."
> 
> Err...  If software companies were to follow your line of logic, software
> boxes (all sorts of software) would become covered with fine print.  As
> would ads for the software.  Although I'm sure industry lawyers would
> welcome that, personally I think it would be quite sad.

The point is, Netscape CLAIMS to provide security - Microsoft doesn't.

> 
> A stupid example:
> I can replace copy on your machine so that it does a delete instead.
> Does that mean that the OS manufacturer has to warn a user about this?

On my machine, if you replace copy with delete, it will be detected
before it does the delete, and, unless you are very skilled, when I tell
it to copy, the corruption will be automatically corrected.  This is
because I use an "integrity shell" - something you guys at Netscape
probably never heard of. 

> There's a point at which one has to hand off the assessment to the buyer.

The point I have been trying to make that many on this list seem to ignore
again and again, is that Netscape makes the security claims.  If you don't
provide effective protection, don't make the claim.  If you want to make
the claim, back it up with something other than media hype.

> This is my own opinion and also that of anyone who agrees with me.
> I'm reading this group because it's very interesting for me personally.
> There.

All of our opinions are our own, and my opinion is that Netscape (not you) is:

	- making inadequately supported claims about a nebulous
	thing called "security".

	- using it as a basis to get people to invest millions (billions?)
	of dollars.

	- plans to use it to move millions, and eventually billions of
	dollars over the Internet, potentially placing a fair chunk of the
	world economy (I'm not kidding) as well as individual privacy
	(and thus freedom) at risk.

	- may succeed unless people who do understand the implications
	find a way to fix the thing.

These things concern me, so I will stand my ground regardless of the
flames and ask, yet again, for someone at Netscape to tell us what you
mean by "security" when you make claims about it (I won't repost my
questions from a few days ago since you have already ignored them) and
why your claims are strong enough for a big chunk of the world economy
to rest on it. 

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236



