From: David Berger <dvberger@eit.COM>
Date: Wed, 11 Oct 95 18:51:36 PDT
To: Paul A Gauthier <gauthier@CS.Berkeley.EDU>
Subject: Re: NYT on Internet Flaws
Message-ID: <199510120159.SAA27558@viper.eit.com>
MIME-Version: 1.0
Content-Type: text/plain


[stuff deleted]

>People seem to miss that the NFS hack was only an _example_ of a powerful
>way to silently destroy the integrity of an executable. Spoofing the
>insecure FTP session they used to retrieve it works. Sending them a random
>trojan horse works. The point was not that NFS is insecure. It was that
>unless you can authenticate your executables as being trustworthy NOTHING
>ELSE MATTERS.

No I don't think the community missed the point.  While both NFS and FTP are
equally weak in the way you point out, I think you should have used FTP as
your main example because if we presume that the file server where the
binary lives is reasonably trustworthy (like the guys at Netscape haven't
inserted a trojan horse into their own binary and placed it up for FTP) then
the way the file will propogate throughout the net is FTP and not NFS.

Nonwithstanding, the NY Times writer took an otherwise reasonable point and
blew it up into a "War of the Worlds" style article.  I'd make sure he
writes a decent article before quoting me in it.

David  (wondering whose stock fell because of this page one-er)
===========================================================================
David A. Berger
Software Engineer/Internet Product Development
Enterprise Integration Technologies|800 El Camino Real|Menlo Park, CA 94025
dvberger@eit.com   http://www.eit.com/~dvberger/ (415) 617-8792
===========================================================================