From: anonymous-remailer@shell.portal.com
Date: Wed, 18 Oct 95 11:41:00 PDT
To: cypherpunks@toad.com
Subject: Re: Netscape rewards are an insult
Message-ID: <199510181839.LAA07648@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Jeff Weinstein <jsw@netscape.com> wrote:
> David A Wagner wrote:
> > I do think their ``bug bounty'' system is an improvement -- at least
> > they're showing some concern for security, and beginning to admit
> > that outside review of security-critical code is...well...critical.
>
>   The whole bug bounty thing is an experiment.  We have no idea how
> valuable it will be, but we thought it would be worth trying.  As we
> gain more experience with it, we will probably evolve it.

Mr, Weinstein:

Is your comment about the "Bugs Bounty" program an official comment, that
you have "no idea how valuable" it will be??  Shall I give you a clue,
as to how valuable the discovery of a flawed algorithm might be??

How valuable do you think the ability to download an entire geo-physical
company's 3-D seismic data base is, while some company temp is looking at
a pretty picture of Moo Goo Gai pan, or downloading a recipe for goat-cheese
salad with ginger and macadamia nuts??

Why not admit that the whole Bugs Bounty program was a sham.  Nothing more
than a quickly slapped together public-relations program, that tried to
create an appearance that Netscape had a pro-active business plan.

Is it because there WAS no plan, whatsoever??

Why not admit that you were forced to take action and show that you were
"doing something" following the crack of the Netscape browser that was
supposed to protect sensitive information such as credit-card transactions.
And why not admit that what you did was raid a couple of left over press
kits, and take out some shirts and cups and throw together a damage control
program.  Your so-called "Bugs Bounty" program.

Is it because, a program that says that anyone who reports a "bug" in your
two billion dollar software wouldn't be rewarded -- no, they would
be entered into a draw where they _might_ could get a chance to win a cup
or a shirt??  Or they might receive a $1,000 reward as long as they agree
to a waiver of all their rights, and agree that by reporting the problem to
Netscape and entering the "Bugs Bounty" contest, that their report would:

   "become Netscape's property to be used at Netscape's sole discretion"

Is it because, this simply doesn't pass the giggle test??  And is
demonstrative of such a cavalier internal attitude and approach to
security that it can only be characterized as the grossest of misconduct?

I'm certain that even the marketing people must have burst into peals of
laughter at that one.

Why not admit that Netscape never thought that anyone would find anything at
all??  Why not admit that Netscape thought that they could weasal out of the
Berkeley crack, with a nice little pat on the head to the kids who found it??
Why not admit that not only did Netscape not have an action plan for "bugs"
prior to the "Berkeley crack", but doesn't have any action plan following it.

Why not admit that none of the cocky boys at Netscape had even considered
what would be done if there was an easily exploitable critical design flaw
in the algorithm.

And now that someone took Netscape up on its challenge, and simply said that
the emperor has no clothes, now that someone hasn't just discovered a "bug"
like the "Berkeley crack" but has demonstrated that the Netscape algorithm
is fatally flawed, by posting the exploitation algorithm, now what??

Good God, I asked for clarification from Netscape last Thursday, and Netscape
hasn't bothered to even return my email from almost a week ago.  And, after
posting the exploitation algorithm last week -- on Friday the Thirteenth --
there has been nothing but public relations huff-and-puff.

Clearly, no one performed adequate top-down / bottom-up analysis at Netscape.
And both the internal and external review process were woefully inadequate.

Or to steal a line from Jonathan Swift, in Gulliver's Travels.  Are you,

        "a most ingenious Architect who had contrived a new
         Method for building Houses, by beginning at the Roof,
         and working downwards to the Foundation ..."

and then done nothing else, but issue press-releases to hype and promote
Netscape stock in some self-centered attempt to help out your "friends"
on Wall Street.

>> Still, I do agree that they really oughta be employing true experts
>> to carefully evaluate their system, if they wanna claim anything about
>> its security.
>
>  We are doing that to.  We are paying outside consultants to review
>everything related to security.

Oh yep, I bet you're paying them.

I wonder ... are you paying them in shirts or migs, for their white-wash
review??  And will the report from the external review become "Netscape's
sole property to be used at the sole discretion of Netscape".

Which consultants are you going to get, Mister (unofficial, off the record
speaking personally, not speaking for the Company) Netscape spokesperson??

Who?  AT&T??

AT&T has security people.  The phone company, has very good security
people. And the phone company is supposed to have good quality control,
(ISO-9000 or TQM or something ...) yet AT&T's own internal security
review missed this gaping gash in Netscape browser software.  Even now,
AT&T is using this software internally within its business units and is
ACTIVELY recommending a co-branded version of it to its worldwide customers.

Has Netscape informed AT&T about this??

I'm sure that Netscape has piled their best people into their Falcon and
are busily jetting them around the world signing confidentiality
agreements and retaining every possible outside consultant.  Entering into
agency agreements to keep the lid on the biggest international news story
since the Tylenol or Perrier poisoning.

I wonder who Netscape will get to sign??  Who's going to lend their name,
so that Netscape can say that "we're working closely with Jerry Lewis" or
something similar to solve our security problems.

But Mr.Lewis can't go public with what he knows, can he??  Even if he knows
that Netscape is fatally flawed.  Mr. Lewis will be a Netscape agent at that
point, won't he??  And he'll be bound by the terms of his confidentiality
agreement, even if the company is actively strategically misrepresenting
his confidential report.

Who's going to be left after Netscape hires all these outside consultants??
Who do you hire??  Euro-Mickey, Minny and Donald Duck??

Captain Kangaroo??



Alice de 'nonymous ...

                                  ...just another one of those...


P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.