From: Adam Shostack <adam@homeport.org>
Date: Sat, 24 Jan 1998 03:49:40 +0800
To: Markus.Kuhn@cl.cam.ac.uk
Subject: Re: Netscape 5 will be GPL'ed
In-Reply-To: <E0xvVff-0003c1-00@heaton.cl.cam.ac.uk>
Message-ID: <199801231938.OAA19072@homeport.org>
MIME-Version: 1.0
Content-Type: text/plain



Markus Kuhn wrote:

| > NETSCAPE ANNOUNCES PLANS TO MAKE NEXT-GENERATION COMMUNICATOR SOURCE CODE
| > AVAILABLE FREE ON THE NET
| 
| Excellent!
| 
| Finally mainstream software companies start to understand that security
| critical software has to be provided to the customer in full compilable
| source code to allow independent security evaluation.

	I'm not sure that this is the message they're sending at all.
They're trying to work the Linux/GNU model of getting a horde of
volunteer programmers to improve their product, and base other
products on it, because of the ease of integration.  I don't know that
security was even on their minds.

| No formal CC/ITSEC evaluation process can beat the scrutiny of the
| Internet crowd.  I wonder how long we have to wait for the day on which

Not that the internet crowd is such hot shit, either.  The freely
usable FWTK contained a *really* easy to find replay attack for about
3 years, befire I pointed it out at the Crypto rump session.
(www.homeport.org/~adam/crypto97.html).  Small code.  Comments
pointing to problems.  Security critical in some instances.  3 Years
to find.

Adam



| we can download the latest GPL'ed Windows NT version source code from
| Microsoft's web server ...



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume