1995-09-19 - Re: NYT on Netscape Crack

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: cypherpunks@toad.com
Message Hash: 7da0867b315f1a347c7d37234b2e8e8b10d4bc58500b25b151bc3c70bf915f24
Message ID: <199509190355.XAA01329@frankenstein.piermont.com>
Reply To: <199509190300.XAA05027@pipe4.nyc.pipeline.com>
UTC Datetime: 1995-09-19 03:55:59 UTC
Raw Date: Mon, 18 Sep 95 20:55:59 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 18 Sep 95 20:55:59 PDT
To: cypherpunks@toad.com
Subject: Re: NYT on Netscape Crack
In-Reply-To: <199509190300.XAA05027@pipe4.nyc.pipeline.com>
Message-ID: <199509190355.XAA01329@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Markoff's article in the Times says:
>    Netscape officials said today that they would strengthen
>    the system, by making it significantly harder to determine
>    the random number at the heart of their coding system. They
>    said they would no longer disclose what data would be used
>    to generate the random numbers.

Not, of course, that they disclosed it before -- it was found by
reverse engineering the distributed executable. Not, of course, that
they have a choice in the matter of whether to disclose it -- they
will be "disclosing" how its done as soon as they release the
code. Not, of course, that security through obscurity does any good --
it just magnifies the pain.

I suspect that there are far more flaws in Netscape. String buffer
overflows are another good guess here -- they are probably rampant
through the code both for the browser and the commerce server they
sell. I can't prove it myself, of course, given that I don't have the
time to rip the thing apart, but the same folks never seemed to learn
their lesson in release after release when they worked at NCSA, and
the only thing thats probably keeping their dignity here is the lack
of distributed source code.

I'll pay for the "I broke Netscape's Security" T-Shirt for the
enterprising person that takes the time to find them in the object
code. (See Sameer's page on the shirts he's developing as prizes for
the Netscape flaw finders.)

Two "I broke Netscape's Security" T-Shirts to that daring soul at
Netscape who finds the next flaw and has the balls to mention it in
public instead of sweeping it under the carpet -- even if the person
is Marc Andreessen.

Perry





Thread