1995-09-19 - Re: NYT on Netscape Crack

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: cypherpunks@toad.com
Message Hash: 7da0867b315f1a347c7d37234b2e8e8b10d4bc58500b25b151bc3c70bf915f24
Message ID: <199509190355.XAA01329@frankenstein.piermont.com>
Reply To: <199509190300.XAA05027@pipe4.nyc.pipeline.com>
UTC Datetime: 1995-09-19 03:55:59 UTC
Raw Date: Mon, 18 Sep 95 20:55:59 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 18 Sep 95 20:55:59 PDT
To: cypherpunks@toad.com
Subject: Re: NYT on Netscape Crack
In-Reply-To: <199509190300.XAA05027@pipe4.nyc.pipeline.com>
Message-ID: <199509190355.XAA01329@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Markoff's article in the Times says:
>    Netscape officials said today that they would strengthen
>    the system, by making it significantly harder to determine
>    the random number at the heart of their coding system. They
>    said they would no longer disclose what data would be used
>    to generate the random numbers.

Not, of course, that they disclosed it before -- it was found by
reverse engineering the distributed executable. Not, of course, that
they have a choice in the matter of whether to disclose it -- they
will be "disclosing" how its done as soon as they release the
code. Not, of course, that security through obscurity does any good --
it just magnifies the pain.

I suspect that there are far more flaws in Netscape. String buffer
overflows are another good guess here -- they are probably rampant
through the code both for the browser and the commerce server they
sell. I can't prove it myself, of course, given that I don't have the
time to rip the thing apart, but the same folks never seemed to learn
their lesson in release after release when they worked at NCSA, and
the only thing thats probably keeping their dignity here is the lack
of distributed source code.

I'll pay for the "I broke Netscape's Security" T-Shirt for the
enterprising person that takes the time to find them in the object
code. (See Sameer's page on the shirts he's developing as prizes for
the Netscape flaw finders.)

Two "I broke Netscape's Security" T-Shirts to that daring soul at
Netscape who finds the next flaw and has the balls to mention it in
public instead of sweeping it under the carpet -- even if the person
is Marc Andreessen.

Perry

Thread

• Return to September 1995

• Return to “Adam Shostack <adam@homeport.org>”
• Return to “Black Unicorn <unicorn@polaris.mindport.net>”
• Return to “Eli Brandt <eli@UX3.SP.CS.CMU.EDU>”
• Return to “Eric Young <eay@mincom.oz.au>”
• Return to “hallam@w3.org”
• Return to “John Young <jya@pipeline.com>”
• Return to “jsw@neon.netscape.com (Jeff Weinstein)”
• Return to “m5@dev.tivoli.com (Mike McNally)”
• Return to ““Perry E. Metzger” <perry@piermont.com>”
• Return to “Ray Cromwell <rjc@clark.net>”
• Return to “sameer <sameer@c2.org>”
• Return to “shields@tembel.org (Michael Shields)”

• Return to “Thomas Grant Edwards <tedwards@Glue.umd.edu>”

• 1995-09-19 (Mon, 18 Sep 95 20:35:19 PDT) - NYT on Netscape Crack - John Young <jya@pipeline.com>
  • 1995-09-19 (Mon, 18 Sep 95 20:55:59 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
    • 1995-09-19 (Mon, 18 Sep 95 21:20:38 PDT) - Re: NYT on Netscape Crack - Black Unicorn <unicorn@polaris.mindport.net>
      • 1995-09-19 (Mon, 18 Sep 95 21:28:11 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
      • 1995-09-19 (Mon, 18 Sep 95 21:28:51 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
    • 1995-09-19 (Mon, 18 Sep 95 22:02:45 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
    • 1995-09-19 (Tue, 19 Sep 95 00:03:38 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
      • 1995-09-19 (Tue, 19 Sep 95 00:18:35 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
        • 1995-09-19 (Tue, 19 Sep 95 00:34:36 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
          • 1995-09-19 (Tue, 19 Sep 95 00:53:18 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
            • 1995-09-20 (Tue, 19 Sep 95 23:49:33 PDT) - Re: NYT on Netscape Crack - shields@tembel.org (Michael Shields)
        • 1995-09-19 (Tue, 19 Sep 95 06:49:50 PDT) - Re: NYT on Netscape Crack - Adam Shostack <adam@homeport.org>
          • 1995-09-19 (Tue, 19 Sep 95 07:00:23 PDT) - Re: NYT on Netscape Crack - sameer <sameer@c2.org>
      • 1995-09-19 (Tue, 19 Sep 95 08:49:43 PDT) - Re: NYT on Netscape Crack - hallam@w3.org
    • 1995-09-19 (Tue, 19 Sep 95 12:38:35 PDT) - Re: NYT on Netscape Crack - Thomas Grant Edwards <tedwards@Glue.umd.edu>
  • 1995-09-19 (Mon, 18 Sep 95 21:15:19 PDT) - Re: NYT on Netscape Crack - Black Unicorn <unicorn@polaris.mindport.net>
  • 1995-09-19 (Tue, 19 Sep 95 01:14:28 PDT) - Re: NYT on Netscape Crack - jsw@neon.netscape.com (Jeff Weinstein)
    • 1995-09-19 (Tue, 19 Sep 95 03:16:22 PDT) - Re: NYT on Netscape Crack - Eric Young <eay@mincom.oz.au>
    • 1995-09-19 (Tue, 19 Sep 95 05:40:36 PDT) - Re: NYT on Netscape Crack - m5@dev.tivoli.com (Mike McNally)
    • 1995-09-20 (Tue, 19 Sep 95 20:26:45 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
      • 1995-09-20 (Tue, 19 Sep 95 21:05:58 PDT) - Re: NYT on Netscape Crack - Ray Cromwell <rjc@clark.net>
        • 1995-09-20 (Wed, 20 Sep 95 07:05:47 PDT) - Re: NYT on Netscape Crack - “Perry E. Metzger” <perry@piermont.com>
  • 1995-09-19 (Tue, 19 Sep 95 07:38:57 PDT) - Re: NYT on Netscape Crack - Eli Brandt <eli@UX3.SP.CS.CMU.EDU>
    • 1995-09-19 (Tue, 19 Sep 95 13:09:56 PDT) - Re: NYT on Netscape Crack - Thomas Grant Edwards <tedwards@Glue.umd.edu>