From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Wed, 20 Sep 95 11:58:55 PDT
To: cypherpunks@toad.com
Subject: netscape bug
Message-ID: <199509201855.LAA17261@netcom16.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


clearly the netscape engineers did not practice "safe crypto programming",
but I question the seriousness of the crack.

none of the articles mention that the cracker must have login access
to the computer that the random numbers are generated on. is this true?
does the code require knowledge of the PID etc. that can only be obtained
by a login to the system that the netscape session is running on?

if this is true (i.e. login access required) this bug is by far not
as serious as some of the hyperbole is suggesting. I agree it is still
very insecure but the most dangerous crypto bugs are those where you
can determine keys from data alone.. physical penetration into a machine
is another level of security..

furthermore, I would like to commend Netscape for their fast response
to the problem and apparent commitment to establishing safeguards that
avoid it in the future.

cypherpunks have an easy time ridiculing someone who slit their throat
on writing some crypto functions, but geez, cut them some slack:
 crypto stuff has so many pitfalls and bugaboos that even the world-class 
experts make mistakes. where else can not properly "burning" stack 
registers (function parameters) and environment variables be considered 
"lethal"??? PGP errors have been reported on numerous 
occasions, some in the randomizer code. do people call for Zimmermann's
head on a stick and call him "incompetent"?

often when cryptographers say something is "broken" it can still mean
that it is not necessarily unsafe in practice. there are many shades
of "broken", some requiring a Cray and other's requiring a PC. I am
really surprised how much people here consider "broken is broken". this
is only the extreme theoretical perspective. granted I am not advocating
that people *not*fix* bad crypto functions, I'm only saying that maybe
its not in everyone's best interest to run around and say "the sky is
falling" and lambaste companies for minor difficulties..

Netscape is a world class product, and it's *free*. on this cypherpunks
list, I have seen no end to the venemous criticisms that people level at 
*free* products, which IMHO is quite tasteless at times. Netscape has
done far more for the cypherpunk cause than  many, many companies just
by including RC4 in their product. they have taken some heat for their
decisions & code, but they are on the front lines of battle. now instead of
our vague claims about how the world can benefit from good crypto, how
it is immensely valuable and important to cyberspatial financial transactions,

to promote the cypherpunk cause, we now have something *popular*, *physical*,
 and *tangible* to point to: netscape!!
this is *not* vaporware. this is not some cpunk saying, "all one needs
is [x] algorithm running on [y] network and you have a world class
infrastructure". the amount of work to get something like Netscape into
the world is quite daunting and herculean. we owe a great debt to netscape
and their accomplishments for furthering our own agenda!!! please do not 
trivialize what they have accomplished!! Netscape is here, it works, and
it is cyberspatial crypto that Joe Sixpack can understand and *use*!!
it is not a toy remailer, it is not some PGP front end, it is not some
mailer script, *this* is the format in which Joe Sixpack will be 
using crypto in the future, the format which will bring "crypto to the
unwashed masses"!!

Netscape may very well be the chief vehicle that puts on *concrete pressure*
on our government to relax crypto export laws. I see this happening 
*right now* with them going to a 64 bit key from a 40 bit one, and the
world starting to realize the importance of crypto and the idiocy of 
the export laws. I am really amazed at how few seem to be supporting
Netscape here and considering them the *premiere ally* in our current
battle. it reminds me of how much people here rant at Microsoft when 
virtually no other company on the planet could pull off what they make
look easy (ah, that's another story I've filled up other posts with).

please do *not* take an adversarial relationship with the companies
who are helping advance the cutting edge of cyberspace!! do *not*
ridicule them. rather, help them to understand their problems. I think
you will find that most companies are *not* hostile to improving their
software, and will readily admit it when it needs fixing (intel has
been humbled by their pentium glitch, and I doubt any company again will
ever be so obstinate and belligerent..) . 

I am willing to bet that the netscape bug would have been fixed quickly if it
had been quietly brought to their attention, without the blaring media
lights (I enjoy the media circus as much as the next guy, but on the
other hand, doing some things quietly may actually advance the cypherpunk
cause further than by making a noisy hullaballoo in cyberspace).

once again I commend Netscape for their fine software and willingness to
perfect it. netscape is at the cutting edge of advancing key cyberspace
technologies and it is not surprising that they make some minor mistakes
with the code in these early phases. cyberspace is very young!! give 
designers a bit of time to get it right. be patient!! do not accuse
them of incompetence!! netscape is tens of thousands of lines of 
world-class code. only in programming can a few moments of total,
rapt attention lead to bugs that get blared on the front page of
new york times and affect your stock price!! good lord, give the guys
a break.

cpunks: when Netscape has some serious competitors, they will get
their act together. but at the moment they are the only game in town,
and it will pay off to be nice to them, and try to support them, instead
of kicking them in the teeth and wringing them every time they make
a mistake. few in the world are as knowledgeable or paranoid as we are
about security, and its going to be a gradual process to get to even
a fraction of the expertise here penetrating the mainstream software
industry. be patient!!

--

P.M. notes that anywhere there is a data-driven buffer overflow (which
he suspects are all over netscape) he can get code to execute anything
he wants. this reminds me of the
Morris internet worm that ran exactly the same way. it used a
bug in the finger demon that caused a string buffer overwrite
(via strcpy, instead of strncpy) to execute customized code.

my question: I have not seen the specifics of how this works. does
this require specialized knowledge of the native machine language on the 
host machine? or is it just used to cause something like a core dump
to get a command line or something like that?


--Vlad Nuri