From: "Philip J. Nesser" <pjnesser@rocket.com>
Date: Sat, 14 Oct 95 10:01:07 PDT
To: fc@all.net
Subject: Re: Netscape rewards are an insult
In-Reply-To: <9510141153.AA16412@all.net>
Message-ID: <199510141700.KAA06274@oac1.rocket.com>
MIME-Version: 1.0
Content-Type: text/plain



Have things really come to this?  Besides the legal implications of
discovering a hole and then selling the information to someone, (who
presumably will only want this information for one purpose) where has the
attitude of doing for the sake of doing gone?  Has Netscape been pestering
security experts on the net for free work?  Have they been plaguing people
or lists with email asking the net to do their jobs?  

I am tired of hearing people who may have had the urge to find weaknesses
and bugs now going greedy and deciding that they should be paid for it.  If
you dont want to participate then don't!  Its that simple.  If you feel
netscape is a greedy money grubbing company who deserves to pay 25k for a
bug report then start a company and develop a competing product which you
feel deserves to get bug reports.  

The reason why the Internet has become so popular/powerful is the
willingness of people to help out and distribute information.  As a
computer/networking professional I have saved hundreds of hours worth of
my time when someone has been able to answer a question or solve a problem
for me.  Likewise I have and continue to give back just as many hours back
answering others questions.  That attitude is completely lacking in your
suggestion and I can only hope that the those opinions are in the minority
even today.

The ironic part is the people who have been the most successful at finding
bugs are not the ones who are demanding money for it!

--->  Phil

>From: fc@all.net (Dr. Frederick B. Cohen)
>Date: Sat, 14 Oct 1995 07:53:53 -0400 (EDT)

>	The idea that Netscape (like Microsoft) thinks they can get free
>testing services from all over the net by real experts just by offerring
>a tee shirt is down right offensive.

>	I have a better idea.  How about an open market in break-in
>software.  We crack Netscape and offer the crack code to the highest
>bidder.  Bids start at US$25K per hole.  For the insult, Netscape has to
>outbid the competition by a factor of 2 to get the details of the hole.
>Here's how it works:

>	- We get a panel of 5 cypherpunk judges who test each claimed hole.
>	- Exploit code is sent to the panel for verification.
>	- If they verify the hole, it is put up for bid.
>	- Winning bidder gets the code for 3 months before it is released
>	  on hacker BBS systems throughout the world.
>	- The panel of judges splits 25% of the money paid for the code
>	  as pay for their efforts.  The rest goes to the author.

>	I have an even better idea.  How about if Netscape gets some
>competent programmers with real security expertise, adds in some good
>change controls, a serious internal testing program, quality control ala
>ISO-9000, internal IT auditors, external IT auditors, training and
>education for their employees, and everything else it takes to be in the
>software business in a serious way.

>	As an alternative, we could help them contact the shareholders
>for a lawsuit.  After all, they are a public company now and are responsible
>to the shareholders for the value of their stock.  If it goes down because
>they aren't doing an adequate job of software quality control, the officers
>may be personally liable.

>-- 
>-> See: Info-Sec Heaven at URL http://all.net
>Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236