From: Nesta Stubbs <nesta@cynico.com>
To: “Dr. Frederick B. Cohen” <fc@all.net>
Message Hash: 5a7e8a967daaad29212be7b88c0260a138bd4c60093c55f399fcf8f827983cdc
Message ID: <Pine.BSD.3.91.951024214619.20203D-100000@miso.wwa.com>
Reply To: <9510231413.AA26514@all.net>
UTC Datetime: 1995-10-25 03:02:23 UTC
Raw Date: Tue, 24 Oct 95 20:02:23 PDT
Subject: Re: Netscape Logic Bomb detailed by IETF
On Mon, 23 Oct 1995, Dr. Frederick B. Cohen wrote:
> > Yes, Mr. Anonymous, we all know postscript is dangerous. Thank you for
> > this stunning revelation. We've read the IETF documents before, and
> > some of us even helped write them.
>
> Then you should support his point which is valid.
>
I don't think they have vested interests at all. I think that they are
able to see that the problem is not with the browser. You know
"/bin/login" is insecure because it allows hooks for unpasswded logins, I
mean if the user wanted to they could leave root unpasswded and if they are
using "/bin/login" someone could get into their system just like that.
That point is NOT valid IMO.
> I strongly disagree. If Netscape provided a way to execute shell
> commands on your host from a remote computer, it would certainly be a
> hole created by their product. The fact that the default shell is
> potentially dangerous means it's incumbent on those who provide access
> to it to provide adequate protection.
>
NO, postscript provides the method for executing shell commands if you
accept postscript from anywhere. Netscape can NEVER be "fool"proof
against all hardware errors, particularly loose nuts on the keyboard.
Nesta Stubbs                 "Betsy, can you find the Pentagon for me?
Cynico Network Consulting     It has five sides and a big parking lot"
nesta@cynico.com                      -Fred McMurray-