1995-10-24 - Re: Netscape Logic Bomb detailed by IETF
Header Data
From: Aleph One <aleph1@dfw.net>
To: “Dr. Frederick B. Cohen” <fc@all.net>
Message Hash: c247ce9ba10ab33c55c1b3072b891b746b003fa7869c54e14eae761df16c6751
Message ID: <Pine.SUN.3.90.951024083716.7258A-100000@dfw.net>
Reply To: <9510240929.AA08313@all.net>
UTC Datetime: 1995-10-24 13:50:39 UTC
Raw Date: Tue, 24 Oct 95 06:50:39 PDT
Raw message
From: Aleph One <aleph1@dfw.net>
Date: Tue, 24 Oct 95 06:50:39 PDT
To: "Dr. Frederick B. Cohen" <fc@all.net>
Subject: Re: Netscape Logic Bomb detailed by IETF
In-Reply-To: <9510240929.AA08313@all.net>
Message-ID: <Pine.SUN.3.90.951024083716.7258A-100000@dfw.net>
MIME-Version: 1.0
Content-Type: text/plain
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
On Tue, 24 Oct 1995, Dr. Frederick B. Cohen wrote:
> Date: Tue, 24 Oct 1995 05:29:33 -0400 (EDT)
> From: Dr. Frederick B. Cohen <fc@all.net>
> > In message <9510231413.AA26514@all.net>, Dr. Frederick B. Cohen writes:
> > >I strongly disagree. If Netscape provided a way to execute shell
> > >commands on your host from a remote computer, it would certainly be a
> > >hole created by their product. The fact that the default shell is
> > >potentially dangerous means it's incumbant on those who provide access
> > >to it to provide adequate protection.
> >
> > They do, add:
> >
> > application/x-shell; sh %s
> >
> > to your .mailcap.
> >
[..rant removed..]
> To support the position you seem to be taking (and the one currently
> taken by Netscape), you would have to say that the last several Sendmail
> "bugs" were not sendmail problems but rather shell problems because all
> sendmail did was allow you to execute a shell from the remote machine
> (perhaps via a queue file). You would also apparently say that it's
> secure to allow a server to grant unlimited shell access to unknown,
> unauthenticated remote users. This seems foolhearty to me.
This is compleate bullshit. Equating bugs on sendmail to adding the above
to your mailcap, is compleately of the wall. Why not try this: compare it to
adding
stupidfuck: "|/bin/sh"
Obiously no one in their right mind will put the above on their aliases file.
And please tell me of one MTA does check for this? You want to add to
sendmail so that it checks for this? Maybe it should also check for
pipes to perl, sed, awk, csh, python, ad nauseum.
Now if you would understand that *people* are supposed to know what to put
into their aliases file, you would understand they need to know what they
have to put in their mailcap files. There is nothing a program can do
about it. If you scan for certain interpreters and outlaw them, new ones
will be created you dont know about.
Your logic is compleatly flawled.
> That's correct. Secure software has to have secure distribution in
> order to maintain its security when distributed through an untrusted
> channel. I think that Netscape uses an MD5 checksum which the members
> of this list seem to place unlimited trust in (incorrectly in my view,
> but that would be picking two nits with one keyboard entry).
Question: Does your software (your striped down http server, etc)
do this? I bet not.
Thread
Return to October 1995
- Return to “Adam Shostack <adam@homeport.org>”
- Return to “Aleph One <aleph1@dfw.net>”
- Return to “Andy Brown <asb@nexor.co.uk>”
- Return to “anonymous-remailer@shell.portal.com”
- Return to “fc@all.net (Dr. Frederick B. Cohen)”
- Return to “futplex@pseudonym.com (Futplex)”
- Return to “hallam@w3.org”
- Return to “Jeff Barber <jeffb@sware.com>”
- Return to “Jeff Weinstein <jsw@netscape.com>”
- Return to “Jon Mittelhauser <jonm@netscape.com>”
- Return to ““Josh M. Osborne” <stripes@va.pubnix.com>”
- Return to “Laurent Demailly <dl@hplyot.obspm.fr>”
- Return to “Mark <mark@lochard.com.au>”
- Return to “Matt Blaze <mab@crypto.com>”
- Return to “Nesta Stubbs <nesta@cynico.com>”
- Return to ““Perry E. Metzger” <perry@piermont.com>”
- Return to “Ray Cromwell <rjc@clark.net>”
- Return to “roy@cybrspc.mn.org (Roy M. Silvernail)”
- Return to “sameer <sameer@c2.org>”
Return to “Simon Spero <ses@tipper.oit.unc.edu>”
- 1995-10-22 (Sun, 22 Oct 95 14:10:05 PDT) - Netscape Logic Bomb detailed by IETF - anonymous-remailer@shell.portal.com
- 1995-10-23 (Mon, 23 Oct 95 06:44:11 PDT) - Re: Netscape Logic Bomb detailed by IETF - “Perry E. Metzger” <perry@piermont.com>
- 1995-10-23 (Mon, 23 Oct 95 07:16:40 PDT) - Re: Netscape Logic Bomb detailed by IETF - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-23 (Mon, 23 Oct 95 08:01:02 PDT) - Re: Netscape Logic Bomb detailed by IETF - “Josh M. Osborne” <stripes@va.pubnix.com>
- 1995-10-24 (Tue, 24 Oct 95 02:32:25 PDT) - Re: Netscape Logic Bomb detailed by IETF - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 06:50:39 PDT) - Re: Netscape Logic Bomb detailed by IETF - Aleph One <aleph1@dfw.net>
- 1995-10-24 (Tue, 24 Oct 95 08:52:20 PDT) - Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 10:10:53 PDT) - Re: Does your software? - Jeff Barber <jeffb@sware.com>
- 1995-10-24 (Tue, 24 Oct 95 10:50:17 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-25 (Wed, 25 Oct 95 06:33:11 PDT) - Re: Does your software? - Andy Brown <asb@nexor.co.uk>
- 1995-10-25 (Wed, 25 Oct 95 10:25:00 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-25 (Wed, 25 Oct 95 06:33:11 PDT) - Re: Does your software? - Andy Brown <asb@nexor.co.uk>
- 1995-10-24 (Tue, 24 Oct 95 16:01:55 PDT) - Re: Does your software? - Jon Mittelhauser <jonm@netscape.com>
- 1995-10-25 (Tue, 24 Oct 95 21:40:12 PDT) - Re: Does your software? - Simon Spero <ses@tipper.oit.unc.edu>
- 1995-10-25 (Wed, 25 Oct 95 03:52:48 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-25 (Tue, 24 Oct 95 21:40:12 PDT) - Re: Does your software? - Simon Spero <ses@tipper.oit.unc.edu>
- 1995-10-25 (Tue, 24 Oct 95 17:24:50 PDT) - Re: Does your software? - Jeff Weinstein <jsw@netscape.com>
- 1995-10-25 (Wed, 25 Oct 95 04:22:42 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-25 (Wed, 25 Oct 95 06:55:27 PDT) - Re: Does your software? - Adam Shostack <adam@homeport.org>
- 1995-10-25 (Wed, 25 Oct 95 07:09:01 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-25 (Wed, 25 Oct 95 09:05:14 PDT) - Re: Does your software? - Aleph One <aleph1@dfw.net>
- 1995-10-25 (Wed, 25 Oct 95 06:55:27 PDT) - Re: Does your software? - Adam Shostack <adam@homeport.org>
- 1995-10-25 (Wed, 25 Oct 95 04:22:42 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 10:50:17 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 15:39:02 PDT) - Re: Does your software? - Ray Cromwell <rjc@clark.net>
- 1995-10-24 (Tue, 24 Oct 95 15:54:11 PDT) - Re: Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 10:10:53 PDT) - Re: Does your software? - Jeff Barber <jeffb@sware.com>
- 1995-10-24 (Tue, 24 Oct 95 08:52:20 PDT) - Does your software? - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 06:50:39 PDT) - Re: Netscape Logic Bomb detailed by IETF - Aleph One <aleph1@dfw.net>
- 1995-10-24 (Tue, 24 Oct 95 07:29:09 PDT) - MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - Laurent Demailly <dl@hplyot.obspm.fr>
- 1995-10-24 (Tue, 24 Oct 95 07:46:20 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 09:32:07 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - Andy Brown <asb@nexor.co.uk>
- 1995-10-24 (Tue, 24 Oct 95 10:15:03 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - hallam@w3.org
- 1995-10-24 (Tue, 24 Oct 95 12:02:35 PDT) - Hash collisions [was Re: MD5 weakness ? …] - Matt Blaze <mab@crypto.com>
- 1995-10-25 (Tue, 24 Oct 95 17:16:29 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - Mark <mark@lochard.com.au>
- 1995-10-24 (Tue, 24 Oct 95 08:54:39 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - futplex@pseudonym.com (Futplex)
- 1995-10-24 (Tue, 24 Oct 95 13:04:15 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 16:38:31 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - “Perry E. Metzger” <perry@piermont.com>
- 1995-10-24 (Tue, 24 Oct 95 10:46:44 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - Laurent Demailly <dl@hplyot.obspm.fr>
- 1995-10-24 (Tue, 24 Oct 95 07:46:20 PDT) - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF] - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Tue, 24 Oct 95 08:27:53 PDT) - Re: Netscape Logic Bomb detailed by IETF - Jeff Weinstein <jsw@netscape.com>
- 1995-10-24 (Tue, 24 Oct 95 09:28:18 PDT) - Re: Netscape Logic Bomb detailed by IETF - sameer <sameer@c2.org>
- 1995-10-24 (Tue, 24 Oct 95 02:32:25 PDT) - Re: Netscape Logic Bomb detailed by IETF - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-23 (Mon, 23 Oct 95 08:32:06 PDT) - Re: Netscape Logic Bomb detailed by IETF - “Perry E. Metzger” <perry@piermont.com>
- 1995-10-23 (Mon, 23 Oct 95 12:13:18 PDT) - Re: Netscape Logic Bomb detailed by IETF - futplex@pseudonym.com (Futplex)
- 1995-10-25 (Tue, 24 Oct 95 20:02:23 PDT) - Re: Netscape Logic Bomb detailed by IETF - Nesta Stubbs <nesta@cynico.com>
- 1995-10-23 (Mon, 23 Oct 95 08:01:02 PDT) - Re: Netscape Logic Bomb detailed by IETF - “Josh M. Osborne” <stripes@va.pubnix.com>
- 1995-10-23 (Mon, 23 Oct 95 07:16:40 PDT) - Re: Netscape Logic Bomb detailed by IETF - fc@all.net (Dr. Frederick B. Cohen)
- 1995-10-24 (Mon, 23 Oct 95 17:31:07 PDT) - Re: Netscape Logic Bomb detailed by IETF - roy@cybrspc.mn.org (Roy M. Silvernail)
- 1995-10-23 (Mon, 23 Oct 95 06:44:11 PDT) - Re: Netscape Logic Bomb detailed by IETF - “Perry E. Metzger” <perry@piermont.com>