From: fc@all.net (Dr. Frederick B. Cohen)
To: cypherpunks@toad.com
Message Hash: c6e4c6d1d79368e681d83309783ae690bb612e456433dc0e79a231a0b3fdde83
Message ID: <9510141153.AA16412@all.net>
Reply To: N/A
UTC Datetime: 1995-10-14 11:56:18 UTC
Raw Date: Sat, 14 Oct 95 04:56:18 PDT
Subject: Netscape rewards are an insult

The idea that Netscape (like Microsoft) thinks they can get free
testing services from all over the net by real experts just by offering
a tee shirt is downright offensive.

I have a better idea. How about an open market in break-in
software. We crack Netscape and offer the crack code to the highest
bidder. Bids start at US$25K per hole. For the insult, Netscape has to
outbid the competition by a factor of 2 to get the details of the hole.

Here's how it works:

- We get a panel of 5 cypherpunk judges who test each claimed hole.
- Exploit code is sent to the panel for verification.
- If they verify the hole, it is put up for bid.
- Winning bidder gets the code for 3 months before it is released
  on hacker BBS systems throughout the world.
- The panel of judges splits 25% of the money paid for the code
  as pay for their efforts. The rest goes to the author.

I have an even better idea. How about if Netscape gets some
competent programmers with real security expertise, adds in some good
change controls, a serious internal testing program, quality control ala
ISO-9000, internal IT auditors, external IT auditors, training and
education for their employees, and everything else it takes to be in the
software business in a serious way.

As an alternative, we could help them contact the shareholders
for a lawsuit. After all, they are a public company now and are responsible
to the shareholders for the value of their stock. If it goes down because
they aren't doing an adequate job of software quality control, the officers
may be personally liable.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236