1995-10-12 - Re: NYT on Internet Flaws

Header Data

From: Jeff Weinstein <jsw@netscape.com>
To: Paul A Gauthier <gauthier@CS.Berkeley.EDU>
Message Hash: c7c404f7efc284a9bbf155390d0a55841a31f1abbcc37aee2d308dbb8850b8ec
Message ID: <307CD9F9.36CE@netscape.com>
Reply To: <199510120005.RAA01681@moosehead.CS.Berkeley.EDU>
UTC Datetime: 1995-10-12 09:23:33 UTC
Raw Date: Thu, 12 Oct 95 02:23:33 PDT

Raw message

From: Jeff Weinstein <jsw@netscape.com>
Date: Thu, 12 Oct 95 02:23:33 PDT
To: Paul A Gauthier <gauthier@CS.Berkeley.EDU>
Subject: Re: NYT on Internet Flaws
In-Reply-To: <199510120005.RAA01681@moosehead.CS.Berkeley.EDU>
Message-ID: <307CD9F9.36CE@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain


Paul A Gauthier wrote:
> 
> >
> > Patrick Horgan wrote:
> > >
> > > > From: "K. M. Ellis" <kelli@zeus.towson.edu>
> > > >
> > > I'd love to see something in there about most commercial sites being behind
> > > firewalls without nfs access across the firewall.  This greatly reduces the
> >
> >   It might also be worth noting that people accessing the net
> > via an ISP from home do not typically use NFS either.
> >
> 
> They don't often have the skill/knowledge/concern to verify a PGP checksum
> to ensure someone didn't patch their browser, either.

  I don't believe that my posting of PGP signed checksums last night
is a final solution that will make the world safe for all end users.
I'm rather insulted that you imply that I do.  If you read Markoff's
article, you will see that we have stated that we are working on
a more global solution.

> People seem to miss that the NFS hack was only an _example_ of a powerful
> way to silently destroy the integrity of an executable. Spoofing the
> insecure FTP session they used to retrieve it works. Sending them a random
> trojan horse works. The point was not that NFS is insecure. It was that
> unless you can authenticate your executables as being trustworthy NOTHING
> ELSE MATTERS.
> 
> SSL, good RNGs for session key selection, etc, are all null
> and void if you run (any) untrusted software that patches
> your Netscape executable, for example, or if you got a bum copy to
> start with.

  I think everyone agrees that if you don't check the bits you
get from an insecure FTP session, or if you let a bad guy write to
your disk, then you may be in trouble.  The point is that you and a
few reporters are running around yelling at the top of your lungs
that internet commerce is totally doomed because it is possible for
users to infect their systems with viruses.  In the case of
Netscape, users who are worried about their binary being infected
during downloading could actually buy the product, either in their
local computer store or from us directly.

  Perhaps you have a solution to offer to this whole problem?

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.





Thread