From: Paul A Gauthier <gauthier@CS.Berkeley.EDU>
To: jsw@netscape.com (Jeff Weinstein)
Message Hash: d1d2063ce6365926fd993c11f1cc9bed8b2a515f63ec34281e072e1e579566e5
Message ID: <199510120005.RAA01681@moosehead.CS.Berkeley.EDU>
Reply To: <307C4D2F.150B@netscape.com>
UTC Datetime: 1995-10-12 00:05:45 UTC
Raw Date: Wed, 11 Oct 95 17:05:45 PDT
Subject: Re: NYT on Internet Flaws
>
> Patrick Horgan wrote:
> >
> > > From: "K. M. Ellis" <kelli@zeus.towson.edu>
> > >
> > I'd love to see something in there about most commercial sites being behind
> > firewalls without nfs access across the firewall. This greatly reduces the
>
> It might also be worth noting that people accessing the net
> via an ISP from home do not typically use NFS either.
>

They don't often have the skill/knowledge/concern to verify a PGP checksum
to ensure someone didn't patch their browser, either.

People seem to miss that the NFS hack was only an _example_ of a powerful
way to silently destroy the integrity of an executable. Spoofing the
insecure FTP session they used to retrieve it works. Sending them a random
trojan horse works. The point was not that NFS is insecure. It was that
unless you can authenticate your executables as being trustworthy NOTHING
ELSE MATTERS.

SSL, good RNGs for session key selection, etc, are all null
and void if you run (any) untrusted software that patches
your Netscape executable, for example, or if you got a bum copy to
start with.

Paul
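
The following is an added example, not part of the original message: it shows why a checksum fetched over the same channel as the executable proves nothing, while a checksum list that is itself authenticated catches both a patched file and a rewritten list. All names and sample bytes are constructed, and HMAC with a shared key stands in for a PGP signature (with PGP the verifier would hold only the publisher's public key).

```python
import hashlib
import hmac

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition("  ")
        if len(digest) == 64 and name:
            entries[name] = digest.lower()
    return entries

def checksum_only(manifest, name, blob):
    """Weak check: trusts a manifest fetched over the same channel as the file."""
    expected = parse_manifest(manifest.decode()).get(name, "")
    return hmac.compare_digest(expected, hashlib.sha256(blob).hexdigest())

def authenticated_check(manifest, tag, key, name, blob):
    """Authenticate the manifest first, then compare the file's digest to it."""
    good_tag = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(good_tag, tag):
        return False  # manifest itself was altered; nothing in it can be trusted
    return checksum_only(manifest, name, blob)

def demo():
    # Constructed sample data: bytes standing in for a browser binary.
    key = b"constructed-demo-key"  # assumption: stand-in for the publisher's key
    original = b"\x7fELF constructed browser image"
    patched = original.replace(b"browser", b"br0wser")  # one-byte modification

    def manifest_for(blob):
        return (hashlib.sha256(blob).hexdigest() + "  browser.bin\n").encode()

    manifest = manifest_for(original)
    tag = hmac.new(key, manifest, hashlib.sha256).digest()
    forged = manifest_for(patched)  # checksum list rewritten to match the patch
    name = "browser.bin"
    return {
        "genuine": authenticated_check(manifest, tag, key, name, original),
        "patched_file": authenticated_check(manifest, tag, key, name, patched),
        "swap_vs_checksum_only": checksum_only(forged, name, patched),
        "swap_vs_authenticated": authenticated_check(forged, tag, key, name, patched),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```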