1995-10-23 - Re: Netscape Logic Bomb detailed by IETF

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: perry@piermont.com
Message Hash: db308be6e95e45a7e910e82cea9f0765a2509f2e4ff8673a5c30b746a445fd98
Message ID: <9510231413.AA26514@all.net>
Reply To: <199510231344.JAA04051@jekyll.piermont.com>
UTC Datetime: 1995-10-23 14:16:40 UTC
Raw Date: Mon, 23 Oct 95 07:16:40 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Mon, 23 Oct 95 07:16:40 PDT
To: perry@piermont.com
Subject: Re: Netscape Logic Bomb detailed by IETF
In-Reply-To: <199510231344.JAA04051@jekyll.piermont.com>
Message-ID: <9510231413.AA26514@all.net>
MIME-Version: 1.0
Content-Type: text


> Mr. Anonymous has a good reason to be anonymous -- he's an annoying

Perhaps.

> fool.

I don't agree.

> Yes, Mr. Anonymous, we all know postscript is dangerous. Thank you for
> this stunning revelation. We've read the IETF documents before, and
> some of us even helped write them.

Then you should support his point which is valid.

> anonymous-remailer@shell.portal.com writes:
> > Clearly, someone has a vested interest which they are expending a 
> > great deal of effort to protect.  My email to Netscape detailing their 
> > logic bomb has gone unanswered, and unacknowledged for ten days now.
> 
> Maybe because you're an idiot and they don't feel that it's necessary
> to answer. What more need be said?

Being insulting and calling people names benefits nobody.

> Those of us who care run our postscript interpreters with all the
> dangerous commands stripped out, but given that Netscape doesn't
> supply postscript interpreters, it's not really their fault or
> problem.

I strongly disagree.  If Netscape provided a way to execute shell
commands on your host from a remote computer, it would certainly be a
hole created by their product.  The fact that the default shell is
potentially dangerous means it's incumbent on those who provide access
to it to provide adequate protection.

If Netscape wants to claim their product doesn't degrade security, they
should provide a safe postscript interpreter or not provide hooks to
unsafe ones.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236



