From: "Cedric Ingrand" <cedric@isicom.fr>
Date: Sat, 14 Oct 95 18:06:30 PDT
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: Netscape rewards are an insult
Message-ID: <199510150106.CAA29348@s2.isicom.fr>
MIME-Version: 1.0
Content-Type: text/plain


 
> 	I have a better idea.  How about an open market in break-in
> software.  We crack Netscape and offer the crack code to the highest
> bidder.  Bids start at US$25K per hole.  For the insult, Netscape has to
> outbid the competition by a factor of 2 to get the details of the hole.

You're talking gaping security holes. They're merely talking bugs. I
don't know if it's already been covered elsewhere, but I saw Jim
Clark at a press conference in Paris a couple of weeks ago, and he
more or less laid out what he intended to do about security:

"First of all, I am chairing an audit commitee for security. All new 
security-related and encryption-related mechanisms that we build into 
our products has to go through this audit commitee before being 
released. The audit commitee hires outside auditors, security 
auditors, particularly RSA and experts out of academia, Ron Rivest 
from MIT and people like this to do the audit of our security 
systems. Another thing we're doing is publishing the source code 
which does the security so people can just see what the algorithms 
are. Had we done that in the first place, if we had published our 
source code, people wouldn't say 'ha ha! It's easy to guess that 
you're using this gate as the starting point of the random number'. 
So we think that by publishing the algorithms, having a security 
audit by an outsider auditor... it's sort of like the accounting 
profession, they have an audit commitee on the board of directors, 
the audit is actually done by an outside financial institution and to 
some degree it's exactly what's happening in security. We think that 
we were the first company to introduce this technology to the 
internet and so we were the first company to come under attack. We 
were careless, and we're not going to be careless in the future."

I haven't seen Netscape deliver on this promise of publishing their 
encryption code, so I'll keep the promise on tape for a little while 
(-:

Best, Cedric.

 
---------------------------------------------------------
Cedric Ingrand - cedric@planetepc.fr - +33.1.43.98.88.56.