From: fc@all.net (Dr. Frederick B. Cohen)
To: jsw@netscape.com (Jeff Weinstein)
Message Hash: e94968fa4bc1f4bbd97679469c74716c2e3e2c095376b8e72495ea47824e3eb1
Message ID: <9510190913.AA01502@all.net>
Reply To: <3085EB9F.5C18@netscape.com>
UTC Datetime: 1995-10-19 09:46:37 UTC
Raw Date: Thu, 19 Oct 95 02:46:37 PDT
Subject: Re: [NOISE] Re: Postscript in Netscape
MIME-Version: 1.0
Content-Type: text
> > The point is, Netscape CLAIMS to provide security - Microsoft doesn't.
>
> Here is a quote from Microsoft's Internet Explorer 2.0 Beta announcement,
> which can be found at http://www.microsoft.com/windows/pr/sept2895.htm:
>
>
> Internet Explorer 2.0 also provides users with a secure environment.
> Complete support for Secure Sockets Layer (SSL) and RSA encryption
> allows integration with secure sites. In addition, Internet
> Explorer 2.0 will support Private Communication Technology (PCT),
> which is an efficient and secure upgrade to the SSL protocol.
> Internet Explorer will also support Secure Transaction Technology
> (STT), an electronic payment technology jointly developed by
> Microsoft and Visa International, as soon as it is available.
>
> There is that pesky word "secure", five times in one paragraph.
I hadn't seen it - everything I said about Netscape (except the money)
applies doubly so to Microsoft - doubly because they have been putting
garbage out for years and should have fixed it long ago.
> > >
> > > A stupid example:
> > > I can replace copy on your machine so that it does a delete instead.
> > > Does that mean that the OS manufacturer has to warn a user about this?
> >
> > On my machine, if you replace copy with delete, it will be detected
> > before it does the delete, and, unless you are very skilled, when I tell
> > it to copy, the corruption will be automatically corrected. This is
> > because I use an "integrity shell" - something you guys at Netscape
> > probably never heard of.
>
> What if they replace your "integrity shell"?
If you really want to know how this works, you might try reading the 5+
refereed journal articles on the subject; however, to replace the
integrity shell undetected, you would have to bypass the hardware write
protection on a hard disk.
> > > There's a point at which one has to hand off the assessment to the buyer.
> >
> > The point I have been trying to make that many on this list seem to ignore
> > again and again, is that Netscape makes the security claims. If you don't
> > provide effective protection, don't make the claim. If you want to make
> > the claim back it up with something other than media hype.
>
> We are working on clarifying our security claims. Here is an
> example from the San Jose Mercury news on Aug. 17, 1995:
>
> "We have said for a long time that given the right amount of
> computer power, that a 40-bit key encrypted message could be
> decrypted," said Mike Homer, Netscape's vice president of marketing.
"We" - I take it you are now speaking officially for Netscape? So how come
Netscape doesn't even know about integrity shells and yet claims to
be able to design secure systems for money transfers?
> > > This is my own opinion and also that of anyone who agrees with me.
> > > I'm reading this group because it's very interesting for me personally.
> > > There.
> >
> > All of our opinions are our own, and my opinion is that Netscape (not you) is:
> >
> > - making inadequately supported claims about a nebulous
> > thing called "security".
>
> Here is one definition of the word "security" from the Webster's
> New World Dictionary, Third Edition:
>
> protection or defense against attack, espionage, etc.
>
> Note that I make no claims that this is Netscape's definition of
> security in our products.
So what IS Netscape's definition?
> > - using it as a basis to get people to invest millions (billions?)
> > of dollars.
>
> Billions of dollars have not been invested in Netscape. An examination
> of the prospectus and the current stock price will bear this out.
That's why the ?
> Here is a quote from the Netscape prospectus:
>
> The Company has included in its products an implementation of the
> Secure Sockets Layer ("SSL"), a security protocol which operates in
> conjunction with encryption and authentication technology licensed
> from RSA Data Security, Inc. ("RSA"). Despite the existence of
> these technologies, the Company's products may be vulnerable to
> break-ins and similar disruptive problems caused by Internet users.
> Such computer break-ins and other disruptions would jeopardize the
> security of information stored in and transmitted through the
> computer systems of end users of the Company's products...
Excellent - I appreciate the information and withdraw my aspersions relating
to fraud.
> Of course anyone who is interested in investing in Netscape's
> stock should get and read the entire prospectus.
Absolutely.
> > - plans to use it to move millions, and eventually billions of
> > dollars over the Internet, potentially placing a fair chunk of the
> > world economy (I'm not kidding) as well as individual privacy
> > (and thus freedom) at risk.
>
> It would have to be many billions of dollars before it becomes
> "a fair chunk of the world economy", and I think that even the
> most optimistic projections of internet commerce put that many
> years in the future.
You must be unaware of chaos theory. Even a few hundred million screwed
up in the right way can have a major impact on the global economy. It has
something to do with the fact that economies work on the basis of people's
perceptions, not just facts.
> > - may succeed unless people who do understand the implications
> > find a way to fix the thing.
> >
> > These things concern me, so I will stand my ground regardless of the
> > flames and ask, yet again, for someone at Netscape to tell us what you
> > mean by "security" when you make claims about it (I won't repost my
> > questions from a few days ago since you have already ignored them) and
> > why your claims are strong enough for a big chunk of the world economy
> > to rest on it.
>
> I don't think that it is reasonable to expect that everyone who
> asks for an official company position on some random mailing list
> will get a response. The people who make such statements are not
> usually on such lists, and they have other forums for making public
> statements. Perhaps you should call our PR department for a statement.
>
> You are certainly free to "stand your ground", but I am also
> free to not respond to you.
It's a deal.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
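The "integrity shell" exchange above (a replaced `copy` that deletes instead, detected before it runs and corrected automatically) is the one technical mechanism in this thread. The following is an added illustration written for this page; it is not Cohen's integrity shell or any code from the thread. It assumes a shell that checks each program's SHA-256 digest against a baseline before executing it and restores the program from a pristine copy when the digest does not match. The hardware write protection the thread relies on is only simulated here by a separate "protected" directory; the programs are Python scripts run under the interpreter rather than native binaries, and the tampered `copy` and sample files are constructed for the demonstration.

```python
"""Toy integrity shell (added example, not the thread's own software).

bin_dir holds the programs that actually get run; protected_dir stands in
for a hardware write-protected disk holding pristine copies.  Nothing here
enforces that protection - it is an assumption of the illustration.
"""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile


def sha256_of(path):
    """Digest a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class IntegrityShell:
    def __init__(self, bin_dir, protected_dir):
        self.bin_dir = bin_dir
        self.protected_dir = protected_dir
        self.baseline = {}  # program name -> digest of the pristine copy

    def enroll(self, name):
        """Record a program's digest and stash a pristine copy on the
        (assumed write-protected) medium."""
        src = os.path.join(self.bin_dir, name)
        shutil.copy2(src, os.path.join(self.protected_dir, name))
        self.baseline[name] = sha256_of(src)

    def check(self, name):
        """True if the installed program still matches its baseline."""
        return sha256_of(os.path.join(self.bin_dir, name)) == self.baseline[name]

    def run(self, name, *args):
        """Verify before execution.  If the program has been altered,
        restore it from the protected copy, re-verify, and only then run.
        Returns (was_corrupted, CompletedProcess)."""
        if name not in self.baseline:
            raise KeyError(f"{name} is not enrolled")
        corrupted = not self.check(name)
        if corrupted:
            shutil.copy2(os.path.join(self.protected_dir, name),
                         os.path.join(self.bin_dir, name))
            if not self.check(name):
                raise RuntimeError(f"restore of {name} failed verification")
        proc = subprocess.run(
            [sys.executable, os.path.join(self.bin_dir, name), *args],
            capture_output=True, check=False)
        return corrupted, proc


# Constructed programs: the real "copy" and the attacker's replacement.
GOOD_COPY = "import shutil, sys; shutil.copy(sys.argv[1], sys.argv[2])\n"
EVIL_COPY = "import os, sys; os.remove(sys.argv[1])\n"


def demo():
    """Replay the thread's scenario: copy is swapped for a deleter, then
    the user asks the shell to copy a file.  Returns observations."""
    work = tempfile.mkdtemp()
    bin_dir = os.path.join(work, "bin")
    prot = os.path.join(work, "protected")
    os.makedirs(bin_dir)
    os.makedirs(prot)
    with open(os.path.join(bin_dir, "copy"), "w") as f:
        f.write(GOOD_COPY)
    shell = IntegrityShell(bin_dir, prot)
    shell.enroll("copy")

    # Attacker replaces copy with a program that deletes instead.
    with open(os.path.join(bin_dir, "copy"), "w") as f:
        f.write(EVIL_COPY)

    src = os.path.join(work, "a.txt")
    dst = os.path.join(work, "b.txt")
    with open(src, "w") as f:
        f.write("precious")
    corrupted, proc = shell.run("copy", src, dst)
    second_corrupted, _ = shell.run("copy", src, dst)  # now clean
    result = {
        "detected": corrupted,
        "src_survives": os.path.exists(src),
        "dst_created": os.path.exists(dst),
        "repaired": shell.check("copy"),
        "clean_on_rerun": not second_corrupted,
        "exit": proc.returncode,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The check the thread's critic raised still applies: if `IntegrityShell` itself, its baseline table, or the pristine copies can be modified, the attacker simply swaps those too. The design only holds up when the shell code, the digests and the copies live on media the running system cannot write, which this toy does not enforce.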