From: anonymous-remailer@shell.portal.com
To: cypherpunks@toad.com
Message Hash: f07ffb7c1a4600c642287efee7611a2b2f1bbed8d97e8d63033f222f5da43be1
Message ID: <199510191722.KAA06757@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1995-10-19 17:23:54 UTC
Raw Date: Thu, 19 Oct 95 10:23:54 PDT
Subject: Re: Netscape rewards are an insult
> :I've deleted the rest of your content-free rant. Instead of alluding to
> :some "flawed algorithm", why not tell us about the hole you say you've
> :found in netscape?
OK, Netscape functions by DESIGN as an enhanced delivery vehicle.
Is that a sufficient explanation of the hole?? or is more detail necessary
(which follows):
Netscape blindly trusts any and all ports on all servers. On the
basis of this trust, it begins a negotiation with a server that
might well have a dynamic deliverability capability. The client then
examines a Content-type header, trusts the content-type to decide
what application it should launch, and then launches and processes
the data block it is fed, all on good faith.
It even trusts the server to redirect it to any arbitrary destination
which it automatically loads and then executes.
Is this enough of an explanation?? Or should I paraphrase:
Netscape is a gateway that permits an untrustworthy server to take
complete control of a client's machine. The server can tell the
client where it should go, what it should load and how often, and
what applications to execute on the client machine, as though this
arbitrary server were its master.
Does this help to underscore the problem??
The Netscape Navigator client was DESIGNED to be controlled remotely from
any machine on the Internet. This is the "flawed algorithm". W3 was
meant to be hypertext ... not a gateway that permits a server to deliver
customized byte bombs down a clearcut path by remote-control.
If people don't know that you don't let another person (or machine) take
control of your machine and run programs on it ... well, like I said in
the past.
> "Let me make this absolutely clear.
>
> It should not be up to non-US citizens like myself to safe-guard US
> economic security, and protect vital national interests. It is not
> my job and certainly not my responsibility to protect the international
> public and Fortune 500 companies from poor security."
So without giving out another "exploitation algorithm" to the Internet,
without extending a helping hand to Japan to retaliate against the US for
the American Japanese auto surveillance, I will simply quote from two
sources which are "public record" and mentioned in the FAQ.
From the "Orange Book", one of the volumes of the Department of Defence's
"Rainbow Series" more commonly known as TCSEC (Trusted Computer System
Evaluation Criteria) and available from:
U.S. Government Printing Office
Superintendent of Documents
Washington, DC 20402

- or -

INFOSEC Awareness Office
National Computer Security Centre
9800 Savage Road
Fort George G. Meade, MD 20755-6000

which stipulates that:
"... it is required that ADP (Automated Data Processing) systems
that "process, store, or use classified data and produce
classified information will, with reasonable dependability, prevent:
a. Deliberate or inadvertent access to classified material by
unauthorized persons, and
b. Unauthorized manipulation of the computer and its associated
peripheral devices."
The above quoted reference is public information. And, since Netscape is
making "no-comment" I will quote Netscape's public information.
> NETSCAPE CLIENT APIS (NCAPIS) 2.0
> The NCAPIs are designed to allow third-party applications to
> remotely control the Netscape Navigator client. They are
> platform specific, utilizing the platform's native method of
> interprocess communication (IPC). These APIs are not final
> and may change with the release of version 1.1 of Netscape
> Navigator (they do not work with Netscape Navigator 1.0).
Herein is the "flawed algorithm" which is just a fancy way of saying that
it's a flawed idea. And this isn't new ... it's been there for a long
time.
Generally, we don't routinely trust every other computer, foreign or
domestic on the Internet to manipulate us by remote control. This is
as basic as the idea that we don't give out our PIN numbers with our
banking cards to anyone who asks us.
If someone tries to suggest differently, then they are a fool.
Let's recall that Version 1.1 of Navigator was released long ago, and
trusts every machine on the Internet to do just that. It trusts every
other machine on the Internet to be "trustworthy". Whether that machine
is foreign or domestic. We are not speaking about the new and improved --
feature added -- "beta" 2.0 software, we are speaking of the software that
AT&T is using internally and is selling to its customers as we speak as a
"co-branded" product.
Software which AT&T security "approved" of in direct contravention of the
most basic of basic security principles.
Let me reiterate this.
Netscape's current existing software was designed in direct contravention
of the US Department of Defence's evaluation criteria for Trusted Computer
Systems, the TCSEC. It also contravenes the ITSEC (Information Technology
Security Evaluation Criteria) which is a document developed by the
British, German, French, and Netherlands governments.
(Anyone can get a free copy of ITSEC by writing to the Commission of the
European Communities in Brussels.)
Netscape forgot one thing about trust. If you "trust everyone" ... even if
you always trust everyone, you always cut the cards.
And when you're playing poker at these stakes ... well ... 'nuff said.
Alice de 'nonymous ...
...just another one of those...
P.S. This post is in the public domain. Please don't shoot the messenger.
C. S. U. M. O. C. L. U. N. E.
P.P.S If this is confusing to anyone, please direct your comments to
one or all of the following newsgroups:
alt.2600
alt.security
comp.security.announce
comp.security.misc
comp.virus
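
The trust decisions the post describes (dispatching on the server's Content-type, following redirects automatically, talking to any port) written as a client-side policy check. This is an added example, not part of the original post and not Netscape code; the allow-list, port rule, redirect limit and function names are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumed policy (constructed for this example): types the client renders itself.
INERT_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg"}
# Leading bytes a body must show before a declared image type is believed.
MAGIC = {"image/gif": (b"GIF87a", b"GIF89a"), "image/jpeg": (b"\xff\xd8\xff",)}
MAX_REDIRECTS = 5          # assumed hop limit
ALLOWED_PORTS = (None, 80, 443)  # None means the scheme's default port


def dispose(content_type, body):
    """Decide what to do with a response body: 'render', 'save' or 'reject'."""
    # Keep only the bare type/subtype; parameters such as charset are ignored.
    mtype = (content_type or "").split(";", 1)[0].strip().lower()
    if mtype not in INERT_TYPES:
        # The server's label alone never selects a helper application to launch.
        return "save"
    magic = MAGIC.get(mtype)
    if magic and not body.startswith(magic):
        # Declared type and actual bytes disagree: do not process the body.
        return "reject"
    return "render"


def next_hop(current_url, location, hops):
    """Return the redirect target if policy allows following it, else None."""
    if hops >= MAX_REDIRECTS:
        return None
    origin = urlsplit(current_url)
    target = urlsplit(urljoin(current_url, location))
    if target.scheme not in ("http", "https"):
        return None  # a redirect may not switch to file:, mailto:, etc.
    if origin.scheme == "https" and target.scheme != "https":
        return None  # no silent downgrade
    try:
        port = target.port
    except ValueError:
        return None  # malformed or out-of-range port
    if port not in ALLOWED_PORTS:
        return None  # the server does not get to pick an arbitrary port
    return target.geturl()
```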