1995-11-17 - Re: Java & Netscape security (reply to misc. postings)

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: mrm@netcom.com (Marianne Mueller)
Message Hash: 2efc99864f39e456ce7bff9fba6045345bf4af93af3bf5a8292c81dfa36ebd82
Message ID: <9511162108.AA08466@all.net>
Reply To: <199511161933.LAA18504@netcom20.netcom.com>
UTC Datetime: 1995-11-17 00:23:04 UTC
Raw Date: Fri, 17 Nov 1995 08:23:04 +0800

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Fri, 17 Nov 1995 08:23:04 +0800
To: mrm@netcom.com (Marianne Mueller)
Subject: Re: Java & Netscape security (reply to misc. postings)
In-Reply-To: <199511161933.LAA18504@netcom20.netcom.com>
Message-ID: <9511162108.AA08466@all.net>
MIME-Version: 1.0
Content-Type: text


> 3.  Postscript considered dangerous:   (insert-smiley) 
> 
> As for the question of someone invoking a postscript interpreter via a
> browser and thus opening up their system to some rogue postscript
> file: I think it would be great if either of these two things were to
> magically happen:
> 
> 	1) people would stop putting postscript docs on web pages
> 	because it's the wrong technology for WWW - it wastes
> 	bandwidth - it's hard to view & hence often ugly - everyone
> 	just prints it out anyway and then complains because there
> 	is no one "standard" implementation of postscript printing
> 	worldwide and there are dozens of minor problems
> 
> 	2) someone could implement a secure postscript previewer
> 	(whatever that means!) 
> 
> I doubt either of those two things will happen.  The average Jo on the
> internet needs to understand that when s/he downloads binary files
> over the internet and runs them from insecure programs on their local
> computer, well, s/he runs some risk.  This risk might be tiny, but
> it's impossible to quantify loss.  If I lose a poem that I'm writing,
> to me that's priceless, so I do not intend to imply that loss of data
> isn't tragic for the person who loses it.  If you have data you can't
> bear to lose, be sure to practice safe computing.  Perform backups
> regularly, and use judgement about which interpreters and executable
> programs you allow to run on your PC.
> 
> Marianne

It seems clear from this that Netscape, or at least Marianne who seems
to speak for Netscape, doesn't understand the protection issues that my
clients face.  I will nevertheless forward this official Netscape line
to them so they can better understand why I tell them it is insecure.

-- 
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236




