1995-11-17 - Re: Java & Netscape security [NOISE]

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: rmartin@aw.sgi.com (Richard Martin)
Message Hash: 6b12695a51c5187e9621ad1437f17c12c7c2b956485138913526d33786b688d3
Message ID: <9511170355.AA28616@all.net>
Reply To: <9511162021.ZM15853@glacius.alias.com>
UTC Datetime: 1995-11-17 05:04:14 UTC
Raw Date: Fri, 17 Nov 1995 13:04:14 +0800

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Fri, 17 Nov 1995 13:04:14 +0800
To: rmartin@aw.sgi.com (Richard Martin)
Subject: Re: Java & Netscape security  [NOISE]
In-Reply-To: <9511162021.ZM15853@glacius.alias.com>
Message-ID: <9511170355.AA28616@all.net>
MIME-Version: 1.0
Content-Type: text


...
> On Nov 16,  7:06pm, Dr. Frederick B. Cohen wrote:
> > 	So your claim is that Unix is perfectly secure for networking,
> > because without inetd, sendmail, ident daemon, HTTP daemons, syslogd,
> > and all those other add-on software pieces, if your users act perfectly
> > and nobody ever makes a mistake, you are safe from known attacks.
> 
> Nope. Claim is roughly along the lines of, unix is incredibly insecure
> for networking, because of inetd, sendmail, ident, httpd ... but *if*
> there's a bug in sendmail, the trouble is not with the poor sod who
> put file access into the kernel, and definitely not with the person
> who wrote pine--even though pine calls sendmail.

But of course, the sendmail problems are all related to other problems with
Unix, and the common thread to all of the sendmail attacks is Unix, so many
people blame Unix, not sendmail (although I think there is enough blame to
go around).

> > [summary of rest: postscript bad]
> 
> As you finally concluded, the problem is the web browser. I concede that
> a web browser is a security hole by its very nature in that it makes it
> a lot easier for anyone to grab anything from anywhere. (This is also
> why web browsers would be unpopular with censors, if censors thought they
> could get anywhere by arguing against web browsers instead of sites.)

Grabbing anything from anywhere isn't the problem.  The problem is how you
interpret it.  Information only has meaning in that it is interpreted.

> Since you've now stated that the web browser is wrong and evil and bad,
> perhaps it's time you explained your fix for the web browser.

I didn't say wrong, evil, or bad.  I only said insecure.  My complaints
against Netscape and Sun are not that their Web browsers are insecure -
it is that they are selling these browsers based on security.  The
general public, and most of the users in the world, don't perceive the
difference between SSL and Java and secure - they hear that SSL makes
them safe, that Java makes them safe, and they believe it. 

> The
> millions of users, even if they *aren't* the problem, even if they *are*
> blameless for blindly accepting anything anyone sends them, even if they
> are faultless to ignore any notes on security or care which come with web
> browsers--despite all of this--will still want something like a web browser.

It's like selling me a gun and calling it safe because it has a safety on it.
The safety doesn't make a gun safe, it only makes it safer against particular
classes of problems.  Gun sellers don't call guns safe, and neither should
sellers of Web browsers.

> Your argument seems to be running to "users are stupid", but it's the
> developer's fault that users are stupid, and the developer should protect
> the user in all cases from their own stupidity.

If the user claims to provide safety, that should apply to the least
knowledgeable user, not only to the most knowledgeable.  Almost any
system can be operated securely by the most knowledgeable user.  That's
not the market Netscape and Java are aimed toward.

> People shouldn't make web browsers, because web browsers, in untrained hands,
> can damage computers.
> People shouldn't make guns, because guns, in untrained hands, can damage
> computers.

I said neither.  I said that people shouldn't claim that Web browsers
are safe just because they have some safety features.  The same applies
to guns. 

> I would say that connectivity is risk, and that those who want connectivity
> must weigh those risks. I think most people weigh the risks of Netscape
> et al. and say, "the benefits offset the risks."

If that were true, I wouldn't have a real problem with it, but it's not
true.  Most people don't understand the risks.  In fact, even most
people on this list apparently don't understand the risks.  People see
benefits because they pop out at them on the screen.  People only see
risks when they get burned by them and are aware of it.

I think that very few people weigh the risks of Netscape/HotJava because
almost nobody is even aware of them.  Of the people that do weigh the
risks, many of them listen to people who say that Netscape/Java is
secure.  Very few of them pay real attention to the details of what is
actually claimed about security.

Then we have the people at Netscape/Sun and many of the people on this
list who keep telling people that these products are secure.  We hear
again and again that they should blame any negative results of using
these products on their users and the copy of ghostscript or postscript
they imported to make their browser read the files they want to read. 

If companies claim a secure browser, it should be secure regardless of
the typical errors and omissions made by the least sophisticated user.

> [web browsers don't destroy hard drives, numbskulls with mice do]

Current Web browsers are unsafe - so are most current users.  Bullets
kill people, but for the most part, people pull the triggers, and a gun
is the enabling technology.  When you hand millions of people who know
nothing about guns with loaded Uzis and put them into crowds, you can
hardly claim no responsibility when they start shooting each other. 

-- 
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236




