1995-11-17 - Re: Java & Netscape security [NOISE]

Header Data

From: "Richard Martin" <rmartin@aw.sgi.com>
To: fc@all.net (Dr. Frederick B. Cohen)
Message Hash: 952e6995aacc126229ef5e49a39600d0f2f47eb285f7afa924c3204628e4794e
Message ID: <9511162021.ZM15853@glacius.alias.com>
Reply To: <9511170006.AA17075@all.net>
UTC Datetime: 1995-11-17 02:56:01 UTC
Raw Date: Fri, 17 Nov 1995 10:56:01 +0800

Raw message

From: "Richard Martin" <rmartin@aw.sgi.com>
Date: Fri, 17 Nov 1995 10:56:01 +0800
To: fc@all.net (Dr. Frederick B. Cohen)
Subject: Re: Java & Netscape security  [NOISE]
In-Reply-To: <9511170006.AA17075@all.net>
Message-ID: <9511162021.ZM15853@glacius.alias.com>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----


We see enough press releases around here that we can recognise pronouncements
from the mouth of a computer company and those from individuals who happen
to work for a company.

On Nov 16,  7:06pm, Dr. Frederick B. Cohen wrote:
> 	So your claim is that Unix is perfectly secure for networking,
> because without inetd, sendmail, ident daemon, HTTP daemons, syslogd,
> and all those other add-on software pieces, if your users act perfectly
> and nobody ever makes a mistake, you are safe from known attacks.

Nope. Claim is roughly along the lines of, unix is incredibly insecure
for networking, because of inetd, sendmail, ident, httpd ... but *if*
there's a bug in sendmail, the trouble is not with the poor sod who
put file access into the kernel, and definitely not with the person
who wrote pine--even though pine calls sendmail.

> [summary of rest: postscript bad]

As you finally concluded, the problem is the web browser. I concede that
a web browser is a security hole by its very nature in that it makes it
a lot easier for anyone to grab anything from anywhere. (This is also
why web browsers would be unpopular with censors, if censors thought they
could get anywhere by arguing against web browsers instead of sites.)

Since you've now stated that the web browser is wrong and evil and bad,
perhaps it's time you explained your fix for the web browser. The
millions of users, even if they *aren't* the problem, even if they *are*
blameless for blindly accepting anything anyone sends them, even if they
are faultless to ignore any notes on security or care which come with web
browsers--despite all of this--will still want something like a web browser.

Your argument seems to be running to "users are stupid", but it's the
developer's fault that users are stupid, and the developer should protect
the user in all cases from their own stupidity.

People shouldn't make web browsers, because web browsers, in untrained hands,
can damage computers.
People shouldn't make guns, because guns, in untrained hands, can damage
computers.

I would say that connectivity is risk, and that those who want connectivity
must weigh those risks. I think most people weigh the risks of Netscape
et al. and say, "the benefits offset the risks."

richard

[web browsers don't destroy hard drives, numbskulls with mice do]

- --
Richard Martin                           I DON'T SPEAK FOR ALIAS|WAVEFRONT
Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team]
rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu      http://www.io.org/~samwise
Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----




