1995-11-23 - Re: Java & Netscape security [NOISE]

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: karlton@netscape.com (Phil Karlton)
Message Hash: 96245481433c00a30138155e72ea2418bc5da42f564eabf9628e21acdfd3870e
Message ID: <9511231357.AA10766@all.net>
Reply To: <30B3CE64.6BF2@netscape.com>
UTC Datetime: 1995-11-23 14:00:43 UTC
Raw Date: Thu, 23 Nov 95 06:00:43 PST

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Thu, 23 Nov 95 06:00:43 PST
To: karlton@netscape.com (Phil Karlton)
Subject: Re: Java & Netscape security [NOISE]
In-Reply-To: <30B3CE64.6BF2@netscape.com>
Message-ID: <9511231357.AA10766@all.net>
MIME-Version: 1.0
Content-Type: text


> Alice (or someone representing themselves as Alice) said:
> 
> > What I'm trying to say is that if someone posts from watson.ibm.com,
> > and IF they are talking about OS/2, we will not accept that they are
> > not speaking independently of the knowledge they have garnered from
> > watson.
> 
> And that is understandable.
> 
> > In the same way, someone who writes from Netscape.com or AT&T, or Sun
> > and tries to disclaim that they are speaking for the company, when
> > they step out as an employee of a company is deluding themselves.
> 
> This is a complete non sequitur. See if you can follow this: only those
> authorized by the company to speak for the company are authorized to speak
> for the company.

This is not correct, at least according to legal precedent.  If someone who
is from Sun represents themselves as being from Sun (i.e., a Sun.Com email
address in their signature line), then when they speak (or email) about Sun,
its products, its policies, etc., they represent Sun.

> There is a genuine difference between a corporate officer saying
> 
> 	The Amalgamated Widget corporate policy on strong crypto is ...
> 
> and some engineer from Amalgamated Widget saying
> 
> 	My private opinion on strong crypto is ...

There is indeed a difference, but it's not as big as you might seem to
think.  Even more importantly, there is a difference between the person
from Amalgamated Widget speaking on strong crypto and the person from
Sun speaking on Java.

> The consequence of every statement by every employee being taken as
> company policy is that every employee (except for public relations) will
> be prohibited from contributing to any public forum or even answering
> apparently innocuous questions on the net. This would not be a desirable
> outcome.

In fact, employees represent the company any time they use company
names, symbols, stationery, return addresses, etc.

If the Netscape legal staff and corporate security board haven't made
this clear to management and employees, that's pretty bad.  If the
officers of Netscape haven't taken appropriate policy measures to notify
employees of this potential liability (it appears that at least they
haven't notified Phillip), then negative consequences could result in
personal liability to the officers (a shareholder lawsuit would be the
most common cause of such liability).  As a Netscape employee, you
should immediately point this out to the corporate person you report to,
and do so in writing.

This sort of lapse is a strong indicator that inadequate IT audit has
been done in Netscape.  In a comprehensive IT audit, such policy lapses
should be identified quickly and changes in corporate policies should
follow very closely. 

> Still speaking for myself,

You are still speaking for Netscape, but hopefully after reading this
message, you and your company will realize it.

> PK
> --
> Philip L. Karlton		karlton@netscape.com
> Principal Curmudgeon		http://www.netscape.com/people/karlton
> Netscape Communications

-- 
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236