1995-11-17 - Re: Java & Netscape security [NOISE]

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: rmartin@aw.sgi.com (Richard Martin)
Message Hash: fcb559abd04d77cc9051f0acee49f9dea70d69d291b70276cc8506eb8f0051bb
Message ID: <9511170006.AA17075@all.net>
Reply To: <9511161831.ZM14572@glacius.alias.com>
UTC Datetime: 1995-11-17 00:09:54 UTC
Raw Date: Thu, 16 Nov 95 16:09:54 PST

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Thu, 16 Nov 95 16:09:54 PST
To: rmartin@aw.sgi.com (Richard Martin)
Subject: Re: Java & Netscape security  [NOISE]
In-Reply-To: <9511161831.ZM14572@glacius.alias.com>
Message-ID: <9511170006.AA17075@all.net>
MIME-Version: 1.0
Content-Type: text


> Perhaps Dr. Fred fails to realise that some people *aren't* speaking
> for their entire company every time they write e-mail. [see fc.all.net--
> i always enjoy pronouncing that nearly phonetically]

I thought all Netscape and Sun communications come from their PR
departments.  You can't have it both ways.  Your position seems to be:

	If employees make statements that work out, it's OK.
	If their statements don't work out, you disclaim them.

This is baloney.  When you work for Netscape or Sun and speak about your
company's products, you are representing the company whether you
disclaim it or not.

...
> To have some slight cpunks relevance, I will weigh in on the side of
> `It's not X's responsibility to ensure that Y's software isn't broken.'
> {for all X, Y in {software developers}} Why? For the same reason that
> I'm not generally held accountable for, say, Gary Jeffer's opinions
> or Tim May's: because I don't have any control over them.

	So your claim is that Unix is perfectly secure for networking,
because without inetd, sendmail, ident daemon, HTTP daemons, syslogd,
and all those other add-on software pieces, if your users act perfectly
and nobody ever makes a mistake, you are safe from known attacks.

	I think this is ridiculous.

	When sendmail has a bug, most Unix systems become insecure.
When syslog has a bug, most Unix systems become insecure.  These are
commonly called Unix insecurities.

	When PostScript allows writing to files, most Web browsers
become insecure - including Netscape, including HotJava.  If the only
commonly available PostScript programs are insecure, the products have
hooks designed to allow PostScript to be used automatically to interpret
programs from over the net, and servers commonly provide information in
PostScript format, the enabling technology (i.e., Netscape and HotJava)
is responsible for the vulnerability.

	If it only worked under Unix, people would call it a Unix
vulnerability, but since it works under Windows and OS/2 and every other
system that runs Netscape or HotJava, it is a Netscape and HotJava
vulnerability.

	I would also call it a PostScript vulnerability, EXCEPT that
HotJava and Netscape ALSO provide hooks to command interpreters and
other insecure software, so we can't just pin it on the add-ons.  The
common thread is the Web browser, and that's where the blame belongs.
Not with the millions of users, not with the tens of add-ons, not with
the various operating environments, but with the one common thread, the
Web browser.


-- 
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
