NYT on Netscape Crack

[John Young <jya@pipeline.com>]

   The New York Times, September 19, 1995, pp. A1, D21.


   Security Flaw Is Discovered In Software Used in Shopping

   By John Markoff


   San Francisco, Sept. 18 -- A serious security flaw has been
   discovered in Netscape, the most popular software used for
   computer transactions over the Internet's World Wide Web,
   threatening to cast a chill over the emerging market for
   electronic commerce.

   The flaw, which could enable a knowledgeable criminal to
   use a computer to break Netscape's security coding system
   in less than a minute, means that no one using the software
   can be certain of protecting credit card information, bank
   account numbers or other types of information that Netscape
   is supposed to keep private during on-line transactions.

   The weakness was identified by two first-year graduate
   students in computer science at the University of
   California at Berkeley, who published their findings on an
   Internet mailing list Sunday evening.

   Although the Netscape Communications Corporation, which
   produces the software, said today that the flaw could be
   fixed and that new copies of the software would be
   distributed as early as next week, Internet experts said
   the discovery underscored the danger of assuming that any
   computer security system was safe.

   "There needs to be much more public auditability in the way
   these financial security systems are designed and
   implemented," said Eric Hughes, president of Open Financial
   Networks, a company in Berkeley that is developing Internet
   commerce systems.

   The Netscape software is already used by an estimated eight
   million people for navigating the World Wide Web portion of
   the Internet. On the Web, thousands of companies offer
   text, images, video and audio information, much of it as a
   way of advertising or directly selling goods and services.
   Because the Netscape software is not only easy to use but
   has also been promoted as a secure way of dealing with
   personal and financial information, it has been seen as the
   emerging de facto standard for on-line commerce.

   Already, a diverse group of companies -- including Wells
   Fargo Bank, MCI Communications, Internet Shopping Network
   and Virtual Vineyards -- have adopted Netscape as the
   vehicle for checking bank balances, catalogue shopping or
   buying wine on line.

   Although Internet experts agreed with the company's
   assessment that the flaw could be fixed and that it posed
   no risk to people who use the World Wide Web only to
   retrieve nonsensitive data, the security problem's
   disclosure may represent a public relations setback for
   Netscape Communications and an inconvenience to millions of
   people who may feel a need to replace the version of
   Netscape installed on their computers. Last month the
   company's shares began public trading and had one of the
   most successful first days in Wall Street's history,
   largely on the resounding popularity of the Netscape
   software.

   Today, as word of the security flaw circulated only within
   fairly small circles of Internet users, Netscape's stock
   closed with a slight loss, down 75 cents, to $52.50, in low
   Nasdaq trading volume.

   The company said it would release a repaired version of the
   software within a week. Users will be able to download it
   free over the Internet, through the Netscape site on the
   World Wide Web (http://home.netscape.com).

   The company had previously announced a next-generation
   version of Netscape that it said would be more secure than
   the original, and it said today that it would release this
   updated version within the next few weeks. But first it
   will remove the newly disclosed flaw, which is currently in
   the new version.

   "The good news and the bad news of the Internet is that
   when you put something up there, many more people can test
   it," said Mike Homer, the vice president of marketing at
   Netscape. "You also give yourself the opportunity of having
   people point things out which you can fix quickly."

   The company so far has distributed most copies of its
   program free over the Internet, under a strategy of making
   its money from commercial customers who use Netscape to
   provide services or for other business applications over
   the World Wide Web. So replacing the copies will not be an
   expensive undertaking.

   Instead, for Netscape Communications and for other
   companies betting their futures on the Internet, the real
   cost of this disclosure may be in the public's shaken
   confidence in the ability of computer companies to insure
   privacy and security for on-line commerce.

   The weakness in Netscape's security was discovered by Ian
   Goldberg, 22, and David Wagner, 21, two computer science
   students who share an office at the university and who also
   share an interest in the arcane science of cryptography,
   which is becoming increasingly important for business as
   companies begin to explore electronic commerce.

   The two students said they had decided to put the software
   to a test in an effort to raise public concern about
   placing too much trust in unproved electronic security
   systems.

   Netscape's security is based on a type of coding technology
   known generically as public key cryptography in which users
   exchange mathematically generated numbers -- or keys -- to
   encode or decode information. In such systems, a new key is
   created for each information exchange, based on a
   mathematical formula that is combined with numbers
   supposedly known only to the sender or recipient.

   The students found that by determining how Netscape's
   formula generated the number used as a starting point for
   creating a key, they were able to greatly reduce the
   potential combinations that would unlock the code. The
   starting-point number turned out to be based on the time
   and date of the transaction, combined with several other
   unique bits of information taken from a user's computer
   system -- bits of information that an electronic intruder
   could determine, if he were intent on intercepting a
   Netscape user's transactions.

   Knowing how the starting-point number was created greatly
   reduced the other possible components of the formula -- and
   the students found they were able to break the code in a
   matter of seconds using a standard computer work station.

   Netscape officials said today that they would strengthen
   the system, by making it significantly harder to determine
   the random number at the heart of their coding system. They
   said they would no longer disclose what data would be used
   to generate the random numbers.

   The announcement of the flaw was posted Sunday night on a
   computer network mailing list maintained by an informal
   group known as Cypherpunks. The group, which is made up of
   mathematicians, computer experts and privacy advocates, has
   been campaigning for more effective electronic security
   systems.

   The discovery is the second reported security weakness in
   the Netscape program to be posted on the Cypherpunks list
   in the last month. In August, Damien Doligez, a student at
   the Ecole Polytechnique in Paris, used a network of 120
   computers, running for eight days, to generate a Netscape
   secret key. But his was a "brute force" attack, requiring
   the computers to sample a vast range of numbers before
   coming up with a key that would break the code.

   The Berkeley students, in contrast, by identifying a basic
   flaw in the way Netscape set up its security system, were
   able to narrowly focus their attack to quickly break the
   code, with far less computer power.

   [End]