[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NYT on Netscape Crack



In article <[email protected]>, [email protected] (Perry E. Metzger) writes:
> 
> Markoff's article in the Times says:
> >    Netscape officials said today that they would strengthen
> >    the system, by making it significantly harder to determine
> >    the random number at the heart of their coding system. They
> >    said they would no longer disclose what data would be used
> >    to generate the random numbers.
> 
> Not, of course, that they disclosed it before -- it was found by
> reverse engineering the distributed executable. Not, of course, that
> they have a choice in the matter of whether to disclose it -- they
> will be "disclosing" how its done as soon as they release the
> code. Not, of course, that security through obscurity does any good --
> it just magnifies the pain.

  Regardless of what Markoff implies, we do not intend to depend on
security through obscurity.

> I suspect that there are far more flaws in Netscape. String buffer
> overflows are another good guess here -- they are probably rampant
> through the code both for the browser and the commerce server they
> sell. I can't prove it myself, of course, given that I don't have the
> time to rip the thing apart, but the same folks never seemed to learn
> their lesson in release after release when they worked at NCSA, and
> the only thing thats probably keeping their dignity here is the lack
> of distributed source code.

  Sigh.  For your information the security code for 1.x versions of
netscape was not even written by someone from NCSA.  The current
security team (which does not include the person who did the 1.x
version) also does not include anyone from NCSA.  While I can't
guarantee that such buffer overflow error don't exist in our
current products since I have not personally examined every line
of code, your generalization from experience with mosaic is bogus.
In the places in the code that I have seen where it looked like such
errors could have crept in, I have found that the correct checks
for buffer overflow have been in place.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.