[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Netscape rewards are an insult
> I have a better idea. How about an open market in break-in
> software. We crack Netscape and offer the crack code to the highest
> bidder. Bids start at US$25K per hole. For the insult, Netscape has to
> outbid the competition by a factor of 2 to get the details of the hole.
You're talking gaping security holes. They're merely talking bugs. I
don't know if it's already been covered elsewhere, but I saw Jim
Clark at a press conference in Paris a couple of weeks ago, and he
more or less laid out what he intended to do about security:
"First of all, I am chairing an audit commitee for security. All new
security-related and encryption-related mechanisms that we build into
our products has to go through this audit commitee before being
released. The audit commitee hires outside auditors, security
auditors, particularly RSA and experts out of academia, Ron Rivest
from MIT and people like this to do the audit of our security
systems. Another thing we're doing is publishing the source code
which does the security so people can just see what the algorithms
are. Had we done that in the first place, if we had published our
source code, people wouldn't say 'ha ha! It's easy to guess that
you're using this gate as the starting point of the random number'.
So we think that by publishing the algorithms, having a security
audit by an outsider auditor... it's sort of like the accounting
profession, they have an audit commitee on the board of directors,
the audit is actually done by an outside financial institution and to
some degree it's exactly what's happening in security. We think that
we were the first company to introduce this technology to the
internet and so we were the first company to come under attack. We
were careless, and we're not going to be careless in the future."
I haven't seen Netscape deliver on this promise of publishing their
encryption code, so I'll keep the promise on tape for a little while
(-:
Best, Cedric.
---------------------------------------------------------
Cedric Ingrand - [email protected] - +33.1.43.98.88.56.