
Re: Netscape question transformed

On Fri, 13 Oct 1995, Rob L wrote:

> Actually, it is not jeopardy that they get from doing so, but some of the 
> best bug finders and security experts on the planet.. for close to free.

Actually, this is a very dangerous game to play, because realistically
Netscape gets both, foe and friend.  And they risk not only the entire 
company by taking this action, but they also pose risk to the public.

They might get someone who responsibly tries to point out an incredibly
poor design methodology within ALL of Netscape's code -- the existing
installed code base as well as the new beta code.  Someone who points out 
this fatal design flaw to the public and not only to Netscape.

Or they might confront someone who announces that numerous pointers have
been placed in roulette programs making the Web under Netscape a little
more like playing Russian Roulette, rather than safe, fun entertainment.
Netscape clients might face a customized plexus, one that delivers dynamic
documents.  One time in six (if you're running CURRENT Netscape release
software) it deletes your WIN.INI.  Some machine in Bucharest reaches
right out, and wipes you clean.  Or maybe it just downloads all of your
Quicken files. 

Netscape is clearly not thinking clearly, here.

The issue here isn't "Bugs" and Netscape's so-called Bugs Bounty program. 
It's a broader question of design methodology and of design process.  Does
Netscape have a product that has any worth and utility??  Does Netscape
have a product which can go through a "Product Evaluation" and then a
"Certification Evaluation" as set out in the US Department of Defence's
Orange Book??  Or does Netscape's product fail the giggle test. 

> If hackers can find 10 bugs before final release, it means there is a 
> good chance that they will fix those bugs before final release.
> Think of it this way.. you practice a new task until you are competent at 
> it.. beta code is the same.. it is the practice or scratch code that may 
> be refined into the final product.

I'll beg to differ on this one.  This is not about hackers, nor is this
about crackers.  We are not talking about some shareware game program
here.  Nor are we talking about a word processor, spreadsheet, or draw
program.  We are talking about a program that has a different mission.

The standard here is different.  

A bug in code that makes your system freeze is different than a sloppy
design methodology that allows someone to literally take complete control
of your machine from any other machine in the world, whether that machine
is foreign or domestic. 

Code which seeks to secure a public network connection calls for a
different programming altitude than writing common PC code.  The
tolerances are different, the expectations are different, and the
challenge (which was summarized most cogently by a UK friend) distills to
a single basic issue. 

           How do you invite a few billion people into your 
           home without having one of them nick the silver??

Evaluation of technical computer security effectiveness is not
accomplished by the release of "practice code".  It has to start from the
ground up.  And it is certainly not assisted by having a corporate
communications policy that is geared to NOT opening a communications pipe
with someone who has attempted to offer constructive technical criticism. 

Let me make this absolutely clear.

It should not be up to non-US citizens like myself to safe-guard US
economic security, and protect vital national interests.  It is not my job
and certainly not my responsibility to protect the international public
and Fortune 500 companies from poor security. 

When that attempt is made however, the effort should not be stymied by
Netscape's thinly veiled attempt at information free-loading through
public-relations puffery.  From this vantage point, Netscape's press
releases have the stench of some two-bit penny stock hustler -- something
I'd expect from some Vancouver Stock Exchange promoter, rather than the
standard expected of a company with a Two Billion USD ($2,000,000,000)
market capitalization. 

After emailing the company more than two days ago, I would hope that a
communications channel would have been opened, or alternatively I would
have held out a hope that someone from Sun or Netscape might have made an
official comment here or publicly.  I would have expected something 
other than a stone-walling silence.

My Friday the Thirteenth post obviously has people shaken. Clearly, Friday
was not the day to comment about this serious problem.  There was no
utility in causing panic and disrupting trading in Netscape stock,
especially in a market that can only be characterized as frothy.  But now
here we stand, many hours and days later, with the questions raised
remaining unaddressed, and with my copyright restriction on my Friday 
post hereby, and herein explicitly waived.

The question is no longer simply a question of whether Netscape can
produce quality code, but a new question rises on the horizon.  Does
Netscape have the management depth and experience to meet daily corporate
requirements??  And is the promise of Internet commerce, whether put
forward by Netscape, Microsoft or AT&T, simply a pipe dream? 

A very risky game, they like to play ...

Or since I had already spoken of Dominick Dunne on Friday, perhaps a turn
this Sunday to Johnnie Cochran and his fine choice of words: 

          "Whom will I trust as I will adders fang'd
          They bear the mandate; they must sweep my way,
          And marshall me to knavery.  Let it work;
          For tis the sport to have the engineer
          Hoist with his own petar: and 't shall go hard ..."

Alice de 'nonymous ...

                                  ...just another one of those...

P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.