
Re: Postscript in Netscape



On Wed, 18 Oct 1995, Dr. Frederick B. Cohen wrote:

> WRONG!!! Netscape claims to be "secure" - hence it is Netscape's job to
> be secure - regardless of the user's use of their product.  Otherwise,
> the ads should read:
>
That just doesn't make all that much sense.  "regardless of the user's use 
of their product"?  Sure, like PGP should be considered insecure software 
because as a user I could use it on an ISP, and make my passwd two 
characters long and leave it set as an environment variable in the shell 
for the pre-mail script I have.  
 
> 	"Netscape can be used securely by sufficiently knowledgeable
> 	users who have emasculated their postscript interpreters before
> 	using them to view files of unknown origin, and who have removed
> 	all other known, unknown, and/or undisclosed security holes from
> 	their systems.  Otherwise, Netscape is insecure and should not be
> 	trusted."

No, otherwise the postscript viewer is insecure.  Netscape is not 
handling the postscript code, just passing it along.  It does not come 
with an application for postscript automagically set up for the user so 
you can't blame it for spawning an application without the user's 
knowledge.  Maybe there should (or is there already) be a note in the docs 
mentioning this, but of all the regular users I know, none of them read 
documentation.  To expect a system to call itself insecure because the 
user is stupid and invites evil in doesn't make much sense.  So I guess 
Java can NEVER be secure because if I want I can enable native calls and 
all the file access classes and other dangerous stuff for any application 
I want to and shut down all the inbuilt security.  It's Sun's fault that 
I'm dumb as a brick wall?

Nesta Stubbs		     "Betsy, can you find the Pentagon for me? 
Cynico Network Consulting     It has five sides and a big parking lot" 
[email protected]			-Fred McMurray-