Re: Postscript in Netscape

[Nesta Stubbs <nesta@cynico.com>]

On Wed, 18 Oct 1995, Dr. Frederick B. Cohen wrote:

> Is it Netscape's position that when people call them on their statements
> they make irrelevant comments and inflamatory remarks toward legitimate
> researchers who are freely helping them understand the security issues
> they apparently don't understand?
> 
Jeff doesn't speak directly for Netscape, Doc.  Your previous suggestion 
didn't make much sense, the idea that a single peice of software must 
close ALL the holes across the board to be called "secure" is ludicrous.  
Granted it should cover all within it's domain, and provide safegaurds, 
but to expect Netscape to handle security problems that rightfully should 
be fixed in the TCP/IP protocol stack, or in the interprator for another 
language that happens to have a security hole and can be spawned off.  
Netscape does not come with a postscript app preset so the user has to 
make a conscious choice.  All postscript viewers I have used make mention 
of these security problems, and I would hope(tho do not for one second 
believe) that users read this warnings.  If they don't and set-up the 
browser to spawn off files of unknown origins, then they are taking their 
own risks and I do not think for one second netscape could be held 
responsible.  There is no defense against the dreaded DEU hole that 
exists on all systems.




Nesta Stubbs		     "Betsy, can you find the Pentagon for me? 
Cynico Network Consulting     It has five sides and a big parking lot" 
nesta@cynico.com			-Fred McMurray-