Re: [NOISE] Re: Postscript in Netscape

["Julius A. Cisek" <jules@netscape.com>]

At 10:31 PM 10/18/95 -0400, you wrote:
>The point is, Netscape CLAIMS to provide security - Miscrosoft doesn't.

What do you mean by claim?  That a software "does something", right?  So if
a manual claims that copy will make a copy of a file, but someone has hacked
it to delete instead, isn't that the same thing?  Okay, it's a bad analogy
(take cover, a few more follow) but do you see my point?

Don't get me wrong.  I follow your logic, I just don't see how this will
benefit the internet business.  Many car manufacturers claim that their
air-bags make their cars safe, but do we expect them to add a disclaimer
that this is not the case when the car is set on fire?

When I buy The Club for my car am I expected to believe that it makes my car
invulnerable to burglary?  Yet the manufacturer "claims" just that!

I think pressing your idealism would render the word "secure" useless in any
situation, whether we're talking about software or diapers.

>On my machine, if you replace copy with delete, it will be detected
>before it does the delete, and, unless you are very skilled, when I tell
>it to copy, the corruption will be automatically corrected.  This is
>because I use an "integrity shell" - something you guys at Netscape
>probably never heard of. 

Personally, I haven't (but it sounds interesting).  So should the OS
provider tell it's users to use the integrity shell?

I get the feeling you think we're all a bunch of fledgling and ignorant
fools here.  In reality some of the brightest people I've ever met work
here.  And everyone here is taking personal pride in our products and
staying very much on top of what's going on around us.  We're not trying to
pull a fast one, we really want this stuff to work (and I truly believe that
we make the best, most secure browser on the market, period).

>> There's a point at which one has to hand off the assessment to the buyer.
>
>The point I have been trying to make that many on this list seem to ignore
>again and again, is that Netscape makes the security claims.  If you don't
>provide effective protection, don't make the claim.  If you want to make
>the claim back it up with something other than media hype.

We really don't control the media hype (we certainly don't have the $$$ to
buy a Rolling Stones song) and it (the media) has the potential to hurt us
as much as it can helped us.

Again, I see your point here, but this is capitalism after all.  I'm sure if
our "holes" are bad enough then we will be naturally selected out of the
picture.  I know, it would be nice to avoid the damage to the "customer",
but there is no way to do that.  The only way someone on the internet can be
truly secure (whatever that means) is not to be on it at all.  However, as a
user of the Navigator I'm not terribly paranoid about my security being
breached.  *To me* the product IS secure because breaching that security is
hard enough that in all likelihood no one will bother.

>	- making inadequately supported claims about a nebulous
>	thing called "security".

To me security doesn't mean anything absolute and I think it's wrong for
anyone to argue for absolute security because it's unachievable.  To me
security means making it harder for people to mess with my "stuff".
Therefore the Netscape claim is quite reasonable.

>	- using it as a basis to get people to invest millions (billions?)
>	of dollars.

People have invested in much more dangerous endeavors throughout history.
What's wrong with that?  And I'm sure there are people who are investing in
Netscape for other reasons (like, for example, because we're really cool,
which I can tell you is absolutely true <g>).

>	- plans to use it to move millions, and eventually billions of
>	dollars over the Internet, potentially placing a fair chunk of the
>	world economy (I'm mot kidding) as well as individual privacy
>	(and thus freedom) at risk.

Not any more than credit cards are already doing!  Come on, a trash can at
K-Mart is a lot less secure than the Navigator.  I do understand the
difference, but there is no such thing as absolutely secure transactions
involving money in any medium.  The point is to try and make it hard enough
to make it a rare occurrence.  I feel that we do that.

>	- may succeed unless people who do understand the implications
>	find a way to fix the thing.

Maybe we will do that here!  <g>  Again, you're not giving us enough credit,
imho.

>These things concern me, so I will stand my ground regardless of the
>flames and ask, yet again, for someone at Netscape to tell us what you
>mean by "security" when you make claims about it 
>why your claims are strong enough for a big chunk of the world economy
>to rest on it. 

If we truly are so evil and/or stupid, people will find out and the
competition will crush us.  Frankly, I'm more worried about people who try
to "protect the ignorant masses" than a hacker who breaks my code for a
credit card transaction.

>(I won't repost my
>questions from a few days ago since you have already ignored them)

I did not ignore them.  I didn't see them.  They must have been in a thread
that was not interesting to me.  Also, I only casually glance at this group
when I have a free moment, which isn't very often.

Ugly disclaimer:
This post is not an official Netscape statement.  As a matter of fact it's
not a Netscape statement at all.  I am merely posting from my Netscape
account.  I'm truly sorry about this, but that's just part of the business.
Therefore, please don't make any "claims" based on this post.

~Jules (Julius Cisek)   /- __  -   mailto:jules@netscape.com
Server Eng, NETSCAPE  /\ >\=/\ --- http://home.netscape.com/people/jules
MtnView-CA-USA-Earth  \/   -\/ --  p:415.528.2968 f:415.528.4122
          ---===> COGITO ERGO VROOM <===---