[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [NOISE] Re: Postscript in Netscape

Dr. Frederick B. Cohen wrote:
> > Dr. Frederick B. Cohen wrote:
> > > I respectfully disagree. Netscape claims to be "secure" - hence it is Netscape's 
job to
> > > be secure - regardless of the user's use of their product.  Otherwise,
> > > the ads should read:
> > >
> > >         "Netscape can be used securely by sufficiently knowledgeable
> > >         users who have emasculated their postscript interpreters before
> > >         using them to view files of unknown origin, and who have removed
> > >         all other known, unknown, and/or undisclosed security holes from
> > >         their systems.  Otherwise, Netscape is insecure and should not be
> > >         trusted."
> >
> > Err...  If software companies were to follow your line of logic, software
> > boxes (all sorts of software) would become covered with fine print.  As
> > would ads for the software.  Although I'm sure industry lawyers would
> > welcome that, personally I think it would be quite sad.
> The point is, Netscape CLAIMS to provide security - Miscrosoft doesn't.

  Here is a quote from Microsoft's Internet Explorer 2.0 Beta announcement,
which can be found at http://www.microsoft.com/windows/pr/sept2895.htm:

    Internet Explorer 2.0 also provides users with a secure environment.
    Complete support for Secure Sockets Layer (SSL) and RSA encryption
    allows integration with secure sites. In addition, Internet
    Explorer 2.0 will support Private Communication Technology (PCT),
    which is an efficient and secure upgrade to the SSL protocol.
    Internet Explorer will also support Secure Transaction Technology
    (STT), an electronic payment technology jointly developed by
    Microsoft and Visa International, as soon as it is available. 

  There is that pesky word "secure", five times in one paragraph.

> >
> > A stupid example:
> > I can replace copy on your machine so that it does a delete instead.
> > Does that mean that the OS manufacturer has to warn a user about this?
> On my machine, if you replace copy with delete, it will be detected
> before it does the delete, and, unless you are very skilled, when I tell
> it to copy, the corruption will be automatically corrected.  This is
> because I use an "integrity shell" - something you guys at Netscape
> probably never heard of.

  What if they replace your "integrity shell"?

> > There's a point at which one has to hand off the assessment to the buyer.
> The point I have been trying to make that many on this list seem to ignore
> again and again, is that Netscape makes the security claims.  If you don't
> provide effective protection, don't make the claim.  If you want to make
> the claim back it up with something other than media hype.

  We are working on clarifying our security claims.  Here is an
example from the San Jose Mercury news on Aug. 17, 1995:

    "We have said for a long time that given the right amount of
    computer power, that a 40-bit key encrypted message could be
    decrypted," said Mike Homer, Netscape's vice president of marketing. 

> > This is my own opinion and also that of anyone who agrees with me.
> > I'm reading this group because it's very interesting for me personally.
> > There.
> All of our opinions are our own, and my opinion is that Netscape (not you) is:
>         - making inadequately supported claims about a nebulous
>         thing called "security".

  Here is one definition of the word "security" from the Webster's
New World Dictionary, Third Edition:

    protection or defense against attack, espionage, etc.

  Note that I make no claims that this is Netscape's definition of
security in our products.

>         - using it as a basis to get people to invest millions (billions?)
>         of dollars.

  Billions of dollars have not been invested in Netscape.  An examination
of the prospectus and the current stock price will bear this out.

  Here is a quote from the Netscape prospectus:

    The Company has included in its products an implementation of the
    Secure Sockets Layer ("SSL"), a security protocol which operates in
    conjunction with encryption and authentication technology licensed
    from RSA Data Security, Inc. ("RSA").  Despite the existence of
    these technologies, the Company's products may be vulnerable to
    break-ins and similar disruptive problems caused by Internet users.
    Such computer break-ins and other disruptions would jeopardize the
    security of information stored in and transmitted through the
    computer systems of end users of the Company's products...

  Of course anyone who is interested in investing in Netscape's
stock should get and read the entire prospectus.

>         - plans to use it to move millions, and eventually billions of
>         dollars over the Internet, potentially placing a fair chunk of the
>         world economy (I'm mot kidding) as well as individual privacy
>         (and thus freedom) at risk.

  It would have to be many billions of dollars before it becomes
"a fair chunk of the world economy", and I think that even the
most optimistic projections of internet commerce put that many
years in the future.

>         - may succeed unless people who do understand the implications
>         find a way to fix the thing.
> These things concern me, so I will stand my ground regardless of the
> flames and ask, yet again, for someone at Netscape to tell us what you
> mean by "security" when you make claims about it (I won't repost my
> questions from a few days ago since you have already ignored them) and
> why your claims are strong enough for a big chunk of the world economy
> to rest on it.

  I don't think that it is reasonable to expect that everyone who
asks for an official company position on some random mailing list
will get a response.  The people who make such statements are not
usually on such lists, and the have other forums for making public
statements.  Perhaps you should call our PR department for a statement.

  You are certainly free to "stand your ground", but I am also
free to not respond to you.


Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.