[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Attacks on Products and Companies

At 12:02 AM 10/24/95, Ian Goldberg wrote:

>We should be keeping in mind that the goal here is to end up, in one way
>or another, with a _secure_ way of transacting on the net.  To that end,
>it may be necessary to demonstrate that some current products don't
>provide that way.  We certainly don't want people to be scared away
>from using one insecure product, only to use another, especially
>if the latter is less secure than the former.
>Everything would be _so_ much easier to check, though, if these
>people would stop this "security through obscurity" garbage and
>publish their protocols, if not their source.
>   - Ian "Mr. Worf, activate targetting scanners."

I don't wish to beat a dead horse, but my main point is not that we (the
list members, and others) should not be scrutinizing and trying to break
systems, but that it should be done with less general nastiness.

What do I mean by "nastiness"? (And let me first hasten to add that neither
Ian Goldberg nor his partner were nasty in their attacks on Netscape.)

The problem I see is that people often _personalize_ the attacks, or treat
members of companies who show up on the list as _adversaries_. I can't know
for sure if the various folks from Netscape, First Virtual, Digicash,
Intuit, etc., who hang out on this list feel besieged, but I know I sure
would. If everything I said, even with disclaimers that I don't speak
officially, were to be torn apart and the ulterior motives speculated upon,
I'd either shut up on this list or get off it completely. (Recall that we
had Marc Andreessen on this list last December--for whatever reasons, and
there are likely several, he left. I recall many attacks on his company. He
perhaps figured "What the hell do I need this for?")

Legitimate, scientific analysis is commendable. The brute force attack on
Netscape was great, and even better was the random seed attack. But many of
the attacks are less solid:

"How can you people at Digital Datawhack produce such crap? The assumptions
you make in the Flogisticon module are disgusting, another example of
security through obscenity."

(What I think this piling on is likely to accomplish is to push company
list subscribers here to just shut up. They see that the more is said by
folks from Netscape, as the best current example, the more fireworks and
insults ensue. The less that is said the better. This is not a good

I'm not arguing for "niceness," just that some of the edge be taken off the

The "bounties" that are being offered in press releases have the danger of
inviting premature announcement of results. And of discouraging companies
from actively participating in this list and discussing what might be done
to improve security.

Just my views. No doubt some will think I'm a shill for some company.

--Tim May

Views here are not the views of my Internet Service Provider or Government.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."