Re: Netscape Logic Bomb detailed by IETF



On Mon, 23 Oct 1995, Dr. Frederick B. Cohen wrote:

> > Yes, Mr. Anonymous, we all know postscript is dangerous. Thank you for
> > this stunning revelation. We've read the IETF documents before, and
> > some of us even helped write them.
> 
> Then you should support his point which is valid.
> 
I don't think they have vested interests at all.  I think that they are 
able to see that the problem is not with the browser.  You know 
"/bin/login" is insecure because it allows hooks for unpasswded logins, I 
mean if the user wanted to they could leave root unpasswded and if they are 
using "/bin/login" someone could get into their system just like that.

That point is NOT valid IMO.  

> I strongly disagree.  If Netscape provided a way to execute shell
> commands on your host from a remote computer, it would certainly be a
> hole created by their product.  The fact that the default shell is
> potentially dangerous means it's incumbent on those who provide access
> to it to provide adequate protection.
>
NO, postscript provides the method for executing shell commands if you 
accept postscript from anywhere.  Netscape can NEVER be "fool"proof 
against all hardware errors, particularly loose nuts on the keyboard.



Nesta Stubbs		     "Betsy, can you find the Pentagon for me? 
Cynico Network Consulting     It has five sides and a big parking lot" 
[email protected]			-Fred McMurray-