
Re: Netscape rewards are an insult

Alice here ...

I know that this is *painfully* dated, and I apologize to the list for
replying to a one month old post, but I felt I had to put some final items
on the record.  And I think that this is still timely ... so ... 

On Sat, 14 Oct 1995, Dr. Frederick B. Cohen wrote:

> Phil typed:
> > Have things really come to this?  Besides the legal implications of
> > discovering a hole and then selling the information to someone, (who
> > presumably will only want this information for one purpose) where has
> > the attitude of doing for the sake of doing gone?
> It's one thing to do good for the sake of doing good.  Most of us do that
> every day by participating in this list.  It's quite another thing to be
> insulted in the process.  I think that Netscape's reward is an insult,

Dr. Frederick B. Cohen has nailed it once again.  He's right. 

But Phil's comments really need to be addressed ... vis-a-vis the
implications of "discovering a hole and selling it".  Phil's hypothetical
is rightfully worrisome, but we should remember it _is_ only a

Let's not worry much about hypotheticals.  Perhaps we should worry more
about what in fact IS an ACTUAL, rather than what might possibly be. 

The hand-wringing should be over the existing reactions to publicly
ignored security holes and the ETHICS of the new Internet players.  

The ones who are so very cock-sure of themselves.  So cock-sure, that
they willingly gamble with public security and think that their invasion
of individuals' personal boundaries and privacy is nothing noteworthy. 
That it will just somehow pass. 

My post detailing a structural flaw in Netscape Navigator was announced,
very quietly, to this list OVER ONE MONTH AGO.  And what has been done
about it, by AT&T and/or Netscape??  Nothing. 

AT&T has its reputation attached to this code, as does Deutsche Telecom,
as does Netscape.  The only "action" they've taken is to info-freeload and
then do absolutely, positively, definitely ... nothing. 


No one has taken any action whatsoever.

How would we treat a company ... let's say a construction company that
found out that one of its buildings was unsafe, and then proceeded not to
barricade the complex.  If the company found out that the girders were not
up to the engineered spec, and simply allowed risk and harm to continue. 
If the Company thought it was OK to gamble with people's lives?  Would we
say that the reckless disregard for the public interest merited criminal

Hopefully, we would.

To attack some hypothetical "information provider" for selling some
"hypothetical" information which a corporation denies is actually of any
value, at all -- nominal, or otherwise -- is an argument that just doesn't
float.  It completely misses the mark. 

> If they think you can find major security bugs in Netscape for as little
> as $1000, they should take the product off the market, or at least stop
> claiming that it offers security.

They should definitely take the product off the market.    


They should also stop claiming that it offers any security.  In fact, they
should attach a product warning label, something that says that Netscape
Navigator degrades your inherent safety and security as soon as you use

That would be the "right thing" to do.  Because that is truthful.

AT&T's "brass" should have used the "Tylenol" or "Perrier" crisis
management model on this one.  Rather than, "The stick your head in the
sand like an ostrich" model.  Or the "Gee, maybe if I close my eyes, and 
pull the covers over my head, the boogie-man will go away" school. 

Someone has to call them on their collective jump into the World of
Management by Denial.

The issue here isn't the so-called "reward", the focus should rightly be
placed on who knew what and when they knew it, and what they did as a
consequence.  The issue is whether these Goliath Companies, happily roll
the dice when public safety and security is on the line. 

It's that simple.  A real no brainer.

> >  Has Netscape been pestering
> > security experts on the net for free work?  Have they been plaguing
> > people or lists with email asking the net to do their jobs?
> They do far worse.  They claim security when they don't have it, and
> when the cypherpunks demonstrate the false claims, Netscape offer
> insulting future tribute.  I think that if they are sincere, they should
> reward the individuals who found the last few holes with $25,000 each,
> and show that they really mean business.

Actually, they said that they want to "harness" the power of the internet,
and in return offered a chance to be enrolled in a contest for a mug or a
T-shirt, or maybe ... if they ... in "their sole discretion" thought
something was a security bug, then they'd offer a $1,000 award. 

Not *pestering* security experts, but simply asking them to sorta, kinda
take a look at the product.  Look, and help build the Companies' fortunes,
while the "Creative" talent might get a nice Netscape mug for their

This is what Netscape DID, but this isn't the true issue.

The true issue is a question of attitudes, not of monetary compensation. I
really don't care if Netscape or AT&T offer gold stars and nice little
pats on the head, or offer many "millions" or offer $25,000, or expect the
world's foremost security auditors to work for T-shirts or a bitta

That's not the issue.

I just don't believe that any company should on the one hand represent
that they have a secure product -- that they actually care about security
 -- while on the other hand they take their black-box code and say that
anyone who brings an error to their attention -- a critical security flaw
 -- agrees implicitly to make the report the Company's property -- property
to be used at the Company's sole discretion. 

A security review audit is first and foremost for the benefit of the end
users.  The audit is not so that the company can use the information for
its own purposes.  The information is not there so that the company can
use a confidential auditor's report on security flaws to spy on their own
customers, and it's certainly not there to enable a code cover-up.

Hell, these firms try to cover up even when the information is PUBLIC, let
alone when it's given to them in private.  And the crying and whining is 
unbecoming, because the attempt at private communication was made.

It was made with both Netscape, and with AT&T.

> > The ironic part is the people who have been the most successful at
> > finding bugs are not the ones who are demanding money for it!

You're right.  The people who find the bugs simply ask that the public
interest be served ... that the Network's interest be served, and that the
National interest be served. 

Defective product serves no one, and adding an object to an existing
computing environment under the rubric of an experimental data type serves
no-one.  Correction, it serves no-one except those who would rather see
harm come to the public. Those who value and place their own self-interest
above that of others. 

And the consequences be damned.

> The ironic part is that a company that claims to have a "secure" method
> for using credit cards on the Internet thinks that their security is so
> weak that it only takes $1000 to find a major hole.

The ironic part is that even once a critical design flaw is identified, no
action is taken by anyone -- even when the person who finds it demands no
money whatsoever for it -- the real irony is that the press is silent, and
so is the company. 

See no evil, speak no evil, hear no evil.

Let the harm and damage continue ... by my calculation, it's been one
month already ... shall we maybe try now for two?? 

I don't think so. 

> --
> -> See: Info-Sec Heaven at URL http://all.net
> Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

Alice de 'nonymous ...

                                  ...just another one of those...

P.S.  This post is in the public domain.
                  C.  S.  U.  M.  O.  C.  L.  U.  N.  E.