[39526] in Cypherpunks

Re: NYT on Netscape Crack

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Sep 19 23:33:30 1995

To: jsw@neon.netscape.com (Jeff Weinstein)
Cc: cypherpunks@toad.com
In-Reply-To: Your message of "19 Sep 1995 08:13:40 GMT."
             <43lu3k$7q6@tera.mcom.com> 
Reply-To: perry@piermont.com
Date: Tue, 19 Sep 1995 23:24:15 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Jeff Weinstein writes:
> > I suspect that there are far more flaws in Netscape. String buffer
> > overflows are another good guess here -- they are probably rampant
> > through the code both for the browser and the commerce server they
> > sell. I can't prove it myself, of course, given that I don't have the
> > time to rip the thing apart, but the same folks never seemed to learn
> > their lesson in release after release when they worked at NCSA, and
> > the only thing that's probably keeping their dignity here is the lack
> > of distributed source code.
> 
>   Sigh.  For your information the security code for 1.x versions of
> netscape was not even written by someone from NCSA.

If there is ANY place in the code that I can do a data-driven buffer
overflow, I can force you to execute code that I supply. I don't give
a damn if it's in the "security" code. It makes no difference where it
is. If there is a chink, that's it -- you're meat.

Besides, the "security code" obviously was written by someone who
doesn't understand anything about cryptography and yet presumed to
play cryptographer. A person who thinks seeding things off the time
makes for a good PRNG is capable of almost anything.

> In the places in the code that I have seen where it looked like such
> errors could have crept in, I have found that the correct checks
> for buffer overflow have been in place.

I have very serious doubts in this regard -- VERY serious doubts,
especially given what I've been told by several former Netscape
employees.

Perry
