On Tue, 21 Jun 1994, C Matthew Curtin wrote:
> > > Mosaic had a major problem based on its extensive use of the
> > > system() call. It allowed rude WWW servers to run arbitrary commands
> > > on your machine when your Mosaic client connected to them. I don't
> > > trust the Mosaic source, it was written by a 22 year old. (Not to say
> > > that 22 year olds can't write secure software, simply most don't have
> > > the experience, mindset & skill to know what the attacks are likely to
> > > be, know that preventing them is a really good idea, and then be able
> > > to code things well enough that the attacks are actually blocked.)
> > Why should it take older people to write code that prevents attacks from
> > younger people!? I imagine most "crackers" are in their 20's.
> Generally speaking, lazy/insecure/whatever techniques (such as extensive
> use of system()) happen in code written by younger, less experienced
> programmers. I know, I'm 21, and am annoyed by the kind of code that some
> of my peers generate... (Note that the original author didn't say that
> being 22 means you write bad code, but he is correct in observing that
> being 22 means you're more likely to do so.)
> Has anyone taken a look at any commercial WWW clients from a security
> perspective? I don't expect that NCSA will really generate much more than
> demo or prototype-level stuff, and that we'll continue to have problems
> with TaxWare(TM), but it has shown interesting possibilities. Are there
> vendors out there really addressing the shortcomings of Mosaic?
> It seems to me that our jobs as admins are going to be complicated
> significantly as long as people are clamoring for stuff like Mosaic,
> without there being a good, secure (or less insecure :) implementation
> of that technology...
> C. Matthew Curtin, Ohio Division Data Processing Supervisor
> Transamerica Real Estate Tax Service +1 614 431 0647
> 1105 Schrock Rd., Suite 437 FAX: +1 614 431 0622
> Columbus, OH 43229 cmc @
Just saw a post yesterday that indicates that a new version of the NCSA
Mosaic application is available for beta. They also mentioned that they
have hired three new programmers to replace the ones that have gone into
the private sector. I believe that they are also looking for some more
programmers. I guess we haven't heard the last from them.
========== Mark E. Allen, mallen @
Clarke's Law: "Any sufficiently advanced technology
will appear to be MAGIC."