Interesting People mailing list archives
IP: Why I haven't begun to be nasty to Netscape
From: David Farber <farber () central cis upenn edu>
Date: Sat, 23 Sep 1995 16:24:43 -0400
I think this raised some damn interesting points re responsibility. If ecommerce is to be for real, companies who do it will have to behave like REAL financial companies with all the hard work that comes with this. djf

To: jsw () neon netscape com (Jeff Weinstein)
Cc: cypherpunks () toad com
Subject: Why I haven't begun to be nasty to Netscape (was Re: The Next Hack)
Reply-To: perry () piermont com
X-Reposting-Policy: redistribute only with permission
Date: Sat, 23 Sep 1995 15:35:20 -0400
From: "Perry E. Metzger" <perry () piermont com>

Jeff Weinstein writes:
What else do you hope to gain by breaking a server key? I think the point has been made. Is there anything else that you would reasonably expect that we would do in response to a server key being broken that we have not already done?
Well, I don't know what the point was -- I don't think it's a useful effort -- but I would like to make the following comment.

One problem I've had is that this isn't some toy being built at NCSA any more -- it's something that lots of real money depends on. If I treated my security critical code for my wall street clients the way you guys have treated a lot of your code, I'd expect to be blackballed and never work at anything more lucrative than shoe-shining again in my entire career.

You've all been giving the very standard "We're overworked -- we didn't know -- I didn't look at that" sort of answers. That's all fine and well -- but when the money gets stolen or the plane crashes it isn't good enough. Code like this has to be treated with enormous seriousness. That means code reviews. That means people follow systematic security procedures -- and that's not just in the "security code" because that isn't where the break will come. It means that there are coding standards. It means people break their backs very very seriously checking everything and rechecking it, and then torture testing it.

You folks are still operating as if you are a garage operation when it comes to this stuff, even though you are selling commerce servers that people depend on for their business to operate. You guys have gotten off quite lightly -- you screw up in a way that could have cost your clients real money and all that happened is some bad press and pressure to fix things. However, don't expect to be treated that well next time. Those of us who are adults in this business expect that we won't get second chances if we fuck a client good and hard, and you guys shouldn't feel as though you've got another couple of strikes to go. As I said, if I fucked up that way I'd expect to have my career permanently ruined. You got off *easy*. In my part of the universe, which is very close to the part you guys have started to tread in, people treat this stuff very seriously.
As it happens, I know of some places in the financial community where people have started to act lazy. I'm expecting to see lots of people lose their careers when something bad happens.

Perry