Student at UMBC finds Netscape program bug Hackers' discussion led to the discovery

October 10, 1995|By MICHAEL DRESSER | MICHAEL DRESSER,SUN STAFF

Ray Cromwell seems like such an unassuming young man. You'd never guess that, in the dead of night, this mild-mannered college student with a round, friendly face flicks on his personal computer and mutates into Cromwell the Conqueror, Scourge of Bugs.

But the people at Netscape Communications Corp. know his true identity. The 23-year-old senior at University of Maryland Baltimore County is one of a handful of far-flung computer hackers who have found widely reported security flaws in the company's wildly popular program for navigating on the Internet.

His actions, and those of his fellow members of the loosely-knit computer cabal called Cypherpunks, sent shock waves through the software industry last month and forced Netscape to rush out a new version of the Navigator program. The stampede of network traffic among Internet users anxious to receive copies of the fixed program was so great it brought the Netscape computer system to a standstill.

And what does Netscape think of all these shenanigans?

"Obviously we're very pleased to be able to very quickly fix our software . . . " said Jeff Treuhast, security products manager for the Mountain View, Calif., firm. "The 'Net is the best place to test 'Net products."

While Mr. Treuhast's company might not be a household name for most Americans, among the millions who surf the World Wide Web on the Internet, Netscape is AT&T, Windows and Coca-Cola all wrapped up in one. The Netscape Navigator is widely regarded as the easiest way to find one's way around what was once an on-line labyrinth.

In its 19-month history, Netscape's World Wide Web "browser" software has seized about 80 percent of the Internet navigation market and spurred the booming growth of the Web. Its initial public stock offering created a market frenzy in August, with the stock vaulting from $28 to as high as $75 in its first day of trading.

One of the vital bragging points for Netscape Navigator -- and a big reason the company has signed such heavy hitters as AT&T Corp. and MCI Communications Corp. to licensing agreements -- is its security. The corporate boasting about those features made Netscape the No. 1 target of the Cypherpunks, Mr. Cromwell said.

The math major from southwest Baltimore describes the Cypherpunks as an Internet mailing list of people who share a common interest in cryptography and computer security. The group has a strong following among hackers such as Mr. Cromwell.

The word "hacker" has taken on negative connotations, but Mr. Cromwell insists he is a hacker in the original sense of the word -- someone with a passionate interest in computer systems and how they work or don't. To their admirers, hackers are the Jedi Knights of the Web, using the power of The Force to expose weaknesses in computer defenses. Those who go over to the Dark Side and use their computing abilities to vandalize or steal are stigmatized as "crackers."

Mr. Cromwell said his hacking had its roots in an argument among the Cypherpunks about Sept. 20 over whether the Navigator program might contain some common programming errors that could open the system to invasion.

"I was arguing against the possibility of a bug like that being in Netscape," he said. But the discussion got him to thinking.

"After I went off-line, I decided to fire up a copy of Netscape and test it," Mr. Cromwell said.

It was early on Sept. 22 that he found the bug.

In simple terms, the flaw was a blank on a "form" where the user puts the address, or domain name, where a Web document is supposed to go. The problem on Netscape was that the blank only allowed a finite number of spaces. An extremely long domain name would spill over into the next blank, which would tell the computer where to go next.

Using the example of a 256-character limit, Mr. Cromwell said he found that he could create a domain name where the 257th and 258th characters fell on the next blank. Those characters would be numbers that would send the program to a place in the document where an insidious snippet of computer code could be stored.

What this meant, Mr. Cromwell said, was that he could create a Web page that would ensnare unsuspecting visitors.

"At that point, I can do anything I want to their machine," he said -- including deleting files, stealing data, trashing their computer or inserting a harmful "virus" program.

Mr. Treuhast acknowledged that the sequence of events Mr. Cromwell described could have happened, but he added that it was a highly unlikely scenario.

Mr. Cromwell said he posted a message describing the flaw to three Internet news groups frequented by computer enthusiasts. Within an hour, he said, a Netscape employee posted a reply saying that the flaw would be fixed as soon as possible. A Netscape spokeswoman, Christina Lessing, confirmed Mr. Cromwell's account and said the fix had been made.

Mr. Cromwell's success with Netscape already is paying dividends. He said that IBM, where he did an internship in cryptography this summer, has him testing its products for security flaws.

As for Netscape, Mr. Cromwell said, the company is no longer the No. 1 target of the Cypherpunks. He said the Cypherpunks have noticed that rival Microsoft Corp. has been using the bug reports to criticize Netscape, and they resent seeing their work used for commercial advantage.

So Mr. Cromwell has a message for Microsoft chief executive Bill Gates: "You say your products are better," he said "Let's see if they stand the test of the Cypherpunks."

Baltimore Sun Articles
|
|
|
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.