| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Feb 2004 04:03:29 -0500 (EST) From: der Mouse <mouse@...ents.Montreal.QC.CA> To: Darren Reed <avalon@...igula.anu.edu.au>, bugtraq@...urityfocus.com Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer > That's not good enough. Sooner or later, the software industry is > going to have to change and declare that "no warranty" software > should be confined to isolated systems. It is not the software industry's place to decide that; that is for software consumers to decide...or not. > Tell me, can you connect any random piece of hardware to your phone > line, legally ? I think so. Unless you consider telco tariffs "law", and possibly even then. (Of course, this will vary with jurisdiction.) At most, I may be liable for damages caused - but it's hard to hurt even the CO end of a POTS line; this is a system designed in the expectation of lightning strikes. Disrupting the phone system as a whole is even harder. > Why should you just be able to connect any random piece of hardware > to the Internet ? The Internet is an agglomeration of private networks. The phone system isn't, or at least isn't in the same sense. This is the whole common-carrier argument over again. If you think the net is going to turn into a common carrier, fine, that may be a defensible point of view, but you shouldn't argue from analogy that assumes it without making that assumption explicit. > Tell me, if that is put on the platter as being the cost of defeating > worms that otherwise flood the Internet, can't you see most people > being willing to sacrifice it ? Yes, initially; I expect them to discover otherwise after they find out the consequences (and discovering also how hard it is to roll back such a change). I also fully expect that if "the Internet" is bludgeoned into common-carrier status, private - ie, unregulated - lines will promptly spring up in parallel with it (you _definitely_ can connect any old thing to a phone line, when it's a privately owned phone system (whose owner okays), rather than a common-carrier telco line)...and the common-carrier Internet will wither as the new, private-line, neo-Internet evolves back into more or less what we have. >>> And that of course begs the question, why should the rest of the >>> world be expected to trust you ? >> My record, of course, same as anyone else "the rest of the world" is >> "expected to trust". > That's meaingless and valueless if your software comes with a > disclaimer that provides no warranty or guarantee. I don't expect software to routinely come with warranty/guarantee in my lifetime or yours. If some government tries to mandate it, I believe that all that will happen is that software industry in the affected jurisdiction will wither and die. The state of the art is not yet to the point where such a thing is feasible, and I'm not convinced it _ever_ will be, much less anytime soon. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse@...ents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Powered by blists - more mailing lists