Date: Wed, 11 Feb 2004 04:03:29 -0500 (EST)
From: der Mouse <mouse@...ents.Montreal.QC.CA>
To: Darren Reed <avalon@...igula.anu.edu.au>,
	bugtraq@...urityfocus.com
Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer


> That's not good enough.  Sooner or later, the software industry is
> going to have to change and declare that "no warranty" software
> should be confined to isolated systems.

It is not the software industry's place to decide that; that is for
software consumers to decide...or not.

> Tell me, can you connect any random piece of hardware to your phone
> line, legally ?

I think so.  Unless you consider telco tariffs "law", and possibly even
then.  (Of course, this will vary with jurisdiction.)  At most, I may
be liable for damages caused - but it's hard to hurt even the CO end of
a POTS line; this is a system designed in the expectation of lightning
strikes.  Disrupting the phone system as a whole is even harder.

> Why should you just be able to connect any random piece of hardware
> to the Internet ?

The Internet is an agglomeration of private networks.  The phone system
isn't, or at least isn't in the same sense.

This is the whole common-carrier argument over again.  If you think the
net is going to turn into a common carrier, fine, that may be a
defensible point of view, but you shouldn't argue from analogy that
assumes it without making that assumption explicit.

> Tell me, if that is put on the platter as being the cost of defeating
> worms that otherwise flood the Internet, can't you see most people
> being willing to sacrifice it ?

Yes, initially; I expect them to discover otherwise after they find out
the consequences (and discovering also how hard it is to roll back such
a change).

I also fully expect that if "the Internet" is bludgeoned into
common-carrier status, private - ie, unregulated - lines will promptly
spring up in parallel with it (you _definitely_ can connect any old
thing to a phone line, when it's a privately owned phone system (whose
owner okays), rather than a common-carrier telco line)...and the
common-carrier Internet will wither as the new, private-line,
neo-Internet evolves back into more or less what we have.

>>> And that of course begs the question, why should the rest of the
>>> world be expected to trust you ?
>> My record, of course, same as anyone else "the rest of the world" is
>> "expected to trust".
> That's meaningless and valueless if your software comes with a
> disclaimer that provides no warranty or guarantee.

I don't expect software to routinely come with warranty/guarantee in my
lifetime or yours.  If some government tries to mandate it, I believe
that all that will happen is that software industry in the affected
jurisdiction will wither and die.  The state of the art is not yet to
the point where such a thing is feasible, and I'm not convinced it
_ever_ will be, much less anytime soon.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@...ents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

