lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 11 Feb 2004 19:44:07 +1100 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: mouse@...ents.Montreal.QC.CA (der Mouse)
Cc: bugtraq@...urityfocus.com
Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer


In some mail from der Mouse, sie said:
> 
> > How does anyone know that you're not a virus/worm writer ?
> 
> Anyone?  Well, _I_ do.
>
> Anyone else?  The same way they know that of anyone: look at my record.

That's not good enough.  Sooner or later, the software industry is
going to have to change and declare that "no warranty" software
should be confined to isolated systems.

Saying "look at my record" is bogus.  I'm sure history is full of
people who appeared to be doing "good things" but later turned into
rotten eggs.  The public, at large, needs isolation from that.

> > Sooner or later, arguments that "I must do be in complete control and
> > be able to do everything myself" are going to be considered
> > laughable.
> 
> Perhaps.  I will be perfectly willing to be laughed at by anyone
> espousing such a point of view.  The whole point of having computers,
> to me, is to tinker with their software.  If what I write can help
> anyone else, so much the better.

Then I suppose, using the other points I was making, do it in a
fashion that certifiably poses no risk to anyone else - i.e. tinker
with them in a quarantined/isolated environment.

> _Someone_ has to be trusted to write non-malware.  Why should it be any
> less me than anyone else?

Because you (or should I say individuals) are not what I would
consider well placed to provide the sort of backing in terms of
guarantees & warranty & liability protection that will sooner or
later come into being.  Much as industry elsewhere is regulated
in what standard of products is suitable for public consumption,
sooner or later the bell will toll for software and at that point
I expect the bar to be raised beyond the reach of the likes of you
or I or other free software projects.  Unless we want to continue
to put up with buggy software and have no avenue for recourse.

> > Let me give you a hypothetical situation...
> 
> > Some time from now, all major commercial OS's come with signed
> > binaries, libraries, etc and there's a major virus outbreak.
> 
> > How does the virus manage to get executed everywhere?  Well, it's not
> > a trusted application, for starters.  (If it were then the signature
> > would provide the start of an audit trail for someone to blame.)
> 
> Yeah, right.  Pull the other one - it's got bells on it.
> 
> If you think such signatures would be any more worth trusting than SSL
> certs are today, I think you're deluding yourself.  Anyone who bothers
> to cobble up something letterhead-like and fax it can get an SSL cert
> in practically any name desired - or so I'm given to understand; I've
> never tried it myself.  I don't for a moment believe these signatures
> will be significantly better.

If there is a process that is at fault then it gets fixed and there
is a trail of who is to blame for the inadequate checking.  Just as
there is a trail back to the supplier of a certificate if there is a
problem with one issued.  Whether or not software certificates become
that easy/meaningless is a problem for the software companies.

> > One reaction might be that government says you are not allowed to
> > network, either directly or indirectly, computers that allow unsigned
> > applications to run on them.
> 
> Completely unenforceable.  Practically all the network links, all the
> way from the peering points on down, are privately owned, and the
> exceptions are generally not accessible to the public for transport
> between third parties; you are postulating "government" telling private
> entities that they may not permit their own infrastructure to be used
> by whomever they may choose.  I predict most of those entities will not
> take kindly to such dicta.

Tell me, can you connect any random piece of hardware to your phone
line, legally ?

Why should you just be able to connect any random piece of hardware
to the Internet ?  How does anyone know that what you are connecting
won't somehow endanger its stability ?

Tell me, if that is put on the platter as being the cost of defeating
worms that otherwise flood the Internet, can't you see most people
being willing to sacrifice it ?

> > And that of course begs the question, why should the rest of the
> > world be expected to trust you ?
> 
> My record, of course, same as anyone else "the rest of the world" is
> "expected to trust".

That's meaingless and valueless if your software comes with a
disclaimer that provides no warranty or guarantee.


I'm not going to discuss points that are more "nuts and bolts", such as
how do programmers develop in such environments, etc as I believe it is
just machinery that will fall into place as required.

Darren

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ