[4301] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Phillip M Hallam-Baker)
Sun Feb 9 00:45:17 1997
From: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>
To: "Adam Shostack" <adam@homeport.org>, "Robert Sheehy" <rsheehy@ac4.jjc.cc.il.us>
Cc: <skat@flask.com>, <WWW-SECURITY@ns2.rutgers.edu>
Date: Sat, 8 Feb 1997 22:07:47 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
> From: Adam Shostack <adam@homeport.org>
> Seems to me that the Java sandbox stands more in the way of
> this than the need for a certificate. Once you sign the code, you're
> golden with ActiveX. With Java, there's still a sandbox in place.
> Giving the user the control to say 'No, I don't want Java to take over
> my machine any time it runs' strikes me as a huge difference.
But can we trust the strength of the sandbox? It seems to me
that the Quicken issue demonstrates a somewhat cavalier attitude
to extending the abilities of the PC. Before PCs were connected to
the net the worst outcome was the loss of the PC and all data. Now
the potential downside is infinite.
Nathaniel Borenstein wrote a paper about the vulnerability of cryptographic
protection in finance systems. Allowing for the obvious interest in a
particular conclusion, I think that some of the points bear consideration.
We have to abandon the traditional model of computer security if we wish to
make systems secure on the net. The PC security model is now entirely
inadequate. The ActiveX vector is protected to a considerably greater
extent than CD-ROM. Perhaps people should get used to not loading a CD
unless it has a certificate.
Even certificates are only a palliative, a stopgap solution that is the
best we can hope for until PC operating systems separate management privilege
from user privilege. When I programmed VMS systems there were 32 distinct
privileges; as a rule I would enable only the ones I knew I needed for a
particular task. If a program failed for "lack of privilege" I would become
suspicious of why the privilege was needed.
The sandbox concept is a small-scale version of the same concept.
Unfortunately, to do useful work a program has to have access to critical data.
I remain very skeptical of the idea that a sandbox can be constructed securely
unless it is part of a radical operating system redesign.
Phill