[4337] in WWW Security List Archive


Re: ActiveX Bank-Quicken Exploit

daemon@ATHENA.MIT.EDU (Phillip M Hallam-Baker)
Tue Feb 11 03:38:46 1997

From: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>
To: "WWW Security List" <WWW-SECURITY@ns2.rutgers.edu>
Date: Tue, 11 Feb 1997 01:22:19 -0500
Errors-To: owner-www-security@ns2.rutgers.edu

> Chaos Computer Club challenges the notion that hackers (modern vernacular) have
> no redeeming virtues.

They trashed one of the systems at a site I used to work at (before I was
there).
From the description at the site these people have no redeeming values. 

> They have in the past worked with financial institutions
> to reveal vulnerabilities with what at least appear to be nobel motives. 

I've yet to find a financial services company that admits to hiring known
hackers, and I'm in a position to be told the real story. They may claim
that this is the case, but it doesn't make it so. Even if they have been
hired, they might well not have been if their employer knew they had form.

> As to solutions?  Microsoft, Intuit and the users have to come to grips with
> this.  At a macro level this is almost a virus like issue.  You don't run
> untrusted code on your machine, as you.  Probably why unix viruses never took
> off.

The question is "what is untrusted". Most UNIX software was distributed as
source code and compiled by the end user. Windows software tends to be
binaries - even if you are prepared to give out source, the users probably
can't compile it. Account based protection is a good thing. If every system
was C2 compliant - not hard - then computer security would be much easier.

NB: UNIX is not C2 secure, merely "generally reckoned to be so"; even the
C2 kits tend not to offer genuine compliance. The standard makes explicit
requirements for documentation that I've never seen a UNIX system attempt.
Similarly, I fail to see how a system could possibly ship sendmail and claim
to be C2 compliant.

	Phill
