[4757] in WWW Security List Archive


Re: Why do you think you can trust PC software? (was Re: Latest Java

daemon@ATHENA.MIT.EDU (Jay Heiser)
Tue Mar 11 11:27:25 1997

Date: Tue, 11 Mar 1997 09:21:58 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Dennis Glatting wrote:
> > > code is trustworthy. From a security perspective, signing a
> > > code blob offers little value other than verification of
> > > transport. It is a "trust me" model, which the Snake Oil FAQ
> > > offers appropriate commentary.
> >
> > I might be missing something here, but how do you trust ANY code?
> > Do you go to the store and buy commercial software in boxes and
> > put it on your computers?   There isn't a piece of commercial
> > software in the world that meets the above criteria.

> There is a big difference. When you buy software in a store you
> know an origin and a monetary transaction takes place. That
> gives you traceability and, in most cases, legal means. It also
> gives you reproducibility, i.e., evidence. These things are
> less available to you over the net where code is often loosely
> traceable and you are less likely to have legal means.
> 
> -dpg

There isn't a software vendor in the US who provides a guarantee that
doesn't specifically preclude liability.  I'm not aware of anyone ever
successfully suing a vendor of packaged software for damages caused by
their product.  The buyer assumes all the risk.  Period.

I'm not going to argue for or against MS certification scheme.   My
contention is that if properly implemented, a digital certificate
infrastructure should give you at least as high a level of assurance as
you get now with commercial software (which is saying very little).

It's much harder to counterfeit a certificate than to bootleg software.
You could steal those hologram stickers on the outside of a Microsoft
box and repackage your own evil software, but if you stole certificates
they could be revoked (granted, the theft would have to be discovered).

PCs are vulnerable to a host of security probs -- connecting them to the
web adds more vulnerabilities.  It's not like they ever were an
especially safe environment.   Believe me, users are going to execute
code over the net. We can make it safe & easy for them, or we can make
it hard, and they'll just circumvent security.  

(see the next messg in this thread)

-- 
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com
