1995-10-12 - Re: Basic Flaws in Internet Security and Commerce

Header Data

From: patrick@Verity.COM (Patrick Horgan)
To: herbs@interlog.com
Message Hash: 87047a4cb1944e2a10c4dfb691b1a58b339d4bca8ad62d505fc693d4b42dacb7
Message ID: <9510120401.AA15785@cantina.verity.com>
Reply To: N/A
UTC Datetime: 1995-10-12 04:04:51 UTC
Raw Date: Wed, 11 Oct 95 21:04:51 PDT

Raw message

From: patrick@Verity.COM (Patrick Horgan)
Date: Wed, 11 Oct 95 21:04:51 PDT
To: herbs@interlog.com
Subject: Re: Basic Flaws in Internet Security and Commerce
Message-ID: <9510120401.AA15785@cantina.verity.com>
MIME-Version: 1.0
Content-Type: text/plain


> 
> So: If you can't trust your path to your own file system, what can you
> trust?  (And this is without even talking about things like firmware
> upgrades and BIOS patches and all sorts of other potential approaches.)  Can
> we do no better than simply assume the local workstation file system can be
> trusted?
> 

Nah, it's not as bad as all that.  There's fixes to all of this, they're well
known, and actually in place at some places.  Because it's such a pain having
good security on all of the machines most sites choose to have really good
security on a firewall to keep the bad guys out, and through policy, isolation,
and less stringent security measures protect the machines inside the firewall.
That's not to say that everyone with a firewall has good security, far from it.
It's also not to say that everyone without a firewall is vulnerable, they're
not...I know folks with all of their machines buttoned up tight.  It's possible
to close most categories of holes, and to detect intrusions in progress.  You
say you're worried about the system being corrupted so that you can't trust
calls to the OS.  Some attacks do work this way, but you can prevent the attack
via a combination of good security and good practices.  And yes, secure 
authentication and transmission of data makes everything much simpler;)  Without
it you have to essentially pull up the drawbridge and trust no one outside the
moat, since there's no way of knowing if anyone, or any host is who or what they
say they are.  If anyone wants more specific information about how to protect
from various attacks I can help or give you references to the literature, but
I won't go into it here since I expect that most anyone you'd find on cypher-
punks knows all this at least in outline already.

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Verity's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Verity Inc.                 \\    Have       |
 |  patrick@verity.com        1550 Plymouth Street         \\  _ Sword     | 
 |  Phone : (415)960-7600     Mountain View                 \\/    Will    | 
 |  FAX   : (415)960-7750     California 94303             _/\\     Travel | 
  \___________________________________________________________\)__________/





Thread