1996-02-01 - Re: Flaw in Netscape rejoinder (was Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards)

Header Data

From: Rishab Aiyer Ghosh <rishab@best.com>
To: jsw@netscape.com (Jeff Weinstein)
Message Hash: aa5b61d939953a8d05a3be935394ac2b65421fc31e23da5526e08c058442d7e6
Message ID: <199602011518.HAA22905@shellx.best.com>
Reply To: <311088AC.2891@netscape.com>
UTC Datetime: 1996-02-01 16:01:19 UTC
Raw Date: Fri, 2 Feb 1996 00:01:19 +0800

Raw message

From: Rishab Aiyer Ghosh <rishab@best.com>
Date: Fri, 2 Feb 1996 00:01:19 +0800
To: jsw@netscape.com (Jeff Weinstein)
Subject: Re: Flaw in Netscape rejoinder (was Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit Cards)
In-Reply-To: <311088AC.2891@netscape.com>
Message-ID: <199602011518.HAA22905@shellx.best.com>
MIME-Version: 1.0
Content-Type: text/plain


Jeff Weinstein wrote:
>   I think that you may have to rethink some of your assumptions that
> were valid back when you designed the system, but are no longer given
> the current growth and changing demographics of the internet.

This is all getting unnecessarily complicated. As I pointed out
in another post ("FV's blatant double standards") NO SYSTEM FOR
SECURITY IS SAFE when one allows for recipient compromise, i.e. 
privileged access to a recipient's system by a malicious program.

>   I'd really like to see some effort spent on closing some of the more
> gaping holes in the underlying systems.  Why should it be so easy
> for one program to snoop on the keystrokes directed to another?

Easy or difficult is not the point. In DOS it's possible for any program,
in Unix only for those with root access. Security fails when it is
not possible to make a distinction between a program that _should_
have access and one that _shouldn't_. Anyone who's tried to teach
novice DOS users what to do when one of those anti-virus TSR tools
complains that something is doing something it shouldn't will know
how hard it is for _users_ to guard themselves.

> Why should it be so easy for a program downloaded from the net
> to patch a part of the operating system?

I would think that most viruses are transmitted by floppy
disk, even now, or by programs _intentionally_ downloaded
and _intended_ to patch the OS (such as a screen blanker). 
The possibility of mass net-based creepy-crawlies has been
remote due to the uniquely multi-platform nature of Internet
protocols; they're Unix-based, but end-users have PCs. Only
metaplatforms such as Java, perlCCI, Telescript could change
this.

Rishab

----------------------------------------------------------------------
The Indian Techonomist - newsletter on India's information industry
http://dxm.org/techonomist/                             rishab@dxm.org
Editor and publisher: Rishab Aiyer Ghosh           rishab@arbornet.org
Vox +91 11 6853410; 3760335;     H 34 C Saket, New Delhi 110017, INDIA
