1996-11-21 - Re: Finjan “SurfinGate”

Header Data

From: Mike McNally <m5@tivoli.com>
To: Adam Shostack <adam@homeport.org>
Message Hash: 0de4f818e8218fec1f48ccade8fa5c876a190311d7d2a048f773267f1f1a24f8
Message ID: <3294C256.6B88@tivoli.com>
Reply To: <199611212036.PAA04813@homeport.org>
UTC Datetime: 1996-11-21 20:59:51 UTC
Raw Date: Thu, 21 Nov 1996 12:59:51 -0800 (PST)

Raw message

From: Mike McNally <m5@tivoli.com>
Date: Thu, 21 Nov 1996 12:59:51 -0800 (PST)
To: Adam Shostack <adam@homeport.org>
Subject: Re: Finjan "SurfinGate"
In-Reply-To: <199611212036.PAA04813@homeport.org>
Message-ID: <3294C256.6B88@tivoli.com>
MIME-Version: 1.0
Content-Type: text/plain


Adam Shostack wrote:
> 
>         Does it access a file?  ...

Maybe I should have been more clear.

It's certainly true that one could concoct software that looked for
some tell-tale signs in Java applets or ActiveX controls (though it'd
be a little tricker in the latter case, I suspect).  What worries me
is that this sort of tool might provide a false sense of security to
corporate IS types (people who pay my company lots of money).

(Oh, gee, I see now that the last line of your message was "It could
lead to a false sense of security."  Rare concensus on cypherpunks.)

Anyway, there are lots of products like this (lots of virus scanners
claim to defend against "all current and future viruses"), and they're
not quite the same as sleazy snake-oil pseudo-crypto outfits.  It
worries me, if only as somebody with money in a bank that might be
rendered vulnerable, that a tool like this might be installed under
the illusion that an impenetrable wall has gone up around the 
network.

Seems to me that putting together an ActiveX control that "sneaks" its
way through the firewall risk policy wouldn't be hard.  Unless the 
applet scanner actually simulates execution of the control under a
variety of input conditions (and we know that's not likely) (but prove
me wrong, please) there's not much it can do other than poke around and
check what other DLL's the thing wants to access.  It might be a bit
harder to be sneaky in Java, but I certainly wouldn't bet I could look
at an applet and guarantee its safety to any threshold (if I could, why
not just do that in the browser?).

Believing in the safety of precertified applets/controls is scary 
enough.  Trusting yet another piece of software in the loop just seems
a little wacky to me.


(Oh, and in case Finjan is a Tivoli partner, or for all I know another
IBM company, I'm not speaking for Tivoli.)
-- 
______c_________________________________________________________________
Mike M Nally * IBM % Tivoli * Austin TX  * How quickly we forget that
mailto:m5@tivoli.com mailto:m101@io.com  * "deer processing" and "data
http://www.io.com/~m101/                 * processing" are different!





Thread