1996-12-17 - RE: Securing ActiveX.

Header Data

From: Blake Coverett <blake@bcdev.com>
To: "'Cypherpunks'" <cypherpunks@toad.com>
Message Hash: 8e4b7a74f09ef23bee45670329f4506efb5fb2ef0e6bbdda00ecc0968a02c877
Message ID: <01BBEB92.ADD153B0@bcdev.com>
Reply To: N/A
UTC Datetime: 1996-12-17 01:52:48 UTC
Raw Date: Mon, 16 Dec 1996 17:52:48 -0800 (PST)

Raw message

From: Blake Coverett <blake@bcdev.com>
Date: Mon, 16 Dec 1996 17:52:48 -0800 (PST)
To: "'Cypherpunks'" <cypherpunks@toad.com>
Subject: RE: Securing ActiveX.
Message-ID: <01BBEB92.ADD153B0@bcdev.com>
MIME-Version: 1.0
Content-Type: text/plain


Jim McCoy wrote:
> The other problem is that the proposed Authenticode system and other "signed
> applet" systems only provide accountability after the fact.  This is little
> help when your hard drive is toast and the only proof you had was a logfile
> which was the first thing erased...  

No, it's not really the accountability that's the issue.  It's the
ability to choose before the fact that I 'trust' the software's author.

> The illusion that only "trusted software
> publishers" will be given blanket authorization is a pipe dream: users are
> sheep who will hit that "OK" dialog box as many times as necessary to get the
> tasty treat they are anticipating (and there is actual experimental evidence
> to back this up :)

Yup, point well taken.  <story user=clueless>I popped into an empty user's
cube last week to borrow the phone.  On the monitor was a post-it note from
one of his co-workers that read, 'Please write your password here:' and of
course the helpful fellow had done just that.</story>  With real users I
suspect only centrally administered security decisions that they can't override
will be effective.  Hmm... wonder what I can retrofit into IE to accomplish that.

> I expect that the first post-Authenticode ActiveX virus
> will be one to modify the signature checking routines or add additional keys
> to the registry which makes the second round of the attack appear to be a
> valid OS update from Microsoft. 

Shh... we have enough kool dewds floating around here looking for ideas.

> The state of the art was up to it quite a while ago.  Check out KeyKOS and
> other OSes which use capability semantics for access control.  

I agree 100%.  The intent of my comments was that such security *is*
possible, but it's not available in widely deployed mass-market OSes.
I'd love to hear feedback to the contrary, but it seems to me that it's
extremely difficult to layer that type of security onto an existing system.

-Blake (who's thinking about putting crazy glue into one user's floppy drive)
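The "trust before the fact" model Blake argues for, and the attack Jim McCoy predicts (an attacker adding his own key to the trust store so that a follow-on "OS update" looks legitimate), can be shown in a few dozen lines. The following is an added example, not code from the original message, from Microsoft, or from any Authenticode implementation: it uses Ed25519 as a stand-in for Authenticode's certificate-based signatures, generates all keys in-process, and assumes a single administrator key that signs the publisher allowlist, so that a user (or code running as the user) cannot extend the list by editing the stored blob.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Policy is the centrally administered list of publishers whose signed code may
// run. The list is signed by an administrator key so that neither the user nor
// code running as the user can add a publisher by editing the stored blob.
// (Hypothetical structure for this example; it is not the Authenticode format.)
type Policy struct {
	Publishers []ed25519.PublicKey
	Signature  []byte // administrator signature over encodePublishers(Publishers)
}

// encodePublishers produces the canonical byte string the administrator signs.
func encodePublishers(pubs []ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	for _, p := range pubs {
		buf.Write(p)
	}
	return buf.Bytes()
}

// SignPolicy is the administrator-side operation: only the holder of adminPriv
// can produce a policy that LoadPolicy will accept.
func SignPolicy(adminPriv ed25519.PrivateKey, pubs []ed25519.PublicKey) Policy {
	return Policy{Publishers: pubs, Signature: ed25519.Sign(adminPriv, encodePublishers(pubs))}
}

// LoadPolicy is what the loader does at startup. It rejects a policy whose
// publisher list was modified after the administrator signed it.
func LoadPolicy(adminPub ed25519.PublicKey, p Policy) ([]ed25519.PublicKey, error) {
	if !ed25519.Verify(adminPub, encodePublishers(p.Publishers), p.Signature) {
		return nil, errors.New("policy signature invalid: publisher list was tampered with")
	}
	return p.Publishers, nil
}

// Control is a signed code object: the code, the publisher's public key and the
// publisher's signature over the code hash (a stand-in for a signed ActiveX control).
type Control struct {
	Code      []byte
	Publisher ed25519.PublicKey
	Signature []byte
}

// SignControl is the publisher-side operation.
func SignControl(pubPriv ed25519.PrivateKey, code []byte) Control {
	h := sha256.Sum256(code)
	return Control{
		Code:      code,
		Publisher: pubPriv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(pubPriv, h[:]),
	}
}

// MayRun decides before the fact: the control's signature must verify AND the
// publisher must be on the administrator-signed list. There is no "OK" button;
// a publisher not on the list is rejected even with a valid signature.
func MayRun(adminPub ed25519.PublicKey, p Policy, c Control) (bool, error) {
	allowed, err := LoadPolicy(adminPub, p)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(c.Code)
	if !ed25519.Verify(c.Publisher, h[:], c.Signature) {
		return false, errors.New("code signature invalid")
	}
	for _, a := range allowed {
		if bytes.Equal(a, c.Publisher) {
			return true, nil
		}
	}
	return false, errors.New("publisher not in administered trust list")
}

// Scenario plays out the thread's attack with constructed keys: the attacker
// appends his own key to the stored policy so a later "OS update" signed by
// that key would look trusted. Returns (vendor accepted, attacker accepted
// after tampering, tampering detected).
func Scenario() (bool, bool, bool) {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	policy := SignPolicy(adminPriv, []ed25519.PublicKey{vendorPub})
	okVendor, _ := MayRun(adminPub, policy, SignControl(vendorPriv, []byte("vendor control v1")))

	tampered := policy // same admin signature, extended publisher list
	tampered.Publishers = append(append([]ed25519.PublicKey{}, policy.Publishers...), attackerPub)
	okAttacker, err := MayRun(adminPub, tampered, SignControl(attackerPriv, []byte("fake OS update")))

	return okVendor, okAttacker, err != nil
}

func main() {
	v, a, d := Scenario()
	fmt.Printf("vendor accepted=%v, attacker accepted after tampering=%v, tampering detected=%v\n", v, a, d)
}
```

The point of the administrator signature on the list is exactly Blake's: the trust decision is made once, centrally, and the user has no dialog to click through. It does not answer the other half of Jim McCoy's attack, though: an attacker who can already write the policy blob can usually also replace the pinned administrator key or the loader itself, which is why the thread ends up at OS-level isolation rather than another layer of signature checks.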
