1996-12-17 - Re: Securing ActiveX.

Header Data

From: Adam Shostack <adam@homeport.org>
To: blake@bcdev.com (Blake Coverett)
Message Hash: 9492af03dda5e4f839d331f69c8d1d6b1d43910ef23a15b9688e13bda70e7c36
Message ID: <199612171754.MAA14421@homeport.org>
Reply To: <01BBEC03.C251AC10@bcdev.com>
UTC Datetime: 1996-12-17 17:57:26 UTC
Raw Date: Tue, 17 Dec 1996 09:57:26 -0800 (PST)

Raw message

From: Adam Shostack <adam@homeport.org>
Date: Tue, 17 Dec 1996 09:57:26 -0800 (PST)
To: blake@bcdev.com (Blake Coverett)
Subject: Re: Securing ActiveX.
In-Reply-To: <01BBEC03.C251AC10@bcdev.com>
Message-ID: <199612171754.MAA14421@homeport.org>
MIME-Version: 1.0
Content-Type: text/plain



	Why do people talk about sandboxes?  Sandboxes are places
where people play.  I want to run hostile code in a jail cell, with
carefully designed interfaces where my jailers can control the
messages it sends in and out.

	If this is a game, why is Microsoft spending hundreds of
millions of dollars to put ActiveX everywhere?  People are going to
start building safety critical systems with these toys, and should be
encouraged to engineer them for real world use.

	Crypto relevance?  Java is a pretty damned flexible tool for
writing pluggable cross platform modules, including crypto software.
It behooves us to make it solid.  See
http://www.brokat.de/welcomee.htm (English version) for pluggable
crypto.  See Ross Anderson's Murphy's Law paper for why cross platform
is so important.  http://www.cl.cam.ac.uk/users/rja14/

Adam

Blake Coverett wrote:

| I would be happier running an ActiveX control with Peter Trei's
| signature on it than I would an unsigned control in a sandbox.
| (This kind of a trust decision is probably the normal case in the
| intranet world.  ActiveX as it sits is quite sufficient for rolling
| out internal intranet applications.) 


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume






