On 08/25/2013 08:32 PM, Jerry Leichter wrote:

> Where mail servers have gotten into trouble is when they've tried to
> provide additional services - e.g., virus scanners, which then try to
> look inside of complex formats like zip files.  This is exactly the
> kind of thing you want to avoid - another part of the "mission creep"
> that we tend to see in anything that runs on a general-purpose computer.

Absolutely agreed; the most reliable things are the least complex.

> That's 20th century thinking:  The computer is expensive, keep
> it busy.  Twenty first century thinking should be:  The computer
> is cheap - leave it alone to do its job securely.

My thinking is more like: The computer has a multitasking OS.  Whatever
else it needs to be doing will be in another process.  So you lose nothing
if you keep each process simple.  Or, if it's a single-purpose box intended
to provide security, don't dilute its purpose.  Keep it simple enough that
even installations of it in the wild, after unknown handling and in all
possible configurations, can be unambiguously, easily, and exhaustively
tested so you know they're doing exactly what they should be and no more.

> Realistically, it will be impossible to get little appliances like
> this patched on a regular basis - how many people patch their WiFi
> routers today? - so better to design on the assumption there won't
> be any patches.

Also agreed; online patches are the number one distribution vector of
malware that such a device would need to be worried about.  Firstly
because whoever can issue such a patch is a central point of
control/failure and can be coerced.  So send it out with an absolutely
sealed kernel.

                                Bear

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography