> (And before you mention the current worm infecting Linux apache sites,
> that's also caused by bad design, not a problem that requires
> hardware to fix.)

and

> In any case, all of this is silly. Palladium is no more likely to be
> bugless than the OS. If you break it, why is that less damaging than
> breaking the OS?

Bruce Schneier has a great take on this - secure systems should fail well. Pd is designed to fail well - failures in SW design shouldn't result in compromised secrets, and compromised secrets shouldn't result in a BORE attack.

I've talked about the processes we are using to make sure that this is true, but for a start we are gen'ing headers from formal specs. The specs are reviewed for architecture and security before spec changes are approved, and only then can you get a new header. We are doing a formal proof on parts of the design (those upon which the security model depends). This process should keep the bugs we do get from jeopardizing the security model.

P

----- Original Message -----
From: "Perry E. Metzger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, September 16, 2002 1:32 PM
Subject: Re: Cryptogram: Palladium Only for DRM

>
> AARG!Anonymous <[EMAIL PROTECTED]> writes:
> > One likely use of Pd for banking software would be to use the "secure
> > vault" to lock up account number and password information. This would
> > ensure that no other software than the banking client could access this
> > data,
>
> That's what an MMU and file permissions are for. Palladium isn't
> needed for such a thing.
>
> > so that if you got a virus it would not be able to empty your
> > banking account.
>
> Why not simply design the OS so it is not a likely victim for viruses?
> This is a general security problem, not one special to banking
> operations. My own machine doesn't seem to get viruses -- but then
> again it doesn't run Windows. Funny, that.
>
> (And before you mention the current worm infecting Linux apache sites,
> that's also caused by bad design, not a problem that requires
> hardware to fix.)
>
> > And if the virus infected the banking client software
> > itself, that would change its hash which would keep it from being able
> > to access the data.
>
> There are patches to NetBSD that happily prevent a program that does
> not have a particular hash from executing, and similar code for
> several other OSes I've seen. We need no hardware to do this. On the
> other hand, who needs hash functions when an ordinary user can't alter
> the executable because he doesn't have permissions?
>
> I know this is a new concept to windows users -- I had to give my CFO
> admin privs on his XP box because Quickbooks refused to run otherwise
> -- but it is indeed possible to work on a machine where you don't have
> the right to write every file on the system.
>
> In any case, all of this is silly. Palladium is no more likely to be
> bugless than the OS. If you break it, why is that less damaging than
> breaking the OS?
>
> > Contrary to Niels Ferguson's comments, these kinds of applications
> > are far from silly.
>
> I disagree. This is all like saying you need a rifle to shoot
> cockroaches when swatting them with a shoe does fine and using poison
> traps works even better. Using a rifle for the application is indeed
> silly.
>
> > The next Nimda could empty your bank account and transfer its entire
> > contents irreversibly to an overseas server.
>
> Not under US law it couldn't. You could just have the transfer
> reversed as fraudulent.
>
> Beyond that, though, there is the little detail that Nimda and Klez
> etc. are only possible because Windows is so poorly designed. I can't
> GET an email virus, because my machine doesn't have those sorts of
> design flaws. (It has plenty of others, but email viruses aren't a
> problem for me.)
>
> No, it appears to me that the only real excuse for Palladium is to
> allow third parties to take control of hardware I own to prevent me
> from using it the way that I want to. I don't need it to keep my bank
> account safe.
>
> --
> Perry E. Metzger [EMAIL PROTECTED]
> --
> "Ask not what your country can force other people to do for you..."
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
> ---------------------------------------------------------------------
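The "secure vault" behaviour the quoted exchange argues about, as an added toy illustration (not code from the thread and not Palladium's actual design; the client bytes, the per-machine root key and the HMAC-based key derivation are constructed assumptions): a secret is sealed under the hash of the program allowed to read it, so a client that has been patched hashes differently and cannot unseal it.

```python
"""Toy model of sealed storage bound to code identity (added example).

The vault derives the sealing key from the hash of the calling program,
so a modified client cannot recover the secret. Standard library only;
the keystream is a hash-based stand-in for a real cipher, not for reuse.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a banking client's executable image.
BANKING_CLIENT = b"\x7fELF...banking-client-v1.0..."
# Constructed per-machine secret that never leaves the 'vault'.
VAULT_ROOT_KEY = b"constructed-per-machine-root-key"


def code_identity(program: bytes) -> bytes:
    """A program's identity is the hash of its bytes (its 'measurement')."""
    return hashlib.sha256(program).digest()


def _derive_key(program: bytes) -> bytes:
    # Sealing key depends on both the machine root key and the caller's identity.
    return hmac.new(VAULT_ROOT_KEY, code_identity(program), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA-256 blocks (toy construction).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, program: bytes) -> bytes:
    """Encrypt and authenticate `secret` so that only `program` can unseal it."""
    key = _derive_key(program)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, program: bytes):
    """Return the secret, or None if `program` is not the identity it was sealed to."""
    key = _derive_key(program)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong caller identity or tampered blob: fail closed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```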