On Wed, Feb 25, 2015 at 8:59 AM, Peter Kurrasch <[email protected]> wrote:
> I'm not sure I totally follow here because informed consent requires the
> ability to inform, and I don't think we have that yet.
>
> The way any attacker operates is to find gaps in a system and make use of
> them. In my questions I'm trying the same approach: what are some gaps in
> the Komodia solution and how might we exploit them ourselves?

There are multiple problems here. One of them is that what is obvious to folk in the PKI community is not necessarily obvious to folk in the Anti-Virus community. Another problem is that following the advice given out by Harvard Business School and setting up separate arm's-length companies to work on speculative 'disruptive' products means that they are operating without the usual QA processes you would expect of a larger company.

I don't want to get into specifics at this point. We can do finger-pointing and blamestorming but what we really need is a solution.

I think informed consent is a major part of the problem. Malware and crapware are a real problem. My problem with what Lenovo did isn't just that the code they installed had bugs, it is that they installed the stuff at all. If I pay $1,000 for a laptop, I do not expect the manufacturer to fill the inside of the case with manure. It is clearly worse if the manure carries a disease but the solution to the problem is to not ship the manure at all rather than trying to pasteurize it.

So one part of the solution here is the Windows Signature edition program which guarantees customers the crapware-free computer they paid for.

Fixing the AV hole is harder. The problem as the Anti-Virus people see it is how to scan data for potentially harmful content, whether it is mail or documents or web pages. The AV world regards itself as being a part of the trusted computing base and thus entitled to have full access to all data in unencrypted form. AV code has from the start had a habit of hooking operating system routines at a very low level and taking over the machine.
Now we in the PKI world have a rather different view here. We see the root store as being the core of the trusted computing base and that the 'user' should be the only party making changes. We do not accept the excuse that an AV product is well intentioned. However, recall that it was Symantec that bought VeriSign, not the other way round. We don't necessarily have the leverage here.

The fundamental changeable aspect of the current model for managing the root store is the lack of accountability or provenance. As a user I have tools that tell me what roots are in the store but I have no idea how they got there. On the Windows store (which I am most familiar with), I don't have any way to distinguish between roots from the Microsoft program and those added by programs.

One quick fix here would be for all trust root managers to use the CTL mechanism defined by Microsoft (and pretty much a de facto standard) to specify the trusted roots in their program, thus enabling people to write tools that would make it easy to see that this version of Firefox has the 200+ keys from the program plus these other five that are not in the program.

Right now it takes a great deal of expertise to even tell if a machine has been jiggered or not. That is the first step to knowing if the jiggering is malicious or not and done competently or not.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
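One way to build the comparison the message above proposes, as an added example that is not code from the thread, from Mozilla or from Microsoft. It assumes the program publishes its roots as SHA-256 fingerprints and that the installed store can be exported as a PEM bundle; the sample certificates below are constructed placeholders whose bodies are not real certificates.

```python
"""Flag roots in a trust store that are not in a published program list.

Added example (not code from the thread or any vendor). Input is a PEM
bundle exported from a root store plus the SHA-256 fingerprints of the
roots a program such as Microsoft's or Mozilla's ships. The sample cert
bodies are constructed placeholders; only their fingerprints matter.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle: str) -> dict:
    """Map SHA-256 fingerprint (upper-case hex) to DER bytes for each cert."""
    out = {}
    for m in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode("".join(m.group(1).split()))
        out[hashlib.sha256(der).hexdigest().upper()] = der
    return out


def classify_roots(store_pem: str, program_fps: set) -> dict:
    """Split installed roots into program roots, roots of unknown provenance,
    and program roots that are missing from the store."""
    installed = fingerprints(store_pem)
    return {
        "program": sorted(fp for fp in installed if fp in program_fps),
        "unknown": sorted(fp for fp in installed if fp not in program_fps),
        "missing": sorted(program_fps - set(installed)),
    }


def _pem(body: bytes) -> str:
    """Wrap constructed bytes in PEM armour (sample input only)."""
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed sample: three roots installed, two of them in the program list.
SAMPLE_STORE = _pem(b"constructed root A") + _pem(b"constructed root B") + _pem(b"constructed root C")
PROGRAM_LIST = {hashlib.sha256(b).hexdigest().upper()
                for b in (b"constructed root A", b"constructed root B")}

if __name__ == "__main__":
    for kind, fps in classify_roots(SAMPLE_STORE, PROGRAM_LIST).items():
        print(kind, fps)
```

Roots reported as "unknown" are the ones that need a provenance check against the installer or vendor that added them.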

