On Fri, 19 Nov 1999, Per Gustav Ousdal wrote:
> Yes, lot's of positive sides to self utdating too, I suppose :/ Also, I
> guess that one could argue that redirection is possible regardless of
> wether the software update process is automated or not. So the security
> implications of an automated process is really just that: That it is
> automated and thus could work as a sort of backdoor. The real security
> problem is how the internet works (limitations of TCP/IP, Bind, etc): No
> way of guaranteing that when I request www.somewhere.com, that this is
> where I'll end up. Correct?
>
> They are addressing this in IP/NG, are they not?
IPv6 has some optional mechanisms to address this. More important in the
short- to mid-term is DNSSEC. Followed rather quickly by some sort of PKI.
> > The problem is that it's possible to write HTTP-enabled software that
> > bypasses such controls. The end-user perhaps won't even be aware of the
> > fact.
>
> I C :/ Is it possible to explain why/how?
Sure, the easiest way is to send the data in an image format. Looks from
the logs like someone viewing a Web page. Add things like steganography
for hiding data in images and you can get quite creative.
> > Given the traffic/bandwidth requirements of the future, this is going to
> > be a losing game with streaming media. I'd prefer to look at things that
> > will work for the next several years, not just a few months.
>
> Well, in that case: Has it ever occured to you that you might be in the
> wrong business? ;) Just kidding, I see your point. Still think it is
It occurs to me every day - but someone's got to do it, and I'd rather it was
someone with my level of paranoia, even if it is a doomed holding action.
> important to do what we can to limit the threats.
>
> Any ideas for a real solution?
Several, but they're not (a) easy, (b) quick, or (c) likely to be adopted.
My mid-term fix is to move my infrastructure to machines that have a more
serious TCB than general-purpose operating systems. For Linux, I'm
looking at protection models in RSBAC (http://www.rsbac.de/) and trying to
help advocate/steer development in ways that I find "good." If I can
raise the bar on Web sites, name servers and key servers, then I've done
some good.
> > > I'd really like to see a (at least partially) solution here, since there
> > > seems to be no end to this type of virus these days.
> >
> > The solution is office applications that don't execute foreign content.
>
> Yes. Is that practical/possible in todays world?
Practical? Certainly. Possible? Definitely. Going to happen?
Probably not.
> The MS dominance a threat to security?
Unfortunately for viruses definitely :( Pitty too, because out of any
company in the world, they have the oppertunity to raise the bar both in
application and OS security.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
