gboyce wrote:

<<good and correct stuff snipped>>

> Perhaps it would be a better method to try to instead verify if a system
> has been compromised, and disallow the system to use your application if
> the system is known to be compromised.

See my very recent response to exactly the same misguided suggestion from Jan Nielsen. A rather clever chap called Turing had something to say about the impossibility of this (at least, for the types of computers we are talking about).

> I'm not sure if anyone has spent any time researching the feasibility of
> third party verification of client systems. ...

Like the Trusted Computing Initiative (or whatever they call themselves these days)???

> ... Some form of required
> virus/spyware scanning before allowing a client to use a service. ...

That is _far_ from inadequate for this purpose -- see Turing...

> ... Of
> course, this may severely limit what operating systems are able to connect
> to the service.

Not necessarily. Well, the AV check suggestion might, but a properly designed and implemented "trusted computing base" style system could be CPU and OS agnostic (at least, if we can all agree up front on who we are all going to trust forever to be the gatekeepers of the TCB!).

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
