Ken Ambrose said:
> On Fri, 23 Mar 2001, Bob Bell wrote:
> 
> > On Fri, Mar 23, 2001 at 08:26:38AM -0500, Taylor, Chris <[EMAIL PROTECTED]> wrote:
> > > Just for those of you who have not seen the bulletin, there is yet another
> > > reason to look towards Linux.
> > 
> >     My understanding is that this has nothing to do with Microsoft
> > Windows.  This will likely only affect you if you go to a website, and
> > your web browser asks you if you want to accept a certificate.  Since it
> > says "signed by Microsoft Corporation", you might be more inclined to
> > say "yes".  However, here the certificate actually belongs to a
> > third-party, and could conceivably be signing malicious code.
> 
> Well, no.  It's certainly not MS's "fault", per se, but it certainly can
> affect Windows users: frequently (especially with newer Windows versions),
> you are informed that a given software package is either not signed by a
> trusted authority (and defaults to not installing it), or that it *is*
> signed by a trusted authority, and defaults to installing.  So, as the
> CERT report said, even a reasonably technologically proficient end-user
> could be fooled and install software that they thought was trusted.
> Here's a quote from the MS page:
> 
> "The certificates could be used to sign programs, ActiveX controls, Office
> macros, and other executable content. Of these, signed ActiveX controls
> and Office macros would pose the greatest risk, because the attack
> scenarios involving them would be the most straightforward. Both ActiveX
> controls and Word documents can be delivered via either web pages or HTML
> mails. ActiveX controls can be automatically invoked via script, and Word
> documents can be automatically opened via script unless the user has
> applied the Office Document Open Confirmation Tool."
> 
> Bottom line: ouch.

And MS has been saying that with Windows XP, drivers will be signed by MS, 
so you can know you can trust them, and to protect the "rights" of RIAA et 
al (by requiring you to only have sound drivers that implement SDMI/
whatever).  Of course, this assumes you can trust who signs the keys.

> 
> -Ken
> 
> > 
> >     This is not related to MS Windows.  The error here was made by
> > VeriSign, not Microsoft, who was tricked into believing that the
> > individual who registered the certificate was an authorized Microsoft
> > employee.  The only thing that one could possibly blame Microsoft for
> > is that Internet Explorer doesn't automatically check to see if a
> > certificate has been revoked by VeriSign.  However, I'm not sure if any
> > other browsers do, either.  It may also be true that these certificates
> > are limited to ActiveX controls, but they just as well could have been
> > issued for other purposes.

Actually, it's also an indication of what's wrong with MS's security 
stance:  it's a "trust us" stance (signed code).  It's like trusting that 
the guy who shows up at your door saying he's from the phone company 
really is from the phone company, so you let him have free run of your 
house (actually, it's like giving him a key to your house, because he 
says he's from the phone company, and you should trust him!).  Every time 
the flaws in this scheme show up, MS says "don't worry, we'll get it right 
next time."

At least with Java, Sun decided on a "trust but verify" sandbox technique:
If you trust he's from the phone company, you give him access to the
phone only, and only for purposes of calling Veridon't.  Still not 
perfect, but much better.

Bottom line is to always assume anything coming into your system is 
untrusted and malicious, until verified by INSPECTION to be different.

jeff

-----------------------------------------------------------------------
Jeffry Smith      Technical Sales Consultant     Mission Critical Linux
[EMAIL PROTECTED]   phone:603.930.9739 fax:978.446.9470
-----------------------------------------------------------------------
Thought for today:  creep v. 

 To advance, grow, or multiply inexorably.  In
   hackish usage this verb has overtones of menace and silliness,
   evoking the creeping horrors of low-budget monster movies.




