rvj wrote:
>
> >As for detecting subsequent
> > tampering on your own machine, there's no way (that I know of) for a
> > remote attacker to modify code on your machine
>
> I was thinking of in-house tampering - possibly modifying scripts etc - I
> think there is real likely hood of this.
>
> If say a package is installed as a JAR then I would have thought that that
> the installer program could at least keep its byte count in say the
> component registry
>
> When the Mozilla starts the package Mozilla could at least check the byte
> count of the file against value in the component registry.
Yes, but anything that has access to replace or modify the component could
presumably also modify the component registry to match. Or, as Mitch
suggested, could replace the code that does component verification with a
work-alike that ignores differences.
Once someone has access to change things on your machine the game is over.
-Dan Veditz
