At 1:57 PM +0100 4/6/06, Dinis Cruz wrote: >> At least one aspect of that is a design defect in TCP/IP, allowing >> unprivileged users to create a port to receive inbound connections.
> If an application is a File Compression utility, then there is no reason >why it should have access to the TCP stack. And if they do need access to >it (for example to check for updates), then those exceptions should be >very well controlled and monitored. The problem then, is how to prevent an unprivileged user from setting up a File Compression utility to access TCP and establish a port to which an incoming connection can be made without authentication. This is back to the issue of which programs can be trusted -- and the answer to that should be _not_ programs provided by an unprivileged user. -- Larry Kilgallen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
