Interesting People mailing list archives
more on It seems that even "secure" financial transactions with Internet Explorer aren't safe
From: David Farber <dave () farber net>
Date: Tue, 06 Jul 2004 20:00:53 -0400
Begin forwarded message:

Resent-From: dfarber+ () ux13 sp cs cmu edu
From: Brad Templeton <btm () templetons com>
Date: July 6, 2004 3:04:32 PM EDT
Resent-To: dfarber () cmu edu
To: dave () farber net
Cc: capek () us ibm com
Subject: Re: [IP] more on It seems that even "secure" financial transactions with Internet Explorer aren't safe
On Tue, Jul 06, 2004 at 11:27:00AM -0400, dave () farber net wrote:
safe. Only Ken Thompson's "Don't trust any software that wasn't ENTIRELY created by someone you trust" (my paraphrase) dictum is worth anything. And that's a hard thing to do in practice, of course.
Even capitalizing "ENTIRELY" in that statement is not enough. Thompson wrote early on of the ability to modify the compiler or operating system that somebody you trust uses to insert trojan code in a way that's very difficult to detect. Thompson modified the compiler so that it would insert the trojan every time it compiled itself, and the source code to the trojan would not appear in the released compiler source, nor in the source of programs it was modifying to compromise security.

The truth is today, there are very few places you couldn't compromise with a dedicated effort and a little money. And you might have a lot of money available to you if the prize is worth a lot (access to financial passwords, company secrets, control of voting machines.)

It's possible, but very difficult to remain immune to those attacks, and next to impossible if you have to worry about insiders trying to play games with you. Every person at your company who installs software on an OS with any insecurities (and that includes all of them, not just Windows) must confirm with digital signature techniques involving signatures that came over independent and uncompromised channels that the software is clean, and that the people who gave it to you followed the same level of hygiene.

But who doesn't download and install software today? Very few of us.