Firewall Wizards mailing list archives
Re: signed applets a solution?
From: Bennett Todd <bet () rahul net>
Date: Thu, 18 Dec 1997 04:46:39 -0800
1997-12-18-03:06:02 Hal:
> [...] In sum, it's like the old saying: can't live with it, can live without it.
Sure, you can live without it. Easily. The only ones who can't are people like web site reviewers for Wired magazine, and truly jaded fools who have no work to do and are using their office computer as a babble box. Servicing the first customer segment is easy; just set 'em up in the DMZ. And servicing the second segment is even easier; just say ``get serviced''.
> [...] It's not always possible to enforce a policy that restricts something users don't perceive as a problem.
That's a critically important point. I agree 100%. If the user has been allowed to retain a perception that (e.g.) ``applets don't threaten the security of my organization'', then the security admin hasn't done their job. That's why I really love the super-easy-to-use exploits; my favourite way to get people with the program is to set up a sacrificial machine wherever it needs to be to demo the problem (in the case of applets, out in the DMZ); let the user log in to it; then let them run exploits. E.g. have them visit the hostile applets web site. Back in a previous generation of security worries, when crack was young and ypx was obscure, I had trouble motivating some people to schedule doing the /var/yp/securenets fix. So I wrapped crack and ypx in nice packaging, added a glue script called ``logonto'', and demonstrated ``logonto machinename'' doing exactly that --- stealing a copy of the passwd map, successfully cracking it, and logging on with the first account crack popped out. Suddenly securenets was a priority and crack was in use. If the users don't know any better, the security admin needs to start doing their job.

-Bennett
Current thread:
- RE: signed applets a solution? Hal (Dec 17)
- Re: signed applets a solution? Bennett Todd (Dec 19)