Firewall Wizards mailing list archives

Re: signing applets a solution? Never!


From: Darren Reed <darrenr () cyber com au>
Date: Tue, 9 Dec 1997 10:44:18 +1100 (EST)

In some mail I received from Marcus J. Ranum, sie wrote

There are proposals (W3) incorporating something like the web of trust for
an applet so you can at least see if the author is thought reliable by
someone you trust to say so. 

Applets are a subset of the whole problem of trusting the source
of any application. Why should people be more worried about
running an applet than a browser plugin? Or a word processor
you bought at a store? Or Windows?

One of the things that scares me is that sooner or later someone
will hack the planet by getting a job working for some big software
vendor...

To add to the "scariness", in a local magazine article on hackers,
one hacker was quoted as his goal being to break in and get access
to source code so they could insert backdoors which only they know
about.  This wasn't your average hacker who read CERT bulletins or
bugtraq just to try to discover new holes and get into as many sites
as possible, this type seems to have purpose.  It would be stupid to
assume that this goal of getting access to source code is never
realised.

Among some of the other interesting bits and pieces, according to
the article, the seasoned hacker prefers breaking into and staying
inside a reasonably secure site as they tend to be free of the
"foot soldier" hackers and are more reliable to use as a base of
some sort.  Staying relatively invisible doesn't seem too hard for
them, it seems...

Darren


