Full Disclosure mailing list archives

Re: Call for discussion


From: Szilveszter Adam <adam () hif hu>
Date: Wed, 06 Aug 2003 09:07:58 +0200

Jason Coombs wrote:
A closed source database application offering known good hashes and forensic
details of files published by vendors... These people are headed in a positive
direction, but the closed source part bothers me for some reason.

<...huge snip...>

Of course I was not surprised to see that Tripwire Inc was behind this initiative. It could really boost use of their technology and give it a higher profile in general.

But as I come to think of it, this idea seems less and less feasible to me. The problems as I see them are:

- You would need to include a *huge* number of files for this database to be a meaningful resource. Just look at how many files there are, e.g. in an average software package. All of them need to be added to the database, and when a new version comes out, you have to do it again. How long are you going to keep the info? Ideally, it should be held close to infinitely, since no one can tell when a particular version is no longer used anywhere. The database technology would need to be very efficient to be able to quickly give you results, since verification times must be as short as possible etc.

- While this approach may function somewhat with closed-source software whose vendors agree to directly forward the relevant info to the database, it will not work well for other closed source software, since there is no known-good baseline to work from. There were cases when a vendor's distribution medium was infected with a virus for example. So simply saying "this must be good, it came on the official CD" is not enough.

- In the open-source world, this approach would not work at all. While closed-source software only has a limited number of publicly available versions, with open source, you can have as many as there are users. Therefore, the only method in this case is to use a *local* repository to store your own hashes (the quoted text hints at this when talking about "appliances") but this is already possible today and nothing new.

- Generally, accessing this database for checking of authenticity over the Internet (if offered) is problematic (not to mention the ability to add new hashes to it, where the security implications are so grave that I dare not speculate about them) since there is no really good way to make sure that the results you get are really authentic, and safe from tampering. This may be solved when the database is local and under your control. But again, this is something that already exists.

- Is it just me, or while people seem to be kicking and screaming about how NGSCB/TCPA will limit their freedoms and make them dependent on outside influence for their systems to work, this proposed system would meet no resistance from the same people? Sure, there would be no obligation to use it, but you had better do so, if you wanna be "secure", right?...

Just my HUF 0.02...

Regards
Sz.
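The local hash repository the post says "already exists today", as an added example (not code from the post, from Tripwire or from the proposed database): files are hashed into a manifest, the manifest carries an HMAC so a manifest rewritten without the key is rejected rather than trusted, and verification reports modified or unexpected files. The key, file names and directory layout are constructed assumptions.

```python
import hashlib, hmac, json, os, tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def walk_files(root):
    # Relative paths of every file under root (the "local repository" scope).
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.relpath(os.path.join(dirpath, name), root)

def build_baseline(root, key):
    # Hash every file into a manifest and HMAC it, so rewriting the manifest
    # without the key is detected. The key is an assumption; keep it offline.
    body = json.dumps({rel: file_sha256(os.path.join(root, rel))
                       for rel in walk_files(root)}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify(root, baseline, key):
    # Returns (manifest_authentic, sorted list of files deviating from it).
    expect = hmac.new(key, baseline["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, baseline["tag"]):
        return False, []          # do not trust any result from a forged manifest
    entries = json.loads(baseline["body"])
    current = set(walk_files(root))
    changed = [r for r, d in entries.items()
               if r not in current or file_sha256(os.path.join(root, r)) != d]
    changed += [r for r in current if r not in entries]  # unexpected new files
    return True, sorted(changed)

def demo():
    # Constructed scenario: file baselined, then replaced, then manifest forged without the key.
    key = b"constructed-demo-key"
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "app.bin"), "wb") as f:
        f.write(b"known good build")
    base = build_baseline(root, key)
    clean = verify(root, base, key)
    with open(os.path.join(root, "app.bin"), "wb") as f:
        f.write(b"replaced build")
    modified = verify(root, base, key)
    forged = dict(base, body=json.dumps(
        {"app.bin": file_sha256(os.path.join(root, "app.bin"))}))
    return {"clean": clean, "modified": modified, "forged": verify(root, forged, key)}
```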

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
