Interesting People mailing list archives

more on It seems that even "secure" financial transactions with Internet Explorer aren't safe


From: David Farber <dave () farber net>
Date: Tue, 06 Jul 2004 20:00:53 -0400



Begin forwarded message:

Resent-From: dfarber+ () ux13 sp cs cmu edu
From: Brad Templeton <btm () templetons com>
Date: July 6, 2004 3:04:32 PM EDT
Resent-To: dfarber () cmu edu
To: dave () farber net
Cc: capek () us ibm com
Subject: Re: [IP] more on It seems that even "secure" financial transactions with Internet Explorer aren't safe

On Tue, Jul 06, 2004 at 11:27:00AM -0400, dave () farber net wrote:
> safe. Only Ken Thompson's "Don't trust any software that wasn't ENTIRELY
> created by someone you trust" (my paraphrase) dictum is worth anything.
> And that's a hard thing to do in practice, of course.


Even capitalizing "ENTIRELY" in that statement is not enough.  Thompson
wrote early on of the ability to modify the compiler or operating
system that somebody you trust uses to insert trojan code in a way
that's very difficult to detect.   Thompson modified the compiler so
that it would insert the trojan every time it compiled itself, and
the source code to the trojan would not appear in the released compiler
source, nor in the source of programs it was modifying to compromise
security.

The truth is today, there are very few places you couldn't compromise
with a dedicated effort and a little money.  And you might have a lot
of money available to you if the prize is worth a lot (access to
financial passwords, company secrets, control of voting machines.)

It's possible, but very difficult, to remain immune to those attacks,
and next to impossible if you have to worry about insiders trying
to play games with you.  Every person at your company who installs
software on an OS with any insecurities (and that includes all of
them, not just Windows) must confirm with digital signature techniques,
involving signatures that came over independent and uncompromised
channels, that the software is clean, and that the people who gave it
to you followed the same level of hygiene.

But who doesn't download and install software today? Very few of us.

-------------------------------------

Archives at: http://www.interesting-people.org/archives/interesting-people/


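To make the compiler attack Templeton describes, and one way to detect it, concrete, here is an added toy model in Python; it is not code from the original post, from Thompson, or from any real compiler. Compilers and programs are plain strings, "compiling" is a trivial transform, and the check implemented is Diverse Double-Compiling as described by David A. Wheeler; every name and value below is constructed for illustration.

```python
"""Toy model of the "trusting trust" compiler trojan and of Diverse
Double-Compiling (DDC), the detection check David A. Wheeler proposed.
Compilers and programs are plain strings and "compiling" is a trivial
string transform; everything here is constructed for illustration."""

COMPILER_SRC = "Compiler: emit lowercase"   # constructed clean, reviewable source
LOGIN_SRC = "Login: check password"         # constructed program the trojan targets
TROJAN = "+trojan"                          # marker standing in for hidden code
BACKDOOR = "+backdoor"


def run_compiler(compiler_bin: str, source: str) -> str:
    """Execute a compiler binary on source and return the output binary.

    An honest binary just lowercases the source. A binary carrying the
    TROJAN marker does the same, but when it recognises that it is
    compiling the compiler it re-inserts the trojan, and when it recognises
    the login program it inserts a backdoor. The source never shows either,
    which is why reading the source alone cannot find this."""
    output = source.lower()
    if TROJAN in compiler_bin:
        if source == COMPILER_SRC:
            output += TROJAN
        elif source == LOGIN_SRC:
            output += BACKDOOR
    return output


def self_compile(compiler_bin: str, compiler_src: str) -> str:
    """Bootstrap twice: compile the compiler, then let the result compile it again."""
    stage1 = run_compiler(compiler_bin, compiler_src)
    return run_compiler(stage1, compiler_src)


def ddc_check(compiler_src: str, suspect_bin: str, trusted_bin: str) -> bool:
    """Diverse double-compiling: if the suspect compiler is honest, its
    self-compiled result must equal the result of bootstrapping the same
    source with an independent, trusted compiler. A mismatch means the
    suspect binary added something the source does not contain."""
    return self_compile(suspect_bin, compiler_src) == self_compile(trusted_bin, compiler_src)


HONEST_BIN = COMPILER_SRC.lower()                  # what the clean source should build to
TROJANED_BIN = HONEST_BIN + TROJAN                 # constructed: binary carrying hidden code
TRUSTED_BIN = "independent trusted compiler"       # constructed: a second, honest toolchain
```

Note that the trojaned binary rebuilds itself unchanged from the clean source, so a single self-compilation proves nothing; only the comparison against an independently bootstrapped result exposes it.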