Vulnerability Development mailing list archives

Re: Newbie in Jeopardy


From: nimrod () MAIL FINJAN COM (Nimrod Vered)
Date: Sat, 9 Oct 1999 09:51:21 +0200


Mia,

You are absolutely right about not trusting signed applets. The problem with
those signatures is that they are given without looking at the source code
itself. Not to mention the fact that there are some cool certifications
available on several hackers' web sites. All you have to do is download the
certification and sign your applet with it.

In this particular case (Sony.com) it seems that it is a legit
certification, but can Sony guarantee that no disgruntled employee has
added his payload to this signed applet?

My advice to you is: don't run mobile code without a run-time monitoring
solution on your desktop.

Nimrod (www.finjan.com)

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Me Uh,
K.
Sent: Wednesday, October 06, 1999 22:28
To: VULN-DEV () SECURITYFOCUS COM
Subject: Newbie in Jeopardy

from our FAQ:
(http://securityfocus.com/forums/vuln-dev/intro.html)
<quote>
The VULN-DEV list exists to allow people to report
potential or undeveloped holes. The idea is to help
people who lack expertise, time, or information about
how to research a hole do so.
</quote>

I am all of those things, so I don't know if this is
really a <potential> hole that should be reported.
(but that's why lists are moderated by people who know
more than me, isn't it? :)
Anyway - trying to play multi-player Jeopardy on Sony's
game site (http://station.sony.com) requires that you
grant their applet two separate High Risk Security
privileges (both signed by Sony's certificates,
validated by Verisign):

Reading, modification or deletion of any of your files
-AND-
Contacting and Connecting with other Computers over a
network

Now, I've got NO experience with security, but it
seems to me that this could be a seriously bad
combination, that could lead to total compromise of
your machine, if say, Sony's network wasn't as
well-organized as they'd like to believe.  (And to
think Dad said that nothing bad could ever come of
Jeopardy:)
Suggestions/advice/etc. on how I can investigate this
potential security risk?
Am I wasting my time?

(obviously, in and of itself, the security of Sony's
video games is not particularly important, but I
figure it's a great learning experience, and would
make a fabulous tutorial regarding Java security
analysis)

-mia k. (who just wants to waste her lunch hour
spouting phrases like 'What is the South Nile Delta?'
without having to worry about having her computer explode)
__________________________________________________
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com
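The point both posts circle around is what a code signature on an applet actually proves: that some holder of the signing key signed exactly these bytes, and nothing about what the code will do once it holds file and network privileges. The following is an added example, not code from the thread or from Sony; it opens a signed JAR with verification turned on, forces every entry to be read (which is when the JDK checks the signature), and prints who signed each entry, flagging entries that are unsigned or whose signer does not match a pinned certificate fingerprint. The JAR path, the `JarSignerCheck` class name and the `EXPECTED_FINGERPRINT` value are assumptions for the example; the fingerprint must be obtained out of band and is a placeholder here.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Inspect who signed a JAR before deciding whether to grant it privileges.
 * Added example, not code from the thread. A valid signature proves only
 * that a holder of the signing key signed these bytes; it says nothing
 * about what the code does once it can read files and open sockets.
 */
public class JarSignerCheck {

    // Hypothetical pinned SHA-256 fingerprint of the one signer certificate
    // you have decided to trust (assumption for the example; replace with a
    // value obtained out of band, not from the JAR itself).
    static final String EXPECTED_FINGERPRINT =
        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
      + "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck applet.jar");
            System.exit(2);
        }
        boolean allSigned = true;
        boolean signerOk = true;
        // 'true' enables signature verification: a tampered entry throws
        // SecurityException while its bytes are being read.
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Directories, the manifest and the signature files under
                // META-INF/ are not themselves covered by the signature.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                try {
                    readFully(jar, entry);   // signers are known only after a full read
                } catch (SecurityException e) {
                    System.out.println("TAMPERED  " + entry.getName() + "  " + e.getMessage());
                    allSigned = false;
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED  " + entry.getName());
                    allSigned = false;
                    continue;
                }
                for (CodeSigner signer : signers) {
                    // First certificate in the path is the signer's own (leaf) cert.
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    String fp = fingerprint(leaf);
                    String subject = (leaf instanceof X509Certificate)
                        ? ((X509Certificate) leaf).getSubjectX500Principal().getName()
                        : leaf.getType();
                    System.out.println("SIGNED    " + entry.getName()
                        + "  by " + subject + "  " + fp);
                    if (!fp.equalsIgnoreCase(EXPECTED_FINGERPRINT)) {
                        signerOk = false;   // valid signature, but not the signer we pinned
                    }
                }
            }
        }
        System.out.println(allSigned && signerOk
            ? "OK: every entry signed by the pinned signer (says nothing about behaviour)"
            : "REJECT: unsigned, tampered, or unexpected signer");
        System.exit(allSigned && signerOk ? 0 : 1);
    }

    // Read and discard the entry; the JarFile verifies the digest as it goes.
    static void readFully(JarFile jar, JarEntry entry) throws Exception {
        byte[] buf = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buf) != -1) {
                // discard
            }
        }
    }

    // Colon-separated uppercase hex SHA-256 of the DER-encoded certificate.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

Compile with `javac JarSignerCheck.java` and run it against the downloaded JAR. Two caveats a practitioner should keep in mind: pinning a fingerprint deliberately sidesteps PKIX chain validation (expiry, revocation, the CA's own trust), so it answers "is this the key I expect" rather than "does a CA vouch for this key"; and an OK verdict is exactly the point the reply above makes about signatures: it tells you who signed, not whether the code is safe, so the next step is still to decompile the classes and read what they do with the file and socket privileges they ask for.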

