Vulnerability Development mailing list archives
Re: Newbie in Jeopardy
From: nimrod () MAIL FINJAN COM (Nimrod Vered)
Date: Sat, 9 Oct 1999 09:51:21 +0200
Mia,

You are absolutely right about not trusting signed applets. The problem w/ those signatures is that they are given w/out looking at the source code itself. Not to mention the fact that there are some cool certifications available on several hackers' web sites. All you have to do is download the certification and sign your applet w/ it.

In this particular case (Sony.com) it seems that it is a legit certification, but can Sony guarantee that no disgruntled employee has entered his payload into this signed applet?

My advice to you is don't run Mobile Code w/out a run-time monitoring solution on your desktop.

Nimrod (www.finjan.com)

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Me Uh, K.
Sent: Wednesday, October 06, 1999 22:28
To: VULN-DEV () SECURITYFOCUS COM
Subject: Newbie in Jeopardy

from our FAQ: (http://securityfocus.com/forums/vuln-dev/intro.html)

<quote>
The VULN-DEV list exists to allow people to report potential or undeveloped holes. The idea is to help people who lack expertise, time, or information about how to research a hole do so.
</quote>

I am all of those things, so I don't know if this is really a <potential> hole that should be reported. (But that's why lists are moderated by people who know more than me, isn't it? :)

Anyway - trying to play multi-player Jeopardy on Sony's game site (http://station.sony.com) requires that you grant their applet 2 separate High Risk Security privileges (both signed by Sony's certificates, validated by Verisign):

  Reading, modification or deletion of any of your files
  -AND-
  Contacting and Connecting with other Computers over a network

Now, I've got NO experience with security, but it seems to me that this could be a seriously bad combination, that could lead to total compromise of your machine, if say, Sony's network wasn't as well-organized as they'd like to believe.

(And to think Dad said that nothing bad could ever come of Jeopardy :)

Suggestions/advice/etc. on how I can investigate this potential security risk? Am I wasting my time? (Obviously, in and of itself, the security of Sony's video games is not particularly important, but I figure it's a great learning experience, and would make a fabulous tutorial regarding Java security analysis.)

-mia k. (who just wants to waste her lunch hour spouting phrases like 'What is the South Nile Delta' without having to worry about having her computer explode)
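Nimrod's point is that a valid signature only tells you who signed the JAR, not what the code does, and a JAR can also carry entries the signer never covered. The following is an added example (not from either poster or from Sony): it opens an applet JAR with signature verification enabled, reads every code entry so the JVM checks its digest, and confirms each entry is signed by the expected certificate subject. The JAR path and the subject DN are placeholder assumptions; a passing audit still says nothing about whether the signed code is benign.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class AppletSignatureAudit {

    /**
     * Returns true only if every non-metadata entry in the JAR is signed
     * by a certificate whose subject DN equals expectedSubjectDn.
     * Any entry whose digest does not match its signature makes the read
     * throw SecurityException, which we report as a failed audit.
     */
    public static boolean allEntriesSignedBy(String jarPath, String expectedSubjectDn) throws Exception {
        // verify=true: the JVM checks META-INF signature files while entries are read
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only populated after the entry has been fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume to trigger digest check */ }
                } catch (SecurityException tampered) {
                    System.out.println("TAMPERED: " + entry.getName() + " (" + tampered.getMessage() + ")");
                    return false;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {            // an unsigned class slipped into a "signed" JAR
                    System.out.println("UNSIGNED: " + entry.getName());
                    return false;
                }
                boolean expectedSignerPresent = false;
                for (CodeSigner signer : signers) {
                    X509Certificate leaf = (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    if (leaf.getSubjectX500Principal().getName().equals(expectedSubjectDn)) expectedSignerPresent = true;
                }
                if (!expectedSignerPresent) {
                    System.out.println("WRONG SIGNER: " + entry.getName());
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with the downloaded applet JAR and the DN shown in the trust dialog.
        String jar = args.length > 0 ? args[0] : "jeopardy-applet.jar";
        String dn = args.length > 1 ? args[1] : "CN=PLACEHOLDER-SIGNER,O=PLACEHOLDER-ORG,C=US";
        System.out.println(allEntriesSignedBy(jar, dn) ? "all entries signed by expected signer" : "audit FAILED");
    }
}
```

The subject DN must be compared in RFC 2253 form as returned by `getName()`; a certificate chain that validates to a trusted CA is still only as trustworthy as the private key behind the signer, which is the weakness Nimrod describes.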