Firewall Wizards: RE: signing applets a solution? Never!

RE: signing applets a solution? Never!

From: Hal <hal_at_mrj.com>
Date: Fri, 12 Dec 1997 11:57:38 -0500

I took some time to read the paper you referenced. Yes, there are infinite sources of cleverness and clever people. NCSC strove to perfect a clean environment carefully closing each avenue by which a trojan horse might be introduced. A perfect example of deconstructionism and it failed. Too expensive, formal proofs-of-security not up to the job, administration, a nightmare. So then what's left? Industry is simply moving ahead gates ajar!

I heard recently about a large military think tank which had forbidden any applets at all except ones that they had checked out and cached internally. Nothing directly from outside. This worked for about a month and was dropped. Their users wouldn't put up with it. So they decided to take the risk, roll the dice, (whatever metaphor you like) and hope (or trust) that they weren't going to get whacked. Still they search for a solution as do we all.

BTW (I don't remember the study title Thompson asked about but I do remember that the trojan horse was carefully disguised as a microcode fix. It was packaged exactly as other routine patches, even to the extent of reproducing exact matches of internal company control forms and wrapping. The package was "placed" into the on-site Customer Engineer's in-basket who then installed it in the target Multics. Very neat.)

----------
From: Pauline van Winsen - Uniq Professional Services[SMTP:Pauline.van.Winsen_at_uniq.com.au]
Reply To: Pauline van Winsen - Uniq Professional Services
Sent: Thursday, December 11, 1997 7:41 PM
To: darrenr_at_cyber.com.au; jk_at_stallion.ee
Cc: firewall-wizards_at_nfr.net
Subject: Re: signing applets a solution? Never!

>
> When talking about security of binary products, I believe it is hard to
> believe that programmers do not sometimes program backdoors into their
> programs. It probably depends on the software company, but in many places
> it should be fairly easy to put something into the code without company or
> fellow programmers finding out about it.

& for a classic example check out:

http://www.cs.umsl.edu/~sanjiv/sys_sec/security/thompson/hack.html

one of my all time favourite security papers.

cheers,
pauline

Pauline van Winsen pauline_at_uniq.com.au
Uniq Professional Services Pty Ltd www.uniq.com.au
PO Box 70, Paddington, NSW 2021, (Sydney) Australia
Phone: +61-2-9380-6360 Fax: +61-2-9380-6416 Pager: 016 287 000
"You'll need a dress for dancing. Unless you're going steady with
someone in the Diplomatic Corps, you won't really need a full-length
ball gown."
   Fashion Sense - The Single Woman - Book 2, Woman's World, circa 1964.
Received on Dec 13 1997
