On 3/27/06, Pavel Kankovsky <peak_at_argo.troja.mff.cuni.cz> wrote:
> On Mon, 27 Mar 2006, Brian Eaton wrote:
>
> > I wasn't sure if Windows actually supported mandatory access controls,
> > so I poked around on Microsoft's web site a bit. Yes, Windows
> > supports MAC.
>
> MS Windows does not support MAC. Its future version (i.e. Vista) might
> support some half-baked (*) pseudo-MAC.
Thanks for the info. I'm not a windows expert by any mean, just going
by what I read on their web site. ;-)
> > In his original note, Dinis raised a good point: even a restricted
> > browser has access to all kinds of sensitive personal information,
> > such as passwords to web sites. MAC would not prevent an exploit from
> > stealing that kind of data.
>
> Nonsense. MAC was invented by soldiers and spooks to protect
> confidentiality. (The use of MAC to protect integrity is, in fact, an
> afterthought.)
>
> Properly implemented and configured MAC can prevent the leakage of
> confidential (i.e. sensitive personal) information to (unauthorized) web
> sites.
You lost me here. How would you design a MAC policy that lets firefox
remember my password for a web site, but doesn't let arbitrary code
running via a buffer overflow get at that same password?
Regards,
Brian
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 27 2006
Intro
