Secure Coding mailing list archives

Re: Hypothetical design question


From: "Paco Hope" <bhope () cigital com>
Date: Thu, 29 Jan 2004 22:18:33 +0000

On 1/29/04 11:29 AM, "David A. Wheeler" <[EMAIL PROTECTED]> wrote:
> If someone has a wonderful executable they need me to run, they can place
> it on a web site.  I now know that at least they can control that web site,
> which is a much better proof of identity than a maybe-spoofed email.

Sigh. It's hardly an indication that the code is worth executing or that
they control any web site.  I can go register securecoding.net (which
appears to be available right now), and go put my favorite virus up for you
to download. I can even buy a valid SSL certificate for that domain so that
you'll be downloading it over a 'secure' connection. Then I'll forge an
email message that appears to be from "Ken van Wyk" (sorry, Ken :) that says
"here's a mock-up of my new email client. Go download it from my
securecoding.net web site."  So what? I'm still executing arbitrary code on
your machine. Authenticity of web sites is no better than authenticity of
email.

If you fall back to an argument about the author's identity and/or code
signing, that still doesn't help you.  Such systems merely help identify who
wrote the buggy code.  They don't stop signed, authenticated buggy code from
doing bad things. The last thing you'll see before my attack program
reformats your hard drive is "Valid signature from Paco Hope..."

Authenticity of code origin does not have any relationship to quality or
purpose of code.

> I can talk to them to ensure that the executable is okay, I can wait and
> execute it later, the executable can be removed from the site if it's
> malicious, and so on.  Yes, that's still vulnerable, and sandboxing
> the executable as well is a good idea, but that lowers risks far
> better than thinking that emailed executables were ever a good idea.

I suppose I agree, but now you're using out-of-band mechanisms to learn
about the author's identity. That is, if he responds to your query on his
known email address, and if he responds to your phone call on the phone
number you know, and if his voice sounds like his voice as you remember it,
then for some reason the code he's trying to send you is worth running.  I
don't buy it as a "methodology." It can't scale and it is easily
circumvented.

Paco
-- 
Paco Hope
Senior Software Security Consultant
Cigital, Inc. http://www.cigital.com/
[EMAIL PROTECTED] -- +1.703.404.5769
