[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and ScottSmith of Johns Hopkins)

Marc Stiegler marcs@skyhunter.com
Wed, 3 Jan 2001 09:14:06 -0700


Software signed by Microsoft is more trustworthy than unsigned apps that
appear in your email inbox. Software signed by Marc Stiegler is more
trustworthy than software signed by Microsoft--I do not have 3000 employees
writing code that I cannot check personally (which resulted in the trojan
horse in a Microsoft DLL last year). Most of the people in the world,
however, unaware of Marc Stiegler's trustworthiness, would trust Marc
Stiegler software arriving at random in their inbox less than they trust
software signed by Microsoft, despite the inferior trustworthiness of
Microsoft code. Therefore, Marc Stiegler trustworthy software would be
forced to run under stricter security than would Microsoft software, just as
untrustworthy unsigned software would be forced to run under stricter
security. So the security goes down as the local guess of trustworthiness of
the signature goes up, which in turn goes up and down independently of the
actual trustworthiness.

Security is about ensuring what can't happen. Local guesses about
trustworthiness, reflected in signing, is about the security failures you're
willing to let slide :-)

Humanity is very very fortunate that signing hasn't caught on. Signing might
slightly reduce the occurrence of "script kiddies". It would be the dream
machine, however, for professional crackers interested in acquiring quiet,
invisible machine control. By luring people into a false sense of "security"
with signatures, they would be able to compromise more machines more easily.
And of course, once they'd compromised a machine, they could start using the
signature of the person who owned the machine to compromise others--this is
the strongly-authenticated version of the Love Bug :-)

--marcs


----- Original Message -----
From: Ken Kahn <KenKahn@ToonTalk.com>
To: Marc Stiegler <marcs@skyhunter.com>; Scott Smith <scott@cs.jhu.edu>;
Mark S. Miller <markm@caplet.com>
Cc: <e-lang@mail.eros-os.org>
Sent: Tuesday, January 02, 2001 9:39 PM
Subject: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and
ScottSmith of Johns Hopkins)


> From: Marc Stiegler <marcs@skyhunter.com>
> >
> > Lastly, I do hope everyone understands that the ability to "sign"
applets
> > and applications has nothing to do with security. Signing apps is what
> > marketing people propose when technical people explain that real
security
> is
> > not possible; it allows the tool developer to blame the victim when a
> signed
> > app engages in malicious action (hey, the victim authorized the app,
> didn't
> > he? It's his own fault).
> >
>
> I guess I don't understand. When I accept something signed by say
Microsoft,
> then unless the key used to sign it was stolen and not revoked then I can
> trust it as much as a CD-ROM I bought from Microsoft. While that may not
be
> enough security for some purposes or contexts, to me that is a lot more
> security than if I run some unsigned code.
>
> Maybe it would even be possible to successfully sue the signer of the app
if
> it engages in malicious action.
>
> Best,
>
> -ken
>