On 08/25/2013 08:32 PM, Jerry Leichter wrote:
> Where mail servers have gotten into trouble is when they've tried to provide additional services - e.g., virus scanners, which then try to look inside of complex formats like zip files. This is exactly the kind of thing you want to avoid - another part of the "mission creep" that we tend to see in anything that runs on a general-purpose computer.
Absolutely agreed; the most reliable things are the least complex.

> That's 20th century thinking: The computer is expensive, keep it busy. Twenty-first century thinking should be: The computer is cheap - leave it alone to do its job securely.
My thinking is more like: The computer has a multitasking OS. Whatever else it needs to be doing will be in another process. So you lose nothing if you keep each process simple. Or, if it's a single-purpose box intended to provide security, don't dilute its purpose. Keep it simple enough that even installations of it in the wild, after unknown handling and in all possible configurations, can be unambiguously, easily, and exhaustively tested so you know they're doing exactly what they should be and no more.
> Realistically, it will be impossible to get little appliances like this patched on a regular basis - how many people patch their WiFi routers today? - so better to design on the assumption there won't be any patches.
Also agreed; online patches are the number one distribution vector of malware that such a device would need to be worried about, firstly because whoever can issue such a patch is a central point of control/failure and can be coerced. So send it out with an absolutely sealed kernel.

Bear

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography