Sorry for answering so late. I've been busy reading Marcus' papers 
(http://www.clark.net/pub/mjr/pubs/)
Wow, that's really interesting stuff! Hi Marcus, sorry 'bout bothering you 'bout the 
*.ps version, finally discovered the *.pdf documents :) Didn't see them until this 
weekend, 'coz surfing on the cell phone I don't have time (money) to read www pages 
properly, but this weekend I was home and could use my parents' phone line ;) DL all 
the docs :) 

> > Yes, lots of positive sides to self updating too, I suppose :/ Also, I 
> > guess that one could argue that redirection is possible regardless of 
> > whether the software update process is automated or not. So the security 
> > implications of an automated process is really just that: That it is 
> > automated and thus could work as a sort of backdoor. The real security 
> > problem is how the internet works (limitations of TCP/IP, Bind, etc): No 
> > way of guaranteeing that when I request www.somewhere.com, that this is 
> > where I'll end up. Correct? 
> > 
> > They are addressing this in IP/NG, are they not?
> 
> IPv6 has some optional mechanisms to address this.  More important in the 
> short- to mid-term is DNSSEC.  Followed rather quickly by some sort of PKI.

OK, is there an RFC (or something) on DNSSEC? (Do you happen to know which one?) What 
is a PKI? 
 
> > > The problem is that it's possible to write HTTP-enabled software that
> > > bypasses such controls.  The end-user perhaps won't even be aware of the
> > > fact.
> >  
> > I C :/  Is it possible to explain why/how? 
> 
> Sure, the easiest way is to send the data in an image format.  Looks from 
> the logs like someone viewing a Web page.  Add things like steganography 
> for hiding data in images and you can get quite creative.

Yes, I C

> > > Given the traffic/bandwidth requirements of the future, this is going to
> > > be a losing game with streaming media.  I'd prefer to look at things that
> > > will work for the next several years, not just a few months.
> > 
> > Well, in that case: Has it ever occurred to you that you might be in the 
> > wrong business? ;) Just kidding, I see your point. Still think it is 
> 
> It occurs to me every day - but someone's got to do it, and I'd rather it was
> someone with my level of paranoia, even if it is a doomed holding action.

Probably a wise decision :)

> > important to do what we can to limit the threats. 
> > 
> > Any ideas for a real solution? 
> 
> Several, but they're not (a) easy, (b) quick, or (c) likely to be adopted.
> 
> My mid-term fix is to move my infrastructure to machines that have a more 
> serious TCB than general-purpose operating systems.  For Linux, I'm 
> looking at protection models in RSBAC (http://www.rsbac.de/) and trying to 
> help advocate/steer development in ways that I find "good."  If I can 
> raise the bar on Web sites, name servers and key servers, then I've done 
> some good.

Hmm, TCB?

> > > > I'd really like to see a (at least partially) solution here, since there 
> > > > seems to be no end to this type of virus these days.
> > > 
> > > The solution is office applications that don't execute foreign content.
> > 
> > Yes. Is that practical/possible in today's world?
> 
> Practical?  Certainly.  Possible?  Definitely.  Going to happen?  
> Probably not.

Agree. I guess I meant to ask, does such an "office suite" exist?
 
> > The MS dominance a threat to security?
> 
> Unfortunately for viruses definitely :(  Pity too, because out of any 
> company in the world, they have the opportunity to raise the bar both in 
> application and OS security.

Problem is, they don't have to: I think they can produce almost any rubbish these 
days, and it'll sell :( I get very annoyed when people talk about Bill Gates like 
this saint that made computers user-friendly (i.e. invented the GUI), thus bringing 
technology forward, yet this attitude is VERY common. What BS! I remember the first 
attempts at Windows, what a JOKE! I also remember the far superior OS (GUI) that 
existed at that time (AMIGA, Macintosh). Windows was trailing for a long time. Only 
thing Bill G. did was some "licensing magic", and change the / to \ :( He is a 
businessman, not a hacker....

Regards,

Per 


