
Jim McCoy wrote:
The other problem is that the proposed Authenticode system and other "signed applet" systems only provide accountability after the fact. This is little help when your hard drive is toast and the only proof you had was a logfile which was the first thing erased...
No, it's not really the accountability that's the issue. It's the ability to choose before the fact that I 'trust' the software's author.
The illusion that only "trusted software publishers" will be given blanket authorization is a pipe dream: users are sheep who will hit that "OK" dialog box as many times as necessary to get the tasty treat they are anticipating (and there is actual experimental evidence to back this up :)
Yup, point well taken. <story user=clueless>I popped into an empty user's cube last week to borrow the phone. On the monitor was a post-it note from one of his co-workers that read, 'Please write your password here:' and of course the helpful fellow had done just that.</story> With real users I suspect only centrally administered security decisions that they can't override will be effective. Hmm... wonder what I can retrofit into IE to accomplish that.
I expect that the first post-Authenticode ActiveX virus will be one to modify the signature checking routines or add additional keys to the registry which makes the second round of the attack appear to be a valid OS update from Microsoft.
Shh... we have enough kool dewds floating around here looking for ideas.
The state of the art was up to it quite a while ago. Check out KeyKOS and other OSes which use capability semantics for access control.
I agree 100%. The intent of my comments was that such security *is* possible, but it's not available in widely deployed mass-market OSes. I'd love to hear feedback to the contrary, but it seems to me that it's extremely difficult to layer that type of security onto an existing system. -Blake (who's thinking about putting crazy glue into one user's floppy drive)
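The thread argues for three things at once: that the trust decision about a publisher should be made before any code runs, that it should be made centrally and not be overridable by the user clicking "OK", and that the trust store itself must not be something an earlier payload can quietly extend with its own key. The following Go program is an added example of a verifier built on those three rules; it is not code from the thread, from Authenticode, or from any product discussed. Ed25519 stands in for the real signature scheme, the publisher names and fixed key seeds are constructed for the demo, and the administrator key is assumed to be pinned in the verifier binary rather than read from a writable store such as the registry.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// TrustStore is the centrally administered publisher allowlist:
// publisher name -> public key, plus the administrator's signature over
// the canonical encoding of that map.
type TrustStore struct {
	Publishers map[string]ed25519.PublicKey
	Signature  []byte
}

// canonical serialises the allowlist deterministically (sorted by name)
// so the administrator and the verifier sign and verify identical bytes.
func canonical(pubs map[string]ed25519.PublicKey) []byte {
	names := make([]string, 0, len(pubs))
	for n := range pubs {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "%s=%s\n", n, hex.EncodeToString(pubs[n]))
	}
	return buf.Bytes()
}

// SignStore is the administrator-side step: only the holder of the admin
// key can change who is trusted, and that decision is made in advance.
func SignStore(admin ed25519.PrivateKey, pubs map[string]ed25519.PublicKey) TrustStore {
	return TrustStore{Publishers: pubs, Signature: ed25519.Sign(admin, canonical(pubs))}
}

// Verifier pins the admin public key in code, not in a store that
// unprivileged code can write to (assumption for this example).
type Verifier struct {
	AdminKey ed25519.PublicKey
}

// ErrStoreTampered is returned when the allowlist no longer matches the
// admin signature, for example because a key was appended to it locally.
var ErrStoreTampered = errors.New("trust store does not verify against the pinned admin key")

// CheckCode decides, before anything runs, whether code claimed to be from
// `publisher` may execute. There is no "OK" dialog to fall through to.
func (v Verifier) CheckCode(store TrustStore, publisher string, code, sig []byte) error {
	if !ed25519.Verify(v.AdminKey, canonical(store.Publishers), store.Signature) {
		return ErrStoreTampered
	}
	key, ok := store.Publishers[publisher]
	if !ok {
		return fmt.Errorf("publisher %q is not in the administered allowlist", publisher)
	}
	digest := sha256.Sum256(code)
	if !ed25519.Verify(key, digest[:], sig) {
		return fmt.Errorf("code signature from %q does not verify", publisher)
	}
	return nil
}

// signCode is the publisher-side step: sign a digest of the code.
func signCode(priv ed25519.PrivateKey, code []byte) []byte {
	digest := sha256.Sum256(code)
	return ed25519.Sign(priv, digest[:])
}

// keyFromSeed derives a deterministic key from a constructed label so the
// demo is reproducible; real keys are generated from a CSPRNG.
func keyFromSeed(label string) ed25519.PrivateKey {
	h := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(h[:])
}

// DemoResult holds the outcome of the three cases the thread argues about.
type DemoResult struct {
	Listed   error // publisher the admin chose to trust in advance
	Unlisted error // publisher the admin never approved
	Tampered error // attacker appended its own key to the local store
}

// Demo runs the three cases against one pinned verifier.
func Demo() DemoResult {
	admin, vendor, rogue := keyFromSeed("admin"), keyFromSeed("vendor"), keyFromSeed("rogue")
	v := Verifier{AdminKey: admin.Public().(ed25519.PublicKey)}
	store := SignStore(admin, map[string]ed25519.PublicKey{
		"Example Vendor": vendor.Public().(ed25519.PublicKey), // constructed name
	})
	code := []byte("constructed sample control")

	var r DemoResult
	r.Listed = v.CheckCode(store, "Example Vendor", code, signCode(vendor, code))
	r.Unlisted = v.CheckCode(store, "Unknown Publisher", code, signCode(rogue, code))

	// The scenario from the thread: a first-round payload adds an extra key
	// to the local store so a later payload looks like a vendor OS update.
	// The admin signature covers the original list, so the store is rejected.
	tampered := TrustStore{Publishers: map[string]ed25519.PublicKey{}, Signature: store.Signature}
	for n, k := range store.Publishers {
		tampered.Publishers[n] = k
	}
	tampered.Publishers["Forged OS Vendor"] = rogue.Public().(ed25519.PublicKey)
	r.Tampered = v.CheckCode(tampered, "Forged OS Vendor", code, signCode(rogue, code))
	return r
}

func main() {
	r := Demo()
	fmt.Println("listed publisher:  ", r.Listed)
	fmt.Println("unlisted publisher:", r.Unlisted)
	fmt.Println("tampered store:    ", r.Tampered)
}
```

The design choice worth noting is that the verifier trusts exactly one key it carries with it (the administrator's) and derives every other trust decision from data that key has signed; adding a publisher key to the local store without the administrator's signature changes nothing, which is the property the thread's "second round" attack relies on being absent.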