
Adam Shostack wrote:
Does it access a file? ...
Maybe I should have been more clear. It's certainly true that one could concoct software that looked for some tell-tale signs in Java applets or ActiveX controls (though it'd be a little trickier in the latter case, I suspect). What worries me is that this sort of tool might provide a false sense of security to corporate IS types (people who pay my company lots of money). (Oh, gee, I see now that the last line of your message was "It could lead to a false sense of security." Rare consensus on cypherpunks.)

Anyway, there are lots of products like this (lots of virus scanners claim to defend against "all current and future viruses"), and they're not quite the same as sleazy snake-oil pseudo-crypto outfits. It worries me, if only as somebody with money in a bank that might be rendered vulnerable, that a tool like this might be installed under the illusion that an impenetrable wall has gone up around the network.

Seems to me that putting together an ActiveX control that "sneaks" its way through the firewall risk policy wouldn't be hard. Unless the applet scanner actually simulates execution of the control under a variety of input conditions (and we know that's not likely) (but prove me wrong, please) there's not much it can do other than poke around and check what other DLLs the thing wants to access. It might be a bit harder to be sneaky in Java, but I certainly wouldn't bet I could look at an applet and guarantee its safety to any threshold (if I could, why not just do that in the browser?).

Believing in the safety of precertified applets/controls is scary enough. Trusting yet another piece of software in the loop just seems a little wacky to me. (Oh, and in case Finjan is a Tivoli partner, or for all I know another IBM company, I'm not speaking for Tivoli.)
--
Mike M Nally * IBM % Tivoli * Austin TX
mailto:m5@tivoli.com mailto:m101@io.com
http://www.io.com/~m101/
How quickly we forget that "deer processing" and "data processing" are different!