On Thu, Oct 23, 2008 at 07:29:52AM -0400, Nick Holland wrote:

> mak maxie wrote:
> > http://www.computerworld.com.au/index.php?id=264209080&rid=-219
> >  
> > Microsoft Windows is the only operating system that supports signed binaries.
> 
> Ah, so that's why Windows has proven so resistant to spyware
> and malware!  I've always wondered!
> 
> 
> That's evidence of a Slow News Day.
> Obviously, I need better press relations, I've been saying
> "running an alternate OS does not lead to automatic security",
> for a very long time, and I've been hardly the only one.
> 
> What's next?  "Newsflash:  Water is wet!  Fire is Hot!
> youtube at 11:00"
> 
> (Anyone else remember back in the 1980s when viruses were
> running rampant on Macs, and one PC commentator said, "I
> don't even think it is possible to write a virus for the PC".)
> 
> Signed everything is obviously no solution.  Stupid people
> can still blow the hell out of virtually any security
> system they can administer.  Remember the OpenSSH "exploit"
> in binary-only form which 1: required that you run it as
> root.  2: said, "Yep, I just exploited your OpenSSH!" by
> sophisticated use of printf(). 3: while running, it
> e-mailed your network config and password configs to
> someone so they could later demonstrate a real exploit:
> stupid administrators).
> 
> I just saw a demonstration of the limitations of "signing".
> An administrator got overly happy for the successful
> acquisition and installation of a SSL cert for a webserver,
> sent a note of rejoicing and thanks to about 20 people,
> with the SSL cert in the middle of the e-mail.
> D'oh!  A whole bunch of people just got the ability to
> spoof that website.  Worse?  Only two people out of the
> approximately twenty noticed the importance of what had
> happened.

To make the story work, the mentioned mail should have included the
SSL private key, of course. Or did it? I'm always amazed when people
use the words key and cert as if they are the same. It goes so against
the nature of RSA that it causes short-circuits in my brain when that happens
;-)

        -Otto
> 
> The problem is, people consider security an annoyance to
> work around and be grateful when the hoops have been jumped
> through, not something that has to be taken seriously.
> 
> Technology is no solution for stupidity.  Plain and simple.
> You heard it here 1056th.  I'll be waiting for the media
> interviews.
> 
> Nick.
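
Added example, not part of the original messages: a small outgoing-mail check for the key/cert distinction discussed above. It classifies PEM blocks in a mail body by their armor label, so a pasted certificate passes and a pasted private key is flagged. The function names and the sample mail bodies are constructed for illustration.

```python
import re

# PEM armor: -----BEGIN <LABEL>----- ... -----END <LABEL>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
# Leading "> > " reply markers, so quoted material is scanned too.
QUOTE_PREFIX = re.compile(r"^(?:[ \t]*>)+[ \t]?", re.MULTILINE)

PUBLIC_LABELS = ("CERTIFICATE", "CERTIFICATE REQUEST",
                 "PUBLIC KEY", "RSA PUBLIC KEY")


def classify_label(label):
    """Map a PEM label to 'secret', 'public' or 'other'."""
    # Covers RSA/EC/OPENSSH/ENCRYPTED PRIVATE KEY and plain PRIVATE KEY.
    if label.endswith("PRIVATE KEY"):
        return "secret"
    if label in PUBLIC_LABELS:
        return "public"
    return "other"


def scan_mail_body(body):
    """Return [(label, classification), ...] for each PEM block found."""
    text = QUOTE_PREFIX.sub("", body)
    return [(m.group(1), classify_label(m.group(1)))
            for m in PEM_BLOCK.finditer(text)]


def safe_to_send(body):
    """True when the body carries no private key material."""
    return all(kind != "secret" for _, kind in scan_mail_body(body))


# Constructed sample bodies; the base64 line is a placeholder, not a key.
CERT_MAIL = ("We got the cert installed, thanks all!\n"
             "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
             "-----END CERTIFICATE-----\n")
KEY_MAIL = ("> > here is what I installed:\n"
            "> > -----BEGIN RSA PRIVATE KEY-----\n> > Q09OU1RSVUNURUQ=\n"
            "> > -----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, body in (("cert mail", CERT_MAIL), ("key mail", KEY_MAIL)):
        print(name, scan_mail_body(body), "safe" if safe_to_send(body) else "BLOCK")
```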
