[prev in list] [next in list] [prev in thread] [next in thread]
List: cryptography
Subject: Re: [Cryptography] the TOFU lie - or why I want my meat...
From: Tom Mitchell <mitch () niftyegg ! com>
Date: 2015-04-15 4:13:22
Message-ID: CAAMy4URjKqGMhCtyGjqPXvjMg0FMWpd-omBqEJ+19zYE10TchQ () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On Tue, Apr 14, 2015 at 5:16 PM, Bill Frantz <frantz@pwpconsult.com> wrote:
> I'll start with the standard rant about the word "trust". Standing alone,
> "trust" is meaningless.
>
One problem is that much of the dependency is a binary blob perhaps used by
applications ( .so, .dll, .a )
linked to an application. Consider Google Chrome with a built in version
of flash. An application
might drag in any chunk of code to this end...
One improvement might be to turn it into a system service or blended
service.
The blended service could solve some compatability issues. As a system
service it might get the unique attention it needs.
As a service it could have a better memory and better system audit.
For example I have no notion what answers or who gave them to me
were used to validate connections. Same is possibly true at state.gov
Audit may prove to be the most important first step. By tracking answers
and
looking for changes over time a site manager *.gov, *.google.com or
sony.com
could learn some things. But not from a set of .dll or .so dependant
applications
with ephemeral memory.
A first step might be to pound through all the trusted sites and add
a firewall rule to audit, block, log... eventually trust each in turn.
This could be easy or difficult to prototype and test on some operating
systems.
A prototype could gather data to make the case for more exhaustive work.
--
T o m M i t c h e l l
[Attachment #5 (text/html)]
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Apr 14, 2015 \
at 5:16 PM, Bill Frantz <span dir="ltr"><<a href="mailto:frantz@pwpconsult.com" \
target="_blank">frantz@pwpconsult.com</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I'll \
start with the standard rant about the word "trust". Standing alone, \
"trust" is meaningless.<br></blockquote><div><br></div><div>One problem is \
that much of the dependency is a binary blob perhaps used by applications ( .so, \
.dll, .a )</div><div>linked to an application. Consider Google Chrome with a built \
in version of flash. An application</div><div>might drag in any chunk of code to \
this end...</div><div><br></div><div>One improvement might be to turn it into a \
system service or blended service.</div><div>The blended service could solve some \
compatability issues. As a system</div><div>service it might get the unique \
attention it needs.</div><div><br></div><div>As a service it could have a better \
memory and better system audit. </div><div>For example I have no notion what \
answers or who gave them to me</div><div>were used to validate connections. Same is \
possibly true at <a href="http://state.gov">state.gov</a></div><div><br></div><div>Audit \
may prove to be the most important first step. By tracking answers \
and</div><div>looking for changes over time a site manager *.gov, *.<a \
href="http://google.com">google.com</a> or <a \
href="http://sony.com">sony.com</a></div><div>could learn some things. But not \
from a set of .dll or .so dependant applications</div><div>with ephemeral memory. \
</div><div><br></div><div>A first step might be to pound through all the trusted \
sites and add</div><div>a firewall rule to audit, block, log... eventually trust \
each in turn.</div><div><br></div><div>This could be easy or difficult to prototype \
and test on some operating systems.</div><div>A prototype could gather data to make \
the case for more exhaustive \
work.</div><div><br></div><div><br></div><div><br></div></div><br \
clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"> T o \
m M i t c h e l l</div></div> </div></div>
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic