The Active Network

Amazon.com

Who do YOU trust? ....Insure to Assure

January 11, 2000

According to Merriam-Webster, the words ensure, insure, and assure are "interchangeable in many contexts" with assure stressing the removal of doubt and suspense from a person's mind, while insure stresses taking action beforehand to guarantee a certain outcome. In our brave new e-World, we want to be assured that we can trust our fellow e-Citizens, but for many of us, that time won't come until we can be insured against losses. How can we go about this?

First step: understand that you ARE trusting many, many nameless people!

The "Stop Foolish Paranoia!" article pointed out that the media often encourages groundless paranoia about obscure information security problems and simultaneously overlooks issues more likely to cause harm. The article went on to outlined several issues with a higher degree of risk: failure to update your software to fix known problems, failure to use and guard your passwords and backups, and blind disregard for the risks of software from untrustworthy sources, e.g. Trojan Horses. Let's focus on the problem of trusting the source of your software:

My wife's Win98SE PC currently contains 2944 *.dll files and 935 *.exe files. These files are probably the work-product of over two thousand programmers from several dozen companies. When Paul Revere made his products of silver, he stamped each with a mark that showed that he took responsibility for the quality of the product. This was typical of the craftsmen of the era. Today, we have the potential for each of these modules to have the name of the responsible company, the product name, date of compilation and version number. ...but we have nothing to actually require this information be present let alone correct.

Further, we have nothing to verify the integrity of the module. An attacker could have easily tampered with the module to insert a virus or worse and changed the checksum to hide the fact. Further, there are hundreds of interesting and useful programs available by download from shareware and freeware repositories, often downloaded and virtually never independently checked for security concerns. Finally, all of these modules are certainly tied back to End User License Agreements (EULA) that fully absolve the provider from any responsibility what-so-ever with regard to the suitability, functionality, etc. of the software.

Any of these modules from any of these sources, possibly modified by any number of intermediaries with access to shareware repositories, could compromise far more personal data than any browser "cookie" or any sophisticated intercept of Internet traffic could hope to do. Yet, we fear the loss of our data in the extreme while ignoring the integrity of our computer platforms. The failure of which can easily introduce a Trojan Horse that operates with our full rights and privileges! ....rights and privileges we freely gave away when we chose, explicitly or implicitly, to install the dangerous software.

Second step: begin today to insist on and lobby for digitally signed software!

Microsoft delivers digitally signed downloads from their support and Windows Update web sites. Anyone can and should do the same to ensure their software deliveries via 3rd party websites do not become infected. Unfortunately, this currently only signs .exe, .cab, .ocx, and .class files. Integrity is verified when the file is downloaded by a suitable browser. In Windows 2000, Microsoft has proposed each driver module include a digital signature to verify the driver has been tested by Microsoft and verified compatible. This is nice, but the next step needs to be taken: each driver and kernel module critical to security should be digitally signed and verified by the system during boot. The verification process should "bootstrap" from an initial few files that can be executed from ROM to assure against any possible tampering.

Third step: pressure the large vendors to act responsibly!

The EULA wording is so totally pro-vendor and anti-consumer as to be offensive on the face of it. No major company would actually be that anti-customer in any other field. The "software is black magic" mentality of the early days of computing may well have justified the wording in the last century, but now software is an essential component of daily life! It clearly is time for more of a legal commitment from our software vendors. I hope we don't have to lobby congress in order to make this happen.

Fourth step: establish 3rd-party assurance for shareware, freeware, and other forms of freelance software.

The Open Source movement argues that their software is inherently more trustworthy because it is open to public inspection. I grant that the source is open, but unless a method is developed to verify that a given binary module is derived from the public sources, there can be no trustworthy binary distributions. And what about the shareware and freeware developers? Is "open source" the only way for a freelance programmer to be trusted? A better solution would be some form of alliance in which all commercial users of a given piece of software become shareholders by virtue of licensing the software. The cost of the commercial license would pay for the secure management of the sources, including certification and digital signing of binary distributions. Thus the risk associated with using the software in business-critical environments would be distributed among the owners/users themselves.

Fifth step: encourage the development of a software insurance industry!

The final step is to treat software developers the way we treat home-repair contractors: make sure they are bonded (i.e. insured) against failure, accidental or deliberate. This will require underwriters to have access to sources, appropriate skills of software analysis to independently assess the trustworthiness of the software, a scheme similar to the Windows 2000 digital signature scheme to assure that the user is executing the object modules derived from the certified sources, and an actuarial basis for determining the probability of failure in spite of these controls. This will come in time once users of software realize the importance of demanding this level of assurance from their software vendors.

Welcome to the world of 21st century software!

Copyright 2000 Information Security Analysis LLC. All Rights Reserved.
 
http://www.infosecana.com/flinkink 


Return To The Flink Ink Section

 

This site is not related to the Microsoft Corporation in any way. Windows and the Windows logo are trademarks of the Microsoft Corporation. ActiveWindows is an independent site. The information and sources here are obtained from series of hard work & research.