
 
From: Ogle Ron (Rennes) (OgleRthmulti.com)
Date: Sat Oct 27 2001 - 17:01:58 CDT


    Your analogy would make Microsoft liable for damages to the end user. But
    this isn't the case because the contract is between Macromedia and Microsoft
    unless the original user license covers all software downloaded at a later
    point that would be signed by an entity known as "Microsoft" and was
    recognized by the certificates originally stored in the original OS install.
    If this is the case, then the user is still using software "AS-IS" with no
    implied warranties or guarantees that the software will do what you
    want.

    At this point, the user should understand that there is no contract, and
    it's user beware. Of course, the big problem for ActiveX is that the user
    gets an all or nothing approach to security and protection. Even with a
    signed ActiveX application, it still can be used for illicit purposes.

    Java is still the only technology that will allow the user to restrict the
    application from doing the most harm to their system. As a user and
    consumer, you can make your voice heard by buying applications that meet
    your security requirements.

    Ron Ogle
    Rennes, France

    > -----Original Message-----
    > From: Razvan Peteanu [mailto:razvan-peteanuhome.com]
    > Sent: Wednesday, October 24, 2001 7:28 PM
    > To: webappsecsecurityfocus.com
    > Subject: Re: Active-X, plug-ins etc
    >
    >
    > This raises the issues of _why_ one trusts a vendor and whether the trust is
    > transitive. When a user accepts signed code, he basically assumes that code
    > will not perform malicious actions and can not be used to facilitate such
    > actions. The accountability is on the signer's side, not on the
    > developer's. If a user trusts the signer, then it does not matter whether the
    > code has been written by someone in the same company or by other parties.
    > In the real world, when a contract is signed, it does not matter who typed and
    > printed it, but who signs it.
    >
    > If signing the software is treated responsibly, then it is
    > not possible for
    > code written by "Jow Hacker" to be signed by Macromedia.