Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Whistler to include 'block all unsigned apps' security mode

14 views
Skip to first unread message

David Mohring

unread,
Nov 10, 2000, 3:00:00 AM11/10/00
to
Quoting http://www.theregister.co.uk/content/1/14592.html
>The system doesn't just deal with incoming files - it applies to "every
>piece of code executing on the machine." There's a list of 40 different
>kinds of executables, and policies can be set to define which of them
>can be run, the most secure policy being to run only signed applications.

With a pro-active digital signature system, a larger organization
( or small remotely managed site ) can ditch the third party resident
anti-virus programs *alltogether*.

Someone from Microsoft must have been reading my posts!!!
See
http://x61.deja.com/[ST_rn=ps]/viewthread.xp?AN=628264384
http://x61.deja.com/[ST_rn=ps]/viewthread.xp?AN=672311516

http://www.deja.com/[ST_rn=ps]/threadmsg_ct.xp?AN=673714160&fmt=text
Quoteing myself in the latter from "Re: Linux ( and Unix ) virus :Overview"
thread, on what you can do to secure an opensource linux/BSD system

+>Hardwiring configuration, allowing administrators to hard lock options
+>for users and applications on a case by case basis, constraining scripting
+>engines, digital signatures, constrained user shells and file selection
+>widgits , preventing user applications from creating/modifing
+>executables/scripts, etc etc etc, all now possible.
+>( Even down to digital signature checking for every executable,
+> dynamic library and script before execution - cached checksum
+> with refetch from trusted servers on failure )

David Mohring - Vindicated

David Mohring

unread,
Nov 10, 2000, 3:00:00 AM11/10/00
to

Geoff Winkless

unread,
Nov 10, 2000, 3:00:00 AM11/10/00
to
"David Mohring" <her...@heretic.ihug.co.nz> wrote in message
news:slrn90nk4n....@heretic.ihug.co.nz...

> Quoting http://www.theregister.co.uk/content/1/14592.html
> >The system doesn't just deal with incoming files - it applies to "every
> >piece of code executing on the machine." There's a list of 40 different
> >kinds of executables, and policies can be set to define which of them
> >can be run, the most secure policy being to run only signed applications.
>
> With a pro-active digital signature system, a larger organization
> ( or small remotely managed site ) can ditch the third party resident
> anti-virus programs *alltogether*.

Oh yeah, lovely. Let's build our entire system around the assumptions that:

a) all digital certificates are uncrackable;
b) the digital certificate vendors' sites are uncrackable; and
c) the digital certificate vendors are completely honest and reliable.

All it takes is for -one- of these pragma to be wrong (a disgruntled
verisign employee, for example) and you are -totally- screwed.

Back to the drawing board.

Geoff

David Mohring

unread,
Nov 10, 2000, 3:00:00 AM11/10/00
to

Solution - DON'T use/trust the vendors digital certificates.
Resign all the applications used within your organization using an
administrators signature/certificate.

You could even Ghost (see http://www.ghost.com/ ) client machines
from a single drive image with the applications resigned, every
couple of months.

>Back to the drawing board.
>

http://members.aol.com/plucky55/drwngbd2.wav

David Mohring - http://members.aol.com/plucky55/brliance.wav

0 new messages