Re: Working Within the System

From: Michael S. Lorrey (retroman@turbont.net)
Date: Sun Apr 30 2000 - 21:05:20 MDT


Matt Gingell wrote:
>
> The point I'm making is that ActiveX has a security model based on
> trust and authentication, rather than by restricting what an applet is
> able to do. This was a conscious and deliberate design decision, and
> Microsoft has never pretended otherwise or represented ActiveX
> security as analogous to Java sandboxing.

Sure, however the 'trust' issue has been twisted by detractors as being
a 'security hole'.

> (The sandbox
> is an environment where Java applets run. Applets running in a sandbox
> have very limited functionality because they cannot access resources
> on the user's system.) Imagine, for example, a check-writing
> application that couldn't even save files to your disk but instead
> required you to re-enter the information each time you wrote a check."

Which is a ludicrous analogy, since using encrypted cookies is perfectly
sufficient for that particular need.
>
> Certainly an executable can be sandboxed as effectively as bytecode,
> given sufficient operating system support. But that isn't the way ActiveX
> works, or the way it was ever intended to work. I come down on the other side
> of that particular design decision - in my view 'trust' requires eternal
> vigilance, the cost of which in practice is indifference. How many times a day
> do you click away the 'Anyone could read what you just typed' box while dealing
> with forms? Have you ever refused anyone's authentication certificate? Now, of
> course, I have only myself to blame if something gets though - but I don't find
> that a particularly great comfort.

Of course the ignorant blame everyone else or Microsoft if they
ignorantly let their system get corrupted. Trust is not a commodity in
great supply on the net. Its one thing to give out your credit card
number, when you can get any fraudulent purchases reversed, but letting
someone else into your computer is like letting them into your whole
life (in many cases, thats exactly what it is.) The primary reason why
ecommerce has grown as slowly as it has (and I do mean slowly. 50% a
year is nothing when you are still talking less than 1% of the entire
economy.) is that people are paranoid about the hacker boogieman, and
computer companies are to blame for this for creating fear mongering
commmercials in order to sell product.

For most newbies, trust only lasts as long as their first participation
in a chat room.....



This archive was generated by hypermail 2b29 : Thu Jul 27 2000 - 14:10:02 MDT