|« May 2013|
An amusing, but irrelevant, incident: A week after the [Slammer] worm, I was invited to speak about it live on CNN. The program was eventually preempted by the Columbia tragedy, but not before the CNN producers invited Microsoft to appear on the segment with me. Microsoft's spokesman -- I don't know who -- said that the company was unwilling to appear on CNN with me. They were willing to appear before me, they were willing to appear after me, but they were not willing to appear with me. Seems that it is official Microsoft corporate policy not to be seen in public with Bruce Schneier.
There's a new security hole in Microsoft software. An ActiveX control, supplied and signed by Microsoft, can run arbitrary programs on your computer. Microsoft has issued a fixed control, but there's still a problem: sites can request the vulnerable version, and it will be fetched and reinstalled.
Microsoft's solution: remove Microsoft from your list of trusted providers (if you ever put them there, that is).
It's tempting just to chortle at this, but it illustrates serious problems with the code-signing approach in general. Way back in January 1997 I wrote that the ActiveX security architecture wasn't actually a security architecture; at best it's a blame-assignment architecture. I believe that even more today.
I've worked on projects that do code signing. And there are big security holes in the whole process. Think about how organizations work. Too many people will have access to the signing key. Signing becomes part of the automated build process, and it stays there even if security audits fall by the wayside. (Assuming, of course, that there ever were security audits.) You have to be careful with trusting individuals. Why would you ever grant blanket trust to a corporate entity?
Ken Thompson was right. The problem of trust runs deeper than technology.