WHMurray@DOCKMASTER.ARPA (12/10/89)
I suspect that Y. Radai misses the point of Bob Bosen's posting. The point is, why re-invent the wheel thinking up new authentication schemes when standard ones of known strength already exist. He was not making new claims about how effectively such schemes can be implemented.

However, there is a more subtle point. In the most general, non-trivial (read PC), case, a virus designer can always get his program executed by duping users. The law of large numbers suggests that, as Abraham Lincoln said, you can always fool some of the people some of the time. If the population is sufficiently large, that will be enough to insure the life of the virus.

Again, in the most general non-PC case, an effective way to get a program executed is to make it appear to come from a known and trusted source. The Christmas cards are a good example. When the copies are distributed they are distributed under the source ID of the last victim. Since the names of the targets are taken from the address book (NAMES file) of the source, this ID is likely known by many of the victims.

Another example is the re-shrink-wrapped software of a reputable vendor on the shelf of a naive or irresponsible distributor. Many of us are likely to be duped into executing such software. How can we know that the software is what the vendor shipped? How can the vendor demonstrate, even to his own satisfaction, that he did not ship it?

Digital signatures (which are not simply CRCs) provide at least a partial answer to these questions. They provide compelling evidence that a data object originated in a particular place and that they have not been contaminated since leaving that point. They do not and cannot protect us against all lies and all malice. They may not protect us at all if we refuse to apply them or reconcile them. However, they make it possible to protect the innocent. If we refuse to accept data objects that are not signed by the source, then they will help to fix accountability for malice. In the presence of such accountability the quantity of malice can be expected to be less than it would be in the absence of such signatures.

Finally, the ability of a virus to spread in a population, as opposed to its ability to detect and bypass the controls in a member of the population, depends upon there being exploitable similarities among the members of the population. The insistence of Mr. Radai et al. that, since it is possible to detect and bypass any control, that all is futile does not stand up. By subtle changes to my machine and its use, I can make it sufficiently different from the population at large, to make it effectively immune from practical attacks. If we were all doing that, viruses would be far less successful. That I cannot make it theoretically resistant to hypothetical attacks, may be of little interest.

It is time to stop condemning the useful out of hand. Those who insist upon doing so are contributing to the problem rather than the solution.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
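The distinction drawn in the posting above between a CRC and a digital signature, as an added example that is not part of the original posting: anyone who alters a package can recompute a matching CRC, but cannot produce a signature that verifies under the vendor's public key. The key is a toy unpadded RSA key built from two well-known Mersenne primes so the sketch runs with the Python standard library alone; the package contents and all names are constructed, and a real deployment would use a padded scheme such as RSA-PSS or Ed25519 with properly generated keys.

```python
import hashlib
import zlib

# Toy RSA key from two well-known Mersenne primes (assumption for this example).
# Trivially factorable and unpadded: for illustration only.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                            # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the vendor


def digest(data: bytes) -> int:
    """SHA-256 of the data as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def vendor_sign(data: bytes) -> int:
    """Signing needs the private exponent D."""
    return pow(digest(data), D, N)


def verify_signature(data: bytes, sig: int) -> bool:
    """Verification needs only the public values (N, E)."""
    return pow(sig, E, N) == digest(data)


def verify_crc(data: bytes, crc: int) -> bool:
    """A CRC involves no secret: anyone can compute a matching value."""
    return zlib.crc32(data) == crc


def check_package(data: bytes, crc: int, sig: int) -> dict:
    return {"crc_ok": verify_crc(data, crc), "sig_ok": verify_signature(data, sig)}


# Constructed sample: the package as the vendor shipped it.
shipped = b"INSTALL.EXE contents v1.0 (constructed sample)"
shipped_crc = zlib.crc32(shipped)
shipped_sig = vendor_sign(shipped)

# The re-shrink-wrapped copy: contents altered after leaving the vendor and the
# CRC recomputed to match. Without D the signature cannot be redone, so the
# original one travels with the altered contents.
altered = shipped + b" + appended code"
altered_crc = zlib.crc32(altered)

if __name__ == "__main__":
    print("as shipped:", check_package(shipped, shipped_crc, shipped_sig))
    print("altered:   ", check_package(altered, altered_crc, shipped_sig))
    print("unsigned:  ", check_package(altered, altered_crc, 0))
```

A recipient who checks only the CRC accepts the altered copy; one who refuses anything whose signature does not verify rejects it, which is the policy the posting argues for.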
RADAI1@HBUNOS.BITNET (Y. Radai) (12/18/89)
When I submitted my contribution on Signature Programs (Issue 256) I wouldn't have been surprised to be criticized for something I wrote, but I hardly expected to be criticized for something I *didn't* write! According to William Murray (#257),

> The insistence of Mr. Radai et al. that,
>since it is possible to detect and bypass any control, that all is
>futile does not stand up.
> ....
>It is time to stop condemning the useful out of hand. Those who insist
>upon doing so are contributing to the problem rather than the solution.

Just where, Mr. Murray, did you find in anything which I wrote, that I "insist" that "all is futile" or that I "condemn the useful"??? I never said anything remotely resembling these things. The point I was making was: Security of the algorithm is not enough; what's important is the security of the implementing program. Where's the futility in that?

Well, maybe Mr. Murray thinks that these conclusions are somehow implied by the position that it's possible to detect and bypass any control. (Actually, I never said even *that*, but for sake of argument, let's suppose that I did.) Just how is that supposed to imply that all is futile?? My actual opinion is quite the opposite: it's that even if we can't create a perfect checksum or other anti-viral program, we should make an effort to think of all possible holes in the system, and the more we block, the better. There is absolutely no implication of futility or condemnation of the useful either here or in my original posting. In the future, Mr. Murray, please try to read more carefully before attributing positions to others.

There were also some peculiar claims in the paragraph following Mr. Murray's opening line "I suspect that Y. Radai misses the point of Bob Bosen's posting." However, I'll leave it to Bob himself to decide which of us missed the point of his posting, Mr. Murray or me ....

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI1@HBUNOS.BITNET

P.S. I have not been receiving Virus-L regularly for the last couple of months. If there have been more recent (and hopefully more relevant!) replies to my posting which call for an answer from me, please be patient.