
Re: ActiveX security hole reported.



On Fri, 16 Aug 1996, Sean Robert Wilkins wrote:

> Now I should start and say I am surely not saying there are no security
> problems here, BUT actually a person who is running around the web with
> software of this type should know at least the basic security around the
> dialogs. Now not that everyone knows everything, but a basic level should be
> known, this is why MS's messages are so descriptive to Netscape's, to
> compare. And actually there are some places to get your code signed for a
> reasonable rate, about the same rate as it is to have say ASP verify a
> shareware program. These companies are in the Internet position of a notary.
> 
>         Actually I had a question of you: are you a big fan of Java? Or its
> scripting. MS based or SUN?? There is always going to be a back door
> somewhere.. or an invisible security problem..

I think Java is a pretty good model, yes, it is not without flaws either.
But the Java security model is to make everything inaccessible, and then
to allow specific capabilities based on some criteria, like signed code,
or something. (here we have the same signing problem as with ActiveX.)

Currently, no capabilities are extended to Java applets other than to connect
back to their originating host.

The ActiveX security model is none at all, zero, zilch. If you allow an
ActiveX control to run, it could do *anything*.  That is very bad IMO.
The fact that an ActiveX control has the ability to shut down your machine,
or do any number of other much nastier things, is not a back door, it's
a front door, and it's wide open.

>         Another thing about this: the angry or sarcastic tone of this message
> is not appreciated or necessary so please don't use it. This is a news group
> for debating maybe but none of that stuff...

Forgive me, but it is very irritating when a company such as M$, rather
than supporting a standard and aiding in its development, develops a
completely separate, non-portable, not-well-designed competitor for
the standard, and then pushes it like it's the greatest idea ever in
computing.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeremey Barrett
Senior Software Engineer                        jeremey@forequest.com
The ForeQuest Company                           http://www.forequest.com/

PGP Key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64
PGP Public Key: http://www.forequest.com/people/jeremey/pgpkey.htm
                
		"less is more."  -- Mies van de Rohe.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

