Date: Tue, 4 Mar 97 23:18:55 EDT
From: Jerry Leichter
Subject: Re: Comments and corrections on Authenticode (Atkinson, RISKS-18.85)

Bob Atkinson argues that digital signatures on downloaded code, at the least, allow you to identify someone who sent you "bad code" for legal action. There is so much wrong with this claim that it's hard to imagine anyone would make it. To mention just two things:

1. The "evidence" - the digital signature - that would presumably be used against the attacker is stored ... on the very machine that is being attacked. On a system like Windows 95, which provides absolutely no internal protection, that evidence will last for a few milliseconds. (Admittedly, a protected system like NT *could* write secure logs of signatures that had been recently accepted. However, it'll be quite some time - if it ever happens - before the existing base of unprotected systems is replaced by protected ones.)

2. Mr. Atkinson makes the assumption that the malicious code can be identified. Sure, if it immediately does something that you can see, things are easy. But if it does something indirect; or waits until executed the 100th time; or modifies some *other* program so that *it* later does something nasty; then tracking down the source of the original corruption will be extremely difficult. Hell, tracking down "memory poisoning" *bugs* is extremely difficult - and these are random events that make no direct attempt to cover their tracks.

The traditional boxed software set from a local store is safe for many reasons - but some of the important ones relate to the inherent limitations of the traditional distribution medium. It's fairly difficult and expensive to put together the boxes, documentation, printed CD's, and such. Distributing them to stores adds much more expense - and at each step of the way, there are people to talk to, papers to sign, money to change hands, records to be made.

The advantage of on-line distribution is that it cuts away all these layers and delays and costs. But in doing so, it also makes attacks much cheaper, easier, and more anonymous. A signed piece of code shares one characteristic with software in a box: A mark that can, with reasonable though varying confidence, be ascribed to the person who created the boxed set/signed software object. But the two are different in so many other fundamental ways that to attempt to argue the acceptability of one on the basis of experience with the other is simple sophistry.

"People want nifty things on their machines; they don't want security mechanisms getting in the way." People haven't yet been badly burned. Look how many years it took to get even rudimentary safety devices into cars.

Jerry
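The following is an added illustration of point 1 above (the acceptance record living on the attacked machine) and of the "secure logs of signatures that had been recently accepted" the post says a protected system could keep. It is not code from the post or from Authenticode; the log format, the hash chaining and the idea of keeping the chain head off the host are assumptions made here for the example, and the signer names, file names and hashes are constructed placeholders. The point it makes is narrow: a chained log whose head is copied somewhere the accepted code cannot reach does not stop the local record from being erased or altered, but it does let the erasure or alteration be detected afterwards, which a plain local file cannot offer.

```python
import hashlib
import hmac
import json

# Constructed sample acceptance events (placeholder signer, object and hash
# values, not real publishers or binaries).
SAMPLE_ACCEPTS = [
    {"ts": "1997-03-04T23:18:55", "signer": "CN=Example Publisher A (placeholder)",
     "object": "installer.exe", "object_sha256": "11" * 32},
    {"ts": "1997-03-04T23:20:10", "signer": "CN=Example Publisher B (placeholder)",
     "object": "control.ocx", "object_sha256": "22" * 32},
    {"ts": "1997-03-04T23:25:42", "signer": "CN=Example Publisher A (placeholder)",
     "object": "update.exe", "object_sha256": "33" * 32},
]

GENESIS = "0" * 64  # chain value before the first entry


def _link(prev_chain, entry):
    """Chain value for an entry: SHA-256 over the previous chain value and the entry."""
    payload = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev_chain + payload).encode()).hexdigest()


def append_entry(log, entry):
    """Append an acceptance record to the local log and return the new chain head."""
    prev = log[-1]["chain"] if log else GENESIS
    chain = _link(prev, entry)
    log.append({"entry": entry, "chain": chain})
    return chain


def verify_chain(log, off_host_head):
    """True only if every link recomputes and the final link equals the head that
    was copied off the host at the time of the last accepted signature."""
    prev = GENESIS
    for rec in log:
        if _link(prev, rec["entry"]) != rec["chain"]:
            return False
        prev = rec["chain"]
    return hmac.compare_digest(prev, off_host_head)


def build_sample_log():
    """Build the local log from the sample events; the returned head stands in for
    the copy a protected system would forward off the machine."""
    log = []
    head = GENESIS
    for event in SAMPLE_ACCEPTS:
        head = append_entry(log, event)
    return log, head


def intact_log_verifies():
    log, head = build_sample_log()
    return verify_chain(log, head)


def erased_log_detected():
    # Point 1 of the post: code running on the machine wipes the local record.
    # The record is gone, but the off-host head no longer matches, so the wipe is visible.
    log, head = build_sample_log()
    log.clear()
    return not verify_chain(log, head)


def truncated_log_detected():
    # Dropping only the most recent acceptance (the one that mattered) is also caught.
    log, head = build_sample_log()
    del log[-1]
    return not verify_chain(log, head)


def altered_entry_detected():
    # Rewriting which signer was accepted breaks every later link.
    log, head = build_sample_log()
    log[1]["entry"]["signer"] = "CN=Someone Else (placeholder)"
    return not verify_chain(log, head)


if __name__ == "__main__":
    print("intact:", intact_log_verifies())
    print("erased detected:", erased_log_detected())
    print("truncated detected:", truncated_log_detected())
    print("altered detected:", altered_entry_detected())
```

Note what the example does not do: if the head is kept only on the same unprotected machine, the erasing code can remove it too, and nothing is detectable, which is exactly the situation the post describes for Windows 95. Detection depends on the head (or the whole log) reaching a place the accepted code cannot write to.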