The only solution to trojan horse programs
Authored by: ducasi on May 12, '04 05:10:12PM

There is only one solution to trojan horses that really works.

Code signing.

If your malicious code wasn't signed (by yourself, by Apple or by someone you trust) it wouldn't be allowed to run.

Microsoft are into code signing in a big way. Their trusted computing initiative takes it to the extreme that even the OS itself needs to be signed before the computer will start up.

Apple have chosen not to go down this road.

There are obvious issues about freedom, usability, cost and security that crop up. I think the most important thing would be to make it easy for you to sign your own programs without having to jump through hoops.

It could be made to work, but it would be a dangerous road to go down...

The only solution to trojan horse programs
Authored by: Spades on May 12, '04 05:58:28PM

It's all about trust. Cryptographic signatures are a very strong method of establishing trust, but you can still trick people into believing that your electronic identity is trustworthy. It probably doesn't need to go that far in most cases. Just be smart about what you trust. P2P is an extremely untrustworthy source. Don't get applications from it. Period.

The only solution to trojan horse programs
Authored by: nickfitz on May 13, '04 05:14:29AM

Code signing.

If your malicious code wasn't signed (by yourself, by Apple or by someone you trust) it wouldn't be allowed to run.

Microsoft are into code signing in a big way.

One needs to be able to trust the people who sign the code to be who they say they are. Therefore, you need to be able to trust the certificating authority only to issue certificates to the right people. And this doesn't always happen: 'VeriSign, Inc.... issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation".'

In other words, no matter what system is in place, it only takes a little social engineering to circumvent it.
