[ On Monday, December 17, 2001 at 09:40:06 (+0000), Philip Hazel wrote: ]
> Subject: Re: [Exim] Exim and IBM DB2
>
> I am aware of the security arguments about dynamic loading. We spend our
> lives making choices between convenience and security, and not only in
> computing. (I know people who will not give their credit card numbers
> over the telephone. I suppose it makes their lives a bit more secure,
> but I see them being heavily inconvenienced.)

I appreciate your answer very much, Philip!
Way back when the public Internet was nearly brand new (you know, just a
few years ago! :-) I was interviewed on @Discovery.ca (the Canadian
version of the cable-TV The Discovery Channel's daily science and
technology news show) about Internet security concerns. I said in that
interview that I would not be concerned about giving my credit card
number over the Internet, not even in a clear-text e-mail message. By
comparison I said I'd be much more concerned about giving it to some
gas (petrol) station attendant to let him cart it into the cash register
without my following him and observing his every move. I still, for the
most part, stand by that advice, and that's because credit cards are,
for the most part, protected by the financial might of the credit card
companies (i.e. the tiny ~3% tax we all pay for their insurance) and not
by the secrecy of the number. Of course there are additional risks
created by the power of widespread public electronic communications
(i.e. the Internet) which make exposure of your card number on the
Internet somewhat more costly to the card issuer, and potentially more
costly to you if you've chosen a poorly protected card. Since we're all
going to pay that ~3% tax anyway (most retailers collect it on the
sticker price so you pay even if you pay cash unless you can talk them
out of it) we may as well all take advantage of the convenience.

However.....

> If you are really, really
> paranoid, you will only use a computer that you have built yourself, and
> for which you have either written or understood from source every single
> piece of software. I don't think many people go that far. On the whole,
> we trust the manufacturers of the hardware. We trust the purveyors of
> the OS and the compiler. (But see Ken Thompson's talk/paper on trusting
> compilers, way back when he got a Turing Award - some time in the
> 1980's, I think - published in CACM. Reading the source code is
> sometimes not enough.) We trust the libraries and other ancillary
> programs. We trust applications that we load from the Internet and
> elsewhere.

The issue of dynamically loaded code, at least in what I imagine is the
way it might be used in this particular case, isn't a matter of
convenience, and the risks are very much higher than you make them out
to be.

> Everybody has some line at which they stop trusting, depending on their
> nature and their experience. (If you've been burgled, you tend to go in
> for stronger doors and better locks.) There is a fuzzy area where some
> people are happy to go, whereas others are not. That is their choice.
> Dynamic loading for a program such as Exim falls into this area, it
> seems. That means I must learn a bit about how it works if/when I
> implement it, and write some careful documentation pointing out the
> pitfalls so that people can make an informed choice.

I think if you study the research, and weigh the risks against the
alternatives, that you'll find there are many viable ways to implement
the same kinds of features.

--
Greg A. Woods
+1 416 218-0098; <gwoods@???>; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>