remote-attestation is not required (Re: The bank fraud blame game)

Adam Back adam at cypherspace.org
Wed Jul 4 03:45:40 EDT 2007


I think you misread what I said about "BIOS jumper required install".

Ie this is not a one click install from email.  It is something one
user in 10,000 would even install at all!  It would be more like
people who program and install custom BIOSes or something, people who
reverse-engineer security products.  Point is to allow audit of
running code by a few paranoid people to keep things honest.

The whole point of the separate program space is that it DOES NOT get
infested with viruses like windows does.  The software running in it
will be very very simple, have minimal UI, minimal code etc.

Obviously there would be no software connection between anything
received in email and changing the software in the physical or virtual
software compartment.

Adam

On Tue, Jul 03, 2007 at 05:53:19PM -0000, John Levine wrote:
> >I do not believe the mentioned conflict exists.  The aim of these
> >calculator-like devices is to make sure that no malware, virus etc can
> >create unauthorized transactions.  The user should still be able to
> >debug, and inspect the software in the calculator-like device, or
> >virtual software compartment, just that installation of software or
> >upgrades into that area should be under direct explicit user control.
> >(eg with BIOS jumper required to even make any software change!)
> 
> In view of the number of people who look at an email message, click on
> an attached ZIP file, rekey a file password in the message, and then
> run the program in the file, thereby manually installing a virus, it's
> way too dangerous to let users install any code at all on a security
> device.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list