[Cryptography] the TOFU lie - or why I want my meat...

Tom Mitchell mitch at niftyegg.com
Wed Apr 15 00:13:22 EDT 2015


On Tue, Apr 14, 2015 at 5:16 PM, Bill Frantz <frantz at pwpconsult.com> wrote:

> I'll start with the standard rant about the word "trust". Standing alone,
> "trust" is meaningless.
>

One problem is that much of the dependency is a binary blob, perhaps used by
applications (.so, .dll, .a) linked to an application.  Consider Google Chrome
with a built-in version of Flash.  An application might drag in any chunk of
code to this end...

One improvement might be to turn it into a system service or blended service.
The blended service could solve some compatibility issues.  As a system
service it might get the unique attention it needs.

As a service it could have a better memory and better system audit.
For example, I have no notion of what answers, or who gave them to me,
were used to validate connections.  The same is possibly true at state.gov.

Audit may prove to be the most important first step.  By tracking answers and
looking for changes over time, a site manager (*.gov, *.google.com or
sony.com) could learn some things.  But not from a set of .dll- or
.so-dependent applications with ephemeral memory.

A first step might be to pound through all the trusted sites and add a
firewall rule to audit, block, log... and eventually trust each in turn.

This could be easy or difficult to prototype and test on some operating
systems.  A prototype could gather data to make the case for more exhaustive
work.

-- 
  T o m    M i t c h e l l
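The "service with a memory" sketched in the post above, as an added example that is not code from the post or from any project it names: a persistent trust-on-first-use store that remembers the certificate fingerprint first presented by each host, records on every later connection whether the answer is unchanged or has changed, and keeps that log across restarts so changes can be reviewed over time. The per-host "audit"/"block" modes, the field names, and all hostnames, timestamps and certificate bytes are this example's own constructed assumptions.

```python
"""Persistent TOFU audit store (added example; constructed sample data).

For each host it remembers the first certificate fingerprint seen, logs every
later observation as unchanged or changed, and refuses a changed answer only
for hosts placed in "block" mode.  Modes, field names, hostnames and the
stand-in certificate bytes are assumptions made for this example.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of the DER certificate; this is the value that gets pinned."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class AuditEvent:
    kind: str               # "first_use", "unchanged" or "changed"
    host: str
    pinned: Optional[str]   # fingerprint remembered before this observation
    seen: str               # fingerprint presented in this observation
    at: int                 # unix time of the observation
    source: str             # which application/service reported it
    decision: str           # "allow" or "block"


class TofuStore:
    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}   # host -> pinned fingerprint
        self._mode: Dict[str, str] = {}   # host -> "audit" | "block" (default audit)
        self.log: List[AuditEvent] = []

    def set_mode(self, host: str, mode: str) -> None:
        if mode not in ("audit", "block"):
            raise ValueError(mode)
        self._mode[host] = mode

    def observe(self, host: str, cert_der: bytes, at: int, source: str) -> AuditEvent:
        seen = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is None:
            kind = "first_use"
            self._pins[host] = seen          # trust on first use
        elif pinned == seen:
            kind = "unchanged"
        else:
            kind = "changed"                 # the pin is NOT replaced silently
        # A changed answer is refused only for hosts in "block" mode; others are logged.
        blocked = kind == "changed" and self._mode.get(host, "audit") == "block"
        ev = AuditEvent(kind, host, pinned, seen, at, source,
                        "block" if blocked else "allow")
        self.log.append(ev)
        return ev

    def accept(self, host: str, new_fingerprint: str) -> None:
        """Operator explicitly re-pins a host after reviewing a logged change."""
        self._pins[host] = new_fingerprint

    def changes(self) -> List[AuditEvent]:
        return [e for e in self.log if e.kind == "changed"]

    def dumps(self) -> str:
        """Serialise pins, modes and the audit log so they outlive the process."""
        return json.dumps({"pins": self._pins, "mode": self._mode,
                           "log": [asdict(e) for e in self.log]}, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "TofuStore":
        raw = json.loads(data)
        store = cls()
        store._pins = dict(raw["pins"])
        store._mode = dict(raw["mode"])
        store.log = [AuditEvent(**e) for e in raw["log"]]
        return store


# Constructed stand-ins for DER certificates (not real certificates).
CERT_A = b"constructed-cert-for-example.gov-v1"
CERT_B = b"constructed-cert-for-example.gov-v2"
CERT_C = b"constructed-cert-for-mail.example.com-v1"


def demo() -> List[str]:
    """Run constructed observations; return 'kind/decision' for each log entry."""
    store = TofuStore()
    store.set_mode("example.gov", "block")
    store.observe("example.gov", CERT_A, 1_429_000_000, "browser")
    store.observe("example.gov", CERT_A, 1_429_000_600, "mail-client")
    store.observe("example.gov", CERT_B, 1_429_001_200, "browser")          # changed -> block
    store.observe("mail.example.com", CERT_C, 1_429_001_800, "mail-client")
    store.observe("mail.example.com", CERT_A, 1_429_002_400, "mail-client")  # changed -> audit only
    # Operator reviews the logged change on the mail host and accepts the new answer.
    store.accept("mail.example.com", fingerprint(CERT_A))
    store.observe("mail.example.com", CERT_A, 1_429_003_000, "mail-client")
    # Unlike a .so's memory, the record survives a restart via serialisation.
    restored = TofuStore.loads(store.dumps())
    return [f"{e.kind}/{e.decision}" for e in restored.log]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the store makes concrete is the difference between remembering and enforcing: every change is written to the log regardless of mode, so a site manager can start in "audit" for all hosts, look at what changed and who reported it, and move hosts to "block" one at a time, which is the "audit, block, log... eventually trust each in turn" progression the post describes.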