I don't trust sandboxes either.
But I do trust signed code that has been thoroughly reviewed.
We would be talking about a few hundred lines of code here,
not tens of thousands.
Phill
-----Original Message-----
From: David F. Skoll [mailto:dfs(_at_)roaringpenguin(_dot_)com]
Sent: Tuesday, March 11, 2003 4:12 PM
To: asrg(_at_)ietf(_dot_)org
Subject: RE: [Asrg] DCC and IP checksums
On Mon, 10 Mar 2003, Hallam-Baker, Phillip wrote:
But consider what happens when you use mobile code to describe the
hash function.
Oh, yes, let's consider that.
You have enormous security violations all over the Internet.
"Mobile Code" is a non-starter from a security standpoint. I don't
trust sandboxes, and I don't think most SMTP server owners do either.
This is how satellite TV companies keep card piracy at acceptable
levels. They don't shut off a pirate card immediately; they let a
number of customers develop, then they kill it when doing so does
maximum damage to the pirate's reputation.
They have a closed system and can trust their own mobile code.
The spamware companies have a big problem that script writers do not:
they want to make money from their code. So it takes them much longer
to react than the opposition.
From my observations, a lot of simple anti-spam tricks that worked a
year ago (and are even widely-known, e.g., as part of SpamAssassin),
still work pretty well. So I think you have a point about the
reaction time.
--
David.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg