Can you trust your next download?

http://www.strom.com/awards/59.html

My wife is a big fan of The X Files TV show, and part of my interest is how hard it is to separate what is fact from what is opinion (or just plain speculation) about the paranormal. The same can be said when it comes to trying to deal with what I call The Active X Files, and understanding what to do about the stuff you download from the net.

This week saw the headlines about a rogue viewing application on a porn site. In reality, this was a program designed to connect to the Internet by way of first making a call to Moldova. So, along with bringing you pictures of the unclothed, you got a very expensive international phone bill. And before I could even check my own phone bill came word of another rogue application, this one that uses the electronic funds transfer feature of Quicken to debit your account and credit the German Chaos Computer Club's account. The Chaos folks chose to use ActiveX to deliver their hack.

The net is getting to be a nasty place. But you knew that already. So what can you do when you want to download something? Whom can you trust?

To get to the bottom of this, allow me to switch into J-mode and dig up the primary sources for your reading pleasure. I realize that most of us don't want to go through all this trouble to find out the Truth, or at least the Facts - that's why we trust journalists. Or maybe we don't trust anyone, in this particular case.

I first heard about the rogue Active-X application from a friend, who sent me one of the various newsgroup postings about the Chaos hack.

So rather than take this at face value, I called my contacts at Microsoft and Intuit and tried to get to the bottom of what actually happened. Before I knew it, I was interviewing others, trying to verify what they said with what was posted on the net. In the meantime, Microsoft this week produced some pages of their own to spin the situation, taking the high road to promote ways to improve applications security.

Elsewhere on Microsoft's web site you'll find information and propaganda about how Active X and Internet Explorer can be made more secure from these rogue applications.

Now for some perspective: If we go back to last summer, an enterprising programmer by the name of Fred McLain developed an intentionally rogue Active X application he called Exploder. This would turn off your computer once you downloaded it. You can find out directly from Fred here.

Okay, so you have the case. Now if you were watching Mulder and Scully, they would try to get at the truth behind all these events. So, let's try to not confuse the facts with opinions:

Fact 1: Microsoft has set up a process whereby any Active X application can carry a special digital signature. The signature is provided by Verisign. Verisign asks software authors to adhere to a code of ethics, saying the author "shall exercise reasonable care consistent with prevailing industry standards to exclude programs, extraneous code, viruses, or data that may be reasonably expected to damage, misappropriate, or interfere with the use of data, software, systems or operations of the other party." You can read more about this from their own web site, and see the pledge for yourself under Section 4.3.

Fact 2: The Chaos Active X application was unsigned. McLain's Exploder was signed, but the certificate was revoked by Verisign because he didn't adhere to the pledge above. According to Greg Smirin, a product manager at Verisign, his was the first certificate revoked "for cause." (Other people lost their keys and asked to have their own certificates revoked.)

Fact 3: Finding out whether or not a certificate is still valid is a separate step that will require some specialized knowledge. If you know the author's exact name, you can search Verisign's web site and find out the status of a particular certificate. (A Microsoft representative mistakenly told me that a list of revoked certificates was posted on a page there. It isn't.) Here is the path to McLain's information.

Fact 4: Before you download anything from the net, your browser puts up a dialog box asking you what you want to do. Generally, this is to name the file and put it someplace on your hard disk. You can configure IE, and Navigator for that matter, to show you a warning that what you are about to do is unsafe. Or you can configure them to not present this warning, depending on the make and model of the browser software.

Okay, you have the facts before you. Now you can make up your own mind about what to do. Here are some of my opinions: Microsoft says users shouldn't download any unsigned applications, and indeed I would say that is a good idea. However, a signature doesn't really mean much, as McLain's application shows. Microsoft is confusing the presence of a certificate with its validity.

Microsoft points out that rogue Java applications have the potential to do damage to your system, just as rogue Active X applications. Yes, but so what?

Finding a revoked certificate isn't as easy as finding out if a credit card number is stolen. And most of us won't take the time to navigate the Verisign site to find out whether we have just downloaded an application carrying a valid certificate. Microsoft and Verisign have to come up with a better system if they want people to trust certificates in the future, especially as the number of them revoked for cause increases. Same is true for the Java side of things.
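The difference between a signature being present and its certificate still being valid, as an added example that is not part of the original column. The publisher names, keys and serial numbers are constructed, and an HMAC stands in for the public-key signature a real code-signing scheme uses.

```python
import hashlib
import hmac
from collections import namedtuple
from datetime import date

# publisher: name on the certificate; serial: certificate serial number;
# tag: HMAC-SHA256 over the file, standing in for a public-key signature.
Signature = namedtuple("Signature", "publisher serial tag")

# Constructed sample data, not real keys or certificates.
PUBLISHER_KEYS = {"Honest Software Co.": b"key-a", "Rogue Control Author": b"key-b"}
REVOKED = {"SERIAL-0002": "revoked for cause"}  # serial -> reason


def sign(publisher, serial, payload):
    tag = hmac.new(PUBLISHER_KEYS[publisher], payload, hashlib.sha256).digest()
    return Signature(publisher, serial, tag)


def evaluate_download(payload, sig, revoked, list_fetched, today, max_age_days=7):
    """Return (verdict, reason). Each check is its own step; none implies the next."""
    if sig is None:
        return ("block", "unsigned")
    key = PUBLISHER_KEYS.get(sig.publisher)
    if key is None:
        return ("block", "unknown publisher")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig.tag):
        return ("block", "signature does not match file")
    # A signature that verifies says who signed the file, not whether the
    # certificate is still good. Without a fresh revocation list, fail closed.
    if (today - list_fetched).days > max_age_days:
        return ("block", "revocation status unknown")
    if sig.serial in revoked:
        return ("block", "certificate " + revoked[sig.serial])
    # Says nothing about what the code does once it runs.
    return ("allow", "signature verified, certificate not revoked")


if __name__ == "__main__":
    today = date(1997, 2, 14)  # constructed date
    control = b"constructed control bytes"
    cases = {
        "unsigned": None,
        "signed, revoked": sign("Rogue Control Author", "SERIAL-0002", control),
        "signed, valid": sign("Honest Software Co.", "SERIAL-0001", control),
    }
    for label, sig in cases.items():
        print(label, "->", evaluate_download(control, sig, REVOKED, today, today))
```

The signed-but-revoked case passes the signature check and is stopped only by the revocation lookup, which is the step the dialog box in Fact 4 does not perform for you.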

My recommendations? Protect yourself, and consider all the ways you get stuff from the net. I use Norton Anti-Virus software on the PCs that I use to download anything from the net (or run any foreign floppies on), and have it set up to scan all downloads and floppies as a matter of course. I also use WordPad to read all foreign Word .DOC files that I get as email attachments: WordPad doesn't do macros, so it is another line of defense against those things that re-arrange your hard disk.

So, is Active X more or less secure than plug-ins or Java applets? Well, it really doesn't matter, does it? Anything that you download from the net is suspect. Microsoft says you wouldn't pick up a random floppy off the street and run the software on it, so why should you do so with an untrusted application? I agree -- however, getting to the bottom of whom you can trust is not a simple process, as my fact-checking has shown.

Go in peace.

Site-keeping and self-promotions dep't

My review of Interse's MarketFocus 3, a fully-featured and high-priced web analysis tool, appeared this past week in Infoworld.

David Strom
david@strom.com
+1 (516) 944-3407
entire contents copyright 1997 by David Strom, Inc.