l4-hurd

RE: The Perils of Pluggability


From: Christopher Nelson
Subject: RE: The Perils of Pluggability
Date: Tue, 11 Oct 2005 09:23:19 -0600

> 
>    >    > Extensibility is not a synonym of vulnerability.
>    > 
>    >    Of COURSE it is!
>    > 
>    >    > Actually, it isn't.  My extensions to vulnerable program A do not
>    >    > affect you.
> 
>    Counterexamples:
> 
>      My hacked system may attack yours.
>      My hacked extension may consume resources that impact other users.
>      My hacked extension may corrupt my documents. You may read them,
>        impacting your behavior. Recent examples include web site hacks
>        that generated millions of dollars in payout through stock
>        manipulation.
> 
>    Or don't these count as ways in which I am affected?
> 
> They don't.  Just because your system attacks mine doesn't mean that
> it will break the security of my system; so no harm done there.  If
> your hacked extensions consume much cpu/memory then this is easy to
> solve, quotas for system resources (I find quotas idiotic, so I don't
> support them).  If your extension "consumes" the NIC or something,
> then there is not much one can do, a NIC isn't a shared resource.

I suppose then, that Denial of Service attacks that cost companies
millions of dollars in lost revenue don't count either.  Also,
deliberately hostile viruses that simply soak up all available processor
time and make the machine nearly unusable don't count either.  I mean,
your DATA isn't being harmed, so where's the problem? 



