[Anima-bootstrap] minor point about malware

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 07 January 2017 15:17 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 7367A1288B8 for <anima-bootstrap@ietfa.amsl.com>; Sat, 7 Jan 2017 07:17:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id phk-iUc2O7kt for <anima-bootstrap@ietfa.amsl.com>; Sat, 7 Jan 2017 07:17:01 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 287DA126579 for <anima-bootstrap@ietf.org>; Sat, 7 Jan 2017 07:17:00 -0800 (PST)
Received: from dooku.sandelman.ca (199-7-157-15.eng.wind.ca []) by relay.sandelman.ca (Postfix) with ESMTPS id 22BFE1F8FB for <anima-bootstrap@ietf.org>; Sat, 7 Jan 2017 15:16:58 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 075992593; Sat, 7 Jan 2017 23:56:15 +0900 (KST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima-bootstrap@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Sat, 07 Jan 2017 09:56:15 -0500
Message-ID: <17208.1483800975@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/YMSGRc5kSToia99pKZUPStNiig0>
Subject: [Anima-bootstrap] minor point about malware
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jan 2017 15:17:02 -0000

Max, we write:

>   In a "trust on first use" model, where
>   this threat is ignored, the attacker has an opportunity to install a
>   persistent malware component.

I wonder if we have confounded two things in this statement.
The process by which the pledge trusts the network operator (and therefore
provide super-user control and configuratoin credentials to the network) with
the process by which the pledge trusts new firmware updates.

I can see that for many devices that do not have signed software updates,
if an operator has configuation control, then they also have software
update control.  Even in the context of signed updates, if the choice
of update to run includes ability to run an old version with an exploit
that malware is possible.

I'm not sure what I want to do about the above statement, I am just
uncomfortable that we may be confusing some less technical readers into
believing that we solve problems we are not (and probably can not).

Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-