Mail Bag

Monday, December 15, 1997

Date: Mon, 15 Dec 1997 07:44:27 +1100
From: Derek Murphy
Subject: Quake2 DLL Security Issues

I read with interest your comments about Quake2 DLL security and projects like OpenQuake to verify the contents of such DLLs and provide CRCs etc.

I suspect it's all a moot point anyway. How many executable programs did you download today off the Net, unzip & then run? I bet there was at least one! And that one program could have been something malicious (pretending to be something useful) that blew away your hard drive.

Somehow - I don't think a malicious DLL is going to get too far around the net before it's been detected and taken away. No-one will ever trust that author again and problem solved. The point here is that the first time you ever run a new program, you are placing a trust in the author of said program. You don't know what the hell a new program is going to do before you run it and have a look.

Let's suppose I sent you a program attached to this email that claimed to be a "written from scratch" OpenGL driver for 3dfx that had a 50% speed increase over the current miniport. I'd bet you would run it - if for no other reason than curiosity and the hope that such a claim might possibly be true! When you run it, BOOM, I got ya. But now you know not to pass this program around because it killed your system.

This is the same for any new program you download off the Net, whether it be a graphics driver, Quake2 DLL or some other type of program.

Anyway, just my 2c worth to show that people already place a large amount of trust in software authors by downloading and running stuff off the Net right now. Some new mechanism for verification of Quake2 DLLs seems pointless to me.

Murf
