Read one? Dude, I can't even *spell* EULA. Oh, wait... Anyway, I guess we
have different auditors... Before I joined Anchor, I had a private
development company. My base included financial/banking institutions-- I
designed varied algorithms to calculate finance rates, verify disclosed
rates against "true" rates (as dictated by Appendix J of the FTC's Reg Z
documentation), balloon payments, mid-term rates based on odd-days before
first payment and all kinds of other crap that made my head hurt... I then
wrote the code that integrated said algorithms into various applications as
well as standalone apps.
Never once was I asked to provide file hashes for my executables, even from
the auditors. They did, however, require sit-down audits with me and the
source code to verify my math theory, implementation, and exception
handling...
So I guess we just have two different viewpoints - from mine, any audit that
uses a file hash to verify operational integrity is worth about as much as
hen poop on a pump handle. ;)
t
http://www.ISAserver.org
True, but have you ever read a EULA? Basically it says that a bunch of monkeys could have banged on the keyboard and accidentally had it compile into a program and that they aren't liable if it makes your computer start on fire.
The integrity of the bits is all an auditor cares about, since there is no warranty as to what the software does, if anything at all. If it can prove that the software on the disk that I have is what Microsoft says it should be, then it's good enough. It's the software's fingerprint, nothing more, nothing less. Right now, I can't even be sure it's the correct software that they are referencing. If I don't know that, then what it does is a moot point.
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, October 05, 2005 10:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating
Good point.
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, October 05, 2005 10:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating
I'm not so sure... If the true concern is surviving an audit, a published file hash is worthless, really. I can publish the hash of any of my Hammer o' God tools, but unless you have the source code and compile it yourself, you have no way of knowing what I'm really doing in my code when you run it. The presence (or absence) of a hash has nothing to do with the integrity of a tool's operation, purpose, or effect - it's only the integrity of the bits.
t
----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, October 05, 2005 6:58 AM
Subject: [isalist] RE: ISA get EAL4+ rating
Good point.
Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls
________________________________
From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx]
Sent: Wednesday, October 05, 2005 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating
That Integrity Check Tool is a joke. Where's the published known good file hash for me to verify that it has not been tampered with before I downloaded it? Sure as heck isn't on the web page that you can download it from.
Using an unverified tool to verify another piece of software would have any auditor laughing at you pretty dang quick.... Just like a cashier at a store shouldn't be comparing the back of your credit card to your signature but to your state/government (hopefully checked and) issued ID, since anyone can sign a credit card after it's been mailed out.....
________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, October 04, 2005 10:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating
I did ;-P
Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls
________________________________
From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx]
Sent: Tuesday, October 04, 2005 9:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating
same to you :p
________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 5 October 2005 12:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating
Blog.
Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls
________________________________
From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx]
Sent: Tuesday, October 04, 2005 9:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA get EAL4+ rating
got a link?
________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 5 October 2005 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA get EAL4+ rating
'nuf said.
Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gmulholland@xxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx