Sponsored By

Trust And Web Ad Services

Well-respected, highly secure Websites commonly infect the people who surf them. So if they are so secure, then why does this keep happening?

Gadi Evron

June 5, 2009

2 Min Read

Well-respected, highly secure Websites commonly infect the people who surf them. So if they are so secure, then why does this keep happening?In 1984, Ken Thompson, the co-inventor of Unix, wrote a paper for the ACM called "Reflections on Trusting Trust." In it, he stipulated how he could insert a backdoor into the compiler so that even if your code is safe, after being compiled it will get back-doored.

While his paper is about compilers, the concept is trust. How far can you trust anything? How far can what you trust, in turn, trust anything further down the line?

If you write your own programs, then you can be reasonably sure they have no backdoor. Do you also write your own compiler? How about the operating system? The motherboard? The CPU?

There's no end to trust. No matter how paranoid you are, eventually you have to take a leap of faith.

With Websites, this appears to be outsourced advertising services. Websites load these advertisements for their visitors, and often allow them to run dangerous JavaScript, to boot. When users get infected because they accessed your Website, you will be blamed, if not sued.

Much like with other types of partners, make sure you know what kind of content you will see, and what technology they will use. With some, perhaps you can limit their access to a simple jpeg image file. With others, perhaps you can push your liability onto them by asking for assurance on the content being benign.

Trust is what's at stake. How much you trust your content provider and other partners needs to be cleared ahead of time and verified later on.

In your contract, make sure liability is clear. If you choose to accept only jpeg image files, then verify that's what they really are, and then allow no other content. Remember, if you're not careful, it is your own face you will be defacing.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

About the Author(s)

Gadi Evron

CEO & Founder, Cymmetria, head of Israeli CERT, Chairman, Cyber Threat Intelligence Alliance

Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for his work in Internet security and global incident response, and considered the first botnet expert. Gadi was CISO for the Israeli government Internet operation, founder of the Israeli Government CERT and a research fellow at Tel Aviv University, working on cyber warfare projects. Gadi authored two books on information security, organizes global professional working groups, chairs worldwide conferences, and is a frequent lecturer.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights