RE: ACTIVEX, MICROSOFT, ACCESSIBILITY, AND THE POLITICAL STRUGGLE

From: Greg Lowney (greglo@microsoft.com)
Date: Thu May 16 1996 - 22:43:56 PDT


Brian, on Windows NT today it is possible to run applications that
watch keystrokes, simulate keystrokes, and do other things that would
normally constitute a security violation. The key is that not just any
application can do these things. You cannot accidentally load a trojan
horse which will capture your password, because applications that want
to do that kind of thing must be explicitly installed by the system
administrator and given permission to do them. Without that step, the
operating system functions to watch all keystrokes would simply fail.

This is also the solution to the dilemma of running accessibility aids.
If they do things that violate security, they must be installed by the
system administrator. (Of course, on a single-user workstation the
user is the administrator, but they would normally keep a separate
account for doing administrator tasks, to prevent them from
accidentally breaching security during normal operation.) And if you
think about it, this is not a big leap from what's already true in
other areas: a display driver, for example, inherently violates
security by monitoring all output to the screen, which is why only the
system administrator gets to install a new display driver.

As for security aspects of ActiveX technologies in general, I'll only
say that ActiveX Accessibility leverages several other ActiveX
technologies, but don't let the name fool you: they're not all the
same. If someday it were shown that ActiveX controls on web pages was
a bad thing, that would not have any effect on the ability to use
ActiveX Accessibility for cooperation between an application and an
accessibility aid on the same machine.

        Greg

----------
From: buhrow@lothlorien.nfbcal.org[SMTP:buhrow@lothlorien.nfbcal.org]
Sent: Tuesday, May 14, 1996 1:52 PM
To: Multiple recipients of list
Subject: ACTIVEX, MICROSOFT, ACCESSIBILITY, AND THE POLITICAL STRUGGLE

	Hello fellow research gurus. I don't know how many of you are
familiar with the ActiveX technology that Microsoft has been
developing. This technology is based upon their OLE (Object Linking
and Embedding) technology. Along with their off screen model, which is
currently being re-worked, this technology promises to make Windows 95,
NT, and Nashville accessible to blind and partially sighted users.
This technology, in its simplest form, is a collection of software
hooks that access technology vendors can use to access information
which is on the screen of the computer and present it to the blind
user. However, this technology is more powerful than that, allowing
software to probe the bowels of the operating system looking for
useful information, read files from the disks on which it is running,
and, I believe, launch helper applications to allow the access
application to take advantage of multi-media presentations to present
its information. In short, ActiveX is a powerful way of
programmatically accessing the operating system, and either extracting
information from it, or making it perform certain tasks.
	Most of you are also probably familiar with Java, that web-based
programming language developed by Sun Microsystems and which is touted
to be the only platform independent language in which the compiled
software can run on a variety of unrelated hardware. The idea is that
when one down-loads a web page, instead of the contents consisting of
HTML commands to manipulate the text which appears on the user's
screen, one gets a compiled collection of instructions which comprise
a web application which runs on the cpu where the browser is running.
Theoretically, this application can do anything that a standard
application can do. It can open files, print displays, drive printers,
launch applications, etc. Although Sun has tried to develop Java and
Java interpreters which secure the machines on which they run from
unwanted security breaches, several prominent university types have
pointed out that the very power of Java means that there will always
be some risk of unwanted activity from hostile applications. The
difference is, however, that because transmission and execution is so
transparent, and can happen as one surfs over a web page on his way to
something more interesting, the risk of infection is far greater than
it was with any disk based virus.
	Rather than talking about Java and ActiveX explicitly, however, I
would like to talk about one of the challenges of accessibility that
face us in this brave new era. This is the political challenge of
convincing potential employers, universities, government institutions,
and friends that it is in their best interest to install the ActiveX
accessibility tools and to configure their systems to allow access
tools free rein over the computing environment. I was reading a paper
yesterday in which the author asserted that the security problems of
Java were serious, but that they were nothing when compared with the
security implications of ActiveX. Because, as Sun says, the network is
the computer, and because many of the facilities these software hooks
use communicate using networking facilities inside the operating
system, many of the advantages an accessibility application gains by
running on the same machine as the productivity tool are available to
machines connected to the machine running ActiveX via the network.
Conversely, a well crafted application running on the ActiveX machine
could potentially launch attacks against other machines on the local
corporate network. If this machine is running ActiveX and Java, the
poor user could be giving away the company store as he or she searches
the web for the answer to some customer question.
	Another security implication of this technology is that if the
blind user needs to use a machine which also provides essential
services to a corporation, for the purpose of administering it, that
machine either has to be re-configured in such a way as to be
accessible during the time it is being used by the blind person, or it
has to be configured in an accessible manner all of the time. Neither
of these conditions is really desirable, either for the corporation,
or the blind user. For example, if the blind user has to go through a
twenty minute procedure to make the machine accessible in order to use
it, and a twenty minute procedure when he is finished, it would be
hard for him to argue that he could accomplish the same amount of work
in the same amount of time as a sighted user. However, if the machine
is always configured to be accessible, then there is an increased risk
of attack from an unwanted outside source.
	These issues are not new and are not limited to users who need
alternative access to computers, but to date, I have heard virtually
no discussion of the security issues surrounding access technology,
and what steps are to be taken to insure access while providing
adequate security. To give you a real life example of what I mean, let
me tell you about a small incident that took place during the Access
95 conference Microsoft put on last July and which many of you
attended. As many of you know, Microsoft is touting NT as its answer
to the business problem of providing services to many people with one
machine. If a machine is providing many services to many people, then
the operating system, NT, is responsible for insuring that users of a
particular service do not have access to information or applications
being used by other services unless access has been explicitly
granted. With this framework in mind, a programmer stepped up to the
podium of the conference last July and began talking about the steps
Microsoft was taking to make NT accessible. After he had been talking
for a while, one of the screen access vendors stopped him to ask him
if there was a global way of capturing input from the primary keyboard
of the machine. The programmer paused, then admitted that there was
indeed a way for an application to see everything that went by on the
computer's keyboard. Nothing more was said on the subject, but the
ramifications of that statement are far reaching when one considers
that the computer in question might be located in a secure area, where
administrators feel comfortable typing confidential information into
the machine, never knowing that an accessibility program running on
the machine is shuttling their keystrokes off to some industrious
hacker in the next building.
	I do not pretend to understand all of the nuances of this problem,
but I believe we, as blind technologists, need to understand the
implications of the technology being developed for our use, and what
needs to be done to make it secure. The last thing we want as blind
professionals is a technology which cannot be accepted in the
corporate world because it leaves all of the electronic doors unlocked
for any trespassers to stop in and have a look.
	I'd like to see some feedback on this topic, and to generate
discussion on how we might further this process.

-Brian


