November 2002 Archives

Glenn Vanderburg


Related link: http://www.microsoft.com/technet/security/bulletin/MS02-065.asp

There’s a new security hole in Microsoft software. An ActiveX control, supplied and signed by Microsoft, can run arbitrary programs on your computer. Microsoft has issued a fixed control, but there’s still a problem: sites can request the vulnerable version, and it will be fetched and reinstalled.

Microsoft’s solution: remove Microsoft from your list of trusted providers (if you ever put them there, that is).
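The reinstall problem described above comes down to a signature proving who published a file, not whether that file is still the one you should be running. The sketch below is an added example, not code from this post or from Microsoft: the package format, the control name, the versions and the function names are all hypothetical, and HMAC stands in for a real asymmetric code signature.

```python
import hashlib
import hmac

# Constructed demo key. Real code signing uses asymmetric signatures;
# HMAC is a stand-in so the sketch needs only the standard library.
PUBLISHER_KEY = b"constructed-demo-key"

def sign(name, version, payload):
    msg = f"{name}|{version}|".encode() + payload
    return hmac.new(PUBLISHER_KEY, msg, hashlib.sha256).hexdigest()

def make_package(name, version, payload):
    return {"name": name, "version": version, "payload": payload,
            "sig": sign(name, version, payload)}

def signature_ok(pkg):
    expected = sign(pkg["name"], pkg["version"], pkg["payload"])
    return hmac.compare_digest(expected, pkg["sig"])

def install_trusting_publisher(pkg):
    # Blanket publisher trust: anything ever signed is accepted forever.
    return signature_ok(pkg)

def install_with_rollback_check(pkg, installed, revoked):
    # A valid signature is necessary but not sufficient.
    if not signature_ok(pkg):
        return False
    if (pkg["name"], pkg["version"]) in revoked:
        return False  # publisher has withdrawn this build
    # Refuse to replace an installed build with an older one.
    return pkg["version"] >= installed.get(pkg["name"], (0, 0))

# Constructed sample data (hypothetical control name and versions).
OLD = make_package("demo_control", (1, 0), b"build with the hole")
FIXED = make_package("demo_control", (1, 1), b"patched build")
INSTALLED = {"demo_control": (1, 1)}
REVOKED = {("demo_control", (1, 0))}

if __name__ == "__main__":
    print("publisher trust accepts old build:", install_trusting_publisher(OLD))
    print("rollback check accepts old build: ",
          install_with_rollback_check(OLD, INSTALLED, REVOKED))
    print("rollback check accepts fixed build:",
          install_with_rollback_check(FIXED, INSTALLED, REVOKED))
```

The old build's signature never stops verifying, so only the revocation list and the version floor keep it from coming back.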

It’s tempting to just chortle at this, but it illustrates serious problems with the code-signing approach in general. Way back in January 1997 I wrote that the ActiveX security architecture wasn’t actually a security architecture; at best it’s a blame-assignment architecture. I believe that even more today.

I’ve worked on projects that do code signing. And there are big security holes in the whole process. Think about how organizations work. Too many people will have access to the signing key. Signing becomes part of the automated build process, and it stays there even if security audits fall by the wayside. (Assuming, of course, that there ever were security audits.) You have to be careful with trusting individuals. Why would you ever grant blanket trust to a corporate entity?

Ken Thompson was right. The problem of trust runs deeper than technology.

Glenn Vanderburg


I’ve been amazed at how well Google’s news service works. But no matter how good the technology is, occasional mistakes are inevitable when computer programs try to compile and correlate news headlines from lots of different sources. Today, some of the seams really showed.

In the “Top Stories” section at the top of the page, there’s always a subsection called “In the News” that contains a short list of topical links: topics that seem to be getting a lot of coverage, but haven’t made it to the prestige positions that include headlines and pictures. The links in “In the News” aren’t headlines. Instead, they’re topic keywords that have been extracted from the headlines by the Google software. Things like “Tel Aviv,” “Harry Potter,” and “NATO Summit.”

Today I noticed three topics in particular: “Our Man Flint,” “Magnificent Seven,” and “Academy Award.” It’s clear what’s going on there — news outlets are writing about the death of James Coburn, and Google is picking up on references to his achievements and most famous films in the headlines. But when I clicked on the topics, things got even more interesting.

The page for Our Man Flint was 10-for-10. All the stories were about Coburn. Academy Award was somewhat mixed, since there are other Oscar winners in the news this week.

But I was really surprised when I clicked the link for Magnificent Seven. Just looking at the first ten hits, I learned:

I don’t mean to take anything away from what Google has achieved. All things considered, it works amazingly well. And quite frankly, occasional strange juxtapositions like this can be good — they add an element of the serendipity that’s present in a real newspaper, where you can occasionally run across a fascinating article that you never would have looked for.

Think about it.
I’ll probably watch at least one of those Coburn movies on TCM Sunday night. The story about the horses was interesting, and I was surprised to learn that five years have gone by since the McCaughey septuplets were born. And it’s interesting that the producer of the film and one of its stars died during the same week.

I learned one more thing, too. All of those stories included the words “Magnificent Seven” — most of them in the headline. The name of the film has entered our language. That, in itself, says something about the legacies of James Coburn and Marvin Mirisch.

Have you seen any intriguing seams in Google’s news service?