RE: Our Own Worst Enemy?
Wow, ok, Mike, I'm glad I gave you a chance to let off some
steam... :-)
Perhaps my wording wasn't very good - what I meant was that if we
assume the list virus scanner is updated, most likely any virus
that passes it will also pass those on subscriber's organizations
virus scanners, and will therefore not fill up the list with
warnings from each of them, which is what Tony was pondering about.
I agree with you that limiting messages to plain text would do the
trick (well, maybe not, who knows what else is coming up...),
and on a list of this kind I see no problem with that, but I'm not
sure this is the correct forum to discuss it.
Ilan
-----Original Message-----
From: Michael H. Warfield [mailto:mhw@wittsend.com]
Sent: Tuesday, December 19, 2000 17:24
To: Ilan Shacham
Cc: 'Tony Bartoletti'; ietf-pkix@imc.org
Subject: Re: Our Own Worst Enemy?
On Tue, Dec 19, 2000 at 11:19:06AM +0200, Ilan Shacham wrote:
> True, But if the list engine included virus checking BEFORE sending
> the message to everyone in the list, we could solve this whole
> problem.
No...
<Minor Rant>
No offense but what level of reality did you just come down off of?
Virus checking HELPS (maybe) but it CAN'T "solve this whole
problem". It can not, and will not, even in principle. At worst, the
next time a virus slips through that it doesn't recognize or using
an encoding it doesn't recognize, people will naturally assume that it
must be OK since it passed the virus filters. (Been there, done that,
heard the sob stories.)
Repeat after me... Virus checking can NEVER prove something is
safe, it can GENERALLY indicate that something is PROBABLY dangerous
if not handled properly. The virus scanner at my office keeps pissing
me off because I have to routinely handle cybertoxins like this and it
keeps filtering them out. So they get zipped and encoded and encrypted
with all sorts of tricks to bypass the virus checker (HINT! HINT!). Since
I run Linux and never use a mail program that allows active content,
these things are pretty much safe for me to handle (And I want to thank
this list, I hadn't captured a sample of that macro worm yet. :-) )
On the mailing lists I run, we ban all HTML and most attachments,
PERIOD. Even with the virus scanner front end, it is impossible to
keep up with the thousands of new viruses that are coming out, even if
we updated our signature files daily (assuming the anti-virus vendors
were updating daily). The mailing lists get the double shield of blocking
any vehicle which can carry cybertoxins. Ok... Well... Maybe not any.
We don't shield you if you are still vulnerable to the old ANSI bomb,
but there are things that are just TOO old to worry about. :-)
Over the last year, we have had a half a dozen virus incidents,
in spite of having ingress filtering on Unix, egress filtering on Unix,
and mailbox scanning on Exchange with multiple different virus scanners
and virus scanners on the individual NT workstations with centrally
managed signature files.
The scanners are guaranteed to be always at least a little bit
out of date (look at how fast the "I love you" worm or explore.zip spread)
and the technology is not always well integrated (The virus scanner on
Exchange consistently falls behind the spread of the toxin when one gets
that far). When one of these incidents does occur, easily 2/3 of all
the victims fall back on the argument "well, I thought it was safe
because we have virus scanners, why did I get hit". "Well, $#@$#@#@ DUH!
Why did you open the $#@$# thing?"
It still remains a social problem and technology is not going
to protect fools who don't use common sense and run stupid shit. In
this case, stupid shit consists of the entire domain of active content
in E-Mail and their potential carrier vehicles.
Think about this now... The latest spammer trick is to send
out HTML E-Mail with a "web bug". That's a single pixel image that
points back to their web site. Drop one of those on a mailing list
and you find out where people are reading the mailing list on. You
also generally find out what their system type and browser type
is. Get them to retrieve it by anonymous ftp, and you can also
reap a lot of E-Mail addresses. Anyone who is reading E-Mail from a
mailing list with an HTML enabled reader or with active content enabled
or decided to just peek at that "greeting card" just out of curiosity,
is a DAMN FOOL.
No... Virus scanning is not the solution. At best it's a leaky
bandaid that will cover some fools and trick other fools into thinking
they are safe. Are the list managers then liable if their bandaid
doesn't cover what you think is enough and your system is corrupted by
something their filters let through?
Application Programmer's Saying: "Programming is a race between
Software Engineers who try to develop idiot proof programs and the
Universe which is trying to develop bigger and better idiots".
Software Engineer's Saying: "So far, the Universe is winning".
</Minor Rant>
If you want to do something effective then ban all mail on this list
containing HTML or HTML attachments, any Microsoft extensions (.doc, .exe,
.shs, .bat, .com, .xls...) or just plain block anything that is not
Mime type "plain/text" or simple text. Then you might have a start at
covering the majority of possibilities. It might even raise the quality
of the list. :-)
> Ilan
> -----Original Message-----
> From: Tony Bartoletti [mailto:azb@llnl.gov]
> Sent: Monday, December 18, 2000 21:41
> To: ietf-pkix@imc.org
> Subject: Our Own Worst Enemy?
>
>
> This is fascinating, and just a bit depressing.
>
> Simply email a virus to a public email discussion list, and watch it
> transform into a mailbox-choking spam attack as every subscribing
> organization's virus scanners echo their warnings back to the list.
>
> :(
>
> ___tony___
>
>
> Tony Bartoletti 925-422-3881 <azb@llnl.gov>
> Information Operations, Warfare and Assurance Center
> Lawrence Livermore National Laboratory
> Livermore, CA 94551-9900
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
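The list policy Mike sketches (reject HTML parts, reject attachments with the listed Microsoft extensions, accept only text/plain) is easy to express as a MIME walk. The following is an added example written for this archive, not code from either poster or from any list software; it assumes the "plain/text" in the message means the MIME type text/plain, and the sample messages and the function names (`check_message`, `build_*`) are constructed here for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions named in the thread; assumed to be a complete enough starting list.
BANNED_EXTENSIONS = {".doc", ".exe", ".shs", ".bat", ".com", ".xls"}


def check_message(raw: bytes) -> list[str]:
    """Return the list of policy violations found in a raw RFC 822 message.

    An empty list means the message passes: every leaf part is text/plain
    and no attachment carries a banned extension.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers (multipart/*) carry no payload themselves
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in BANNED_EXTENSIONS:
                reasons.append(f"banned attachment extension: {filename}")
        if ctype == "text/html":
            reasons.append("HTML part: text/html")
        elif ctype != "text/plain":
            reasons.append(f"non-text part: {ctype}")
    return reasons


def accept(raw: bytes) -> bool:
    """Moderator decision: True only when no violation was found."""
    return not check_message(raw)


# --- constructed sample messages (not real list traffic) -------------------

def build_plain() -> bytes:
    m = EmailMessage()
    m["Subject"] = "Re: Our Own Worst Enemy?"
    m.set_content("Plain text only, as the policy wants.")
    return m.as_bytes()


def build_html_alternative() -> bytes:
    # multipart/alternative with a text/html half containing a 1x1 image,
    # the "web bug" pattern described in the thread (host is a placeholder).
    m = EmailMessage()
    m["Subject"] = "Greeting card"
    m.set_content("You have a card waiting.")
    m.add_alternative(
        '<html><body><img src="http://tracker.invalid/p.gif" '
        'width="1" height="1"></body></html>',
        subtype="html",
    )
    return m.as_bytes()


def build_exe_attachment() -> bytes:
    m = EmailMessage()
    m["Subject"] = "Look at this"
    m.set_content("See attached.")
    # Constructed placeholder payload; only the filename matters to the filter.
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename="card.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for name, builder in [("plain", build_plain),
                          ("html", build_html_alternative),
                          ("exe", build_exe_attachment)]:
        print(name, "accepted" if accept(builder()) else check_message(builder()))
```

Because the check is on structure (content types and filenames) rather than on signatures, it does not go out of date the way a scanner's definitions do, which is the point Mike makes about the double shield.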