RE: [ga] Reliability of the Internet - the silent battle - part 2

[Roeland Meyer <rmeyer@mhsc.com>]

|> From: Thomas Roessler [mailto:roessler@does-not-exist.org]
|> Sent: Wednesday, November 07, 2001 7:02 AM

|> Of course, the problem you are trying to describe has nothing at all 
|> to do with attachments "as such": It's more about inappropriate 
|> interpretation of attachments in implementations, and about users 
|> who carelessly execute every program sent to them.  This leads, in 
|> turn, to software trying to second-guess malware, with all evil side 
|> effects this may have.

That was a secondary side-issue that only came up because Peter was using
NAV, which only checks the email wrapper and not the actual payload. I now
have three trusted sources which confirmed that the payload was, in fact,
absent. I might further point out that only one of them was what I consider
an ally, another is a political opponent, and the third is undetermined.
But, all three are well-known systems adminstrators that presently run their
own systems. If anything, this indicates the fallacious methods used by
Norton Anti-Virus and their validity (Not!). Symantec has been chastised for
this before and their marketing department has posted some babble in defense
of their methods. This doesn't make them technically correct.

|> The problem is also (and, one may say, even more so) about using and 
|> being used to inappropriate data formats when transferring data. 
|> Word documents can contain macros, which can basically control a 
|> windows PC. That's a problem in any circumstance where such 
|> documents cross trust boundaries - be it, possibly, on local 
|> networks, be it on the web, or be it via e-mail. That is, making 
|> word documents available for download is in no way better than 
|> attaching them to e-mail messages.

I beg to differ. Whilst I agree about the inappropriateness of using Word
DOC files for general information distro. My reasons are quite different. A
virus-scanned word DOC file, on a known and trusted web-site, is quite safe
and not inherently evil, IMHO. However, for a lot of other reasons, I prefer
to convert such documents to PDF. This is especially true with collaborative
docs that have revision tracking turned on. From a user prespective, this
also increases the trust and PDF files, prior to Acrobat5, do not contain
any macros.

|> The same argument does, of course, apply to any "active" content 
|> being spread on the net, including even HTML when clients on the 
|> receiving end are configured without paying attention to trust 
|> boundaries.  (With windows, you should possibly have another look at 
|> your Security Zones settings, and make sure that e-mail content is 
|> considered to come from some zone which has sufficiently paranoid 
|> security settings.)

The problem is the completion or spread, of the distro. Many sites strip all
attachments from non-internal sources. I am not advocating that approach
myself (I prefer a more targeted approach). However, I am aware of many
sites that practice such methods. In such an environment, a document sent in
DOC format will not reach all of the intended recipients. That was, in fact,
my main point.

|> This means that any data formats having "active" components are 
|> totally inappropriate when publishing information which is supposed 
|> to cross trust boundaries.  If you want to publish or spread large 
|> documents, use plain text (which is sufficient for most things), or 
|> use HTML or PDF (and hope that your correspondents either don't know 
|> about the possible dangers, or are using sufficiently safe viewers).

The ethics behind your last perenthetical statement bothers me (I'll leave
the rest unsaid). However, for a lot of reasons having nothing to do with
security, and in spite of the fact that my Outlook/Exchange system processes
HTML quite well, I never send HTML mail and would prefer not to receive it.
I certainly avoid replying to it because quotations are such a PITA.

|> Concerning Peter de Blanc's "complaint" about Roeland's message, and 
|> the news item about f-prot being integrated with listserv which was 
|> forwarded by Danny: Filtering viruses and worms at mailing list 
|> distribution points is pointless, and a cosmetic "solution" _at_ 
|> _best_.  Because, either users rely on software which isn't 
|> susceptible to the worms and viruses generally distributed - in this 
|> case, filtering is unnecessary.  Or they are using software which is 
|> susceptible.  

I might agree with not scanning the list message attachments before they go
out to the list, on a posting controlled list. However, I most certainly do
NOT agree with placing unfiltered content on a public web-site. The address
"comments@icann.org" is available to anyone in an unfiltered fashion. There
are many word DOC files in that archive. I would wager that none of them are
even filtered for LUV-BUG macro virii. IMHO, they should be filtered.

|> In this case, they are acting irresponsibly when not 
|> using local filtering solutions anyways.  

A lot of folks reference "responsibility" in this context. The context
domain is so large that it is really irrelevent. MHSC end-users shouldn't
have to run client-side filters and they don't. Responsibility isn't the
issue here. Such filters are run on MHSC sendmail and MS-Exchange mail hubs,
before they ever see the message. Even then, some sites aren't filtered at
all. Rather, they are completely prevented from connecting in the first
place (vadmin.com, junhoo.com, etc). There are also a few /24's that aren't
even allowed past our routers, let alone into our mail hubs. 

End-users have neither the authority or training for that level of
filtering. Frankly, I would prefer business folks to continue doing what
they are paid to do and leave filtering to those that are getting paid to do
it. There are both division of labor and aggregate labor costing issues
here. Also, client-side filtering sometimes/often conflicts with local
server filters, resulting in total mail-delivery failures. Thereby, causing
more workload in the SysAdm department.

|> In this case, central scanning will possibly delay infection (and 
|> learning of an important lesson) a bit - but such users will 
|> eventually be hit directly. That effect is nothing worth spending 
|> any money or effort for.

I disagree that teaching end-users such lessons, in such a manner, is
cost/beneficial.

|> Thus, scanning for malware at list servers only helps to reduce 
|> bandwidth consumption (a bit), and it does of course help to cover 
|> up the fact that quite a few virus-scanning gateways are of so poor 
|> quality that they aren't even able to properly determine where to 
|> send an error message.

Quality is an issue of that organization. Poor quality sites tend to lose
viewership.

--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html