Re: [ga] Reliability of the Internet - the silent battle - part 2

[Thomas Roessler <roessler@does-not-exist.org>]

On 2001-11-07 03:04:31 -0800, Roeland Meyer wrote:

>I am sorry if it caused you concern. The DAT file, while not
>normally executable, shouldn't have been there. I thought my
>methods had removed it. My filters had already renamed it to the 
>DAT type, which is a non-executable type under windows, and I 
>manually deleted the attachment from the message. 

Whatever your filter did, it was only visible on your system.  Your 
message had an application/mixed attachment with a file name ending 
in .doc.com, which contained a 16-page word document at offset 
137216.


Of course, the problem you are trying to describe has nothing at all 
to do with attachments "as such": It's more about inappropriate 
interpretation of attachments in implementations, and about users 
who carelessly execute every program sent to them.  This leads, in 
turn, to software trying to second-guess malware, with all evil side 
effects this may have.


The problem is also (and, one may say, even more so) about using and 
being used to inappropriate data formats when transferring data. 
Word documents can contain macros, which can basically control a 
windows PC. That's a problem in any circumstance where such 
documents cross trust boundaries - be it, possibly, on local 
networks, be it on the web, or be it via e-mail. That is, making 
word documents available for download is in no way better than 
attaching them to e-mail messages.

The same argument does, of course, apply to any "active" content 
being spread on the net, including even HTML when clients on the 
receiving end are configured without paying attention to trust 
boundaries.  (With windows, you should possibly have another look at 
your Security Zones settings, and make sure that e-mail content is 
considered to come from some zone which has sufficiently paranoid 
security settings.)


This means that any data formats having "active" components are 
totally inappropriate when publishing information which is supposed 
to cross trust boundaries.  If you want to publish or spread large 
documents, use plain text (which is sufficient for most things), or 
use HTML or PDF (and hope that your correspondents either don't know 
about the possible dangers, or are using sufficiently safe viewers).


Concerning Peter de Blanc's "complaint" about Roeland's message, and 
the news item about f-prot being integrated with listserv which was 
forwarded by Danny: Filtering viruses and worms at mailing list 
distribution points is pointless, and a cosmetic "solution" _at_ 
_best_.  Because, either users rely on software which isn't 
susceptible to the worms and viruses generally distributed - in this 
case, filtering is unnecessary.  Or they are using software which is 
susceptible.  In this case, they are acting irresponsibly when not 
using local filtering solutions anyways.  In this case, central 
scanning will possibly delay infection (and learning of an important 
lesson) a bit - but such users will eventually be hit directly. That 
effect is nothing worth spending any money or effort for.


Thus, scanning for malware at list servers only helps to reduce 
bandwidth consumption (a bit), and it does of course help to cover 
up the fact that quite a few virus-scanning gateways are of so poor 
quality that they aren't even able to properly determine where to 
send an error message.


-- 
Thomas Roessler                        http://log.does-not-exist.org/
--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html