Secure Coding mailing list archives
RE: Hypothetical design question
From: "Alun Jones" <alun () texis com>
Date: Wed, 28 Jan 2004 17:43:20 +0000
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paco Hope
Sent: Tuesday, January 27, 2004 6:55 PM

I hate to be all curmudgeonly about it, but my outlook on the whole thing is bleak. It's the OS that's broken, not the email client. Email is just a vector for getting attack code in that is ultimately attacking the OS. You can make the email client more resistant, but it doesn't address the real problem. If email isn't the easiest way to get attack code in, they'll find another way (maybe go back to macro viruses).
The problem is mostly to do with people. Does the current virus exploit any security flaws in software? Heck, no, and most don't. Let's face it, even if you take out the ability to click on an attachment to open it, or double-click, or whatever, as long as people can save it and run it, they will.

Perhaps you could solve it by designing an OS where only the administrator can install new code to run, but there's a significant cross-over between data and code. Is a VBScript file code or text? It depends on how you open it. In one instance, it's a text file, in another, it's interpreted and actions are taken, so it might as well be code. And that's without touching on things like buffer-overflow attacks that can turn even MP3 files into virus-carriers.

Perhaps the problem here comes from the email protocol itself, which insists on routing email without a shred of evidence proving identity of the sender, or approval by a human being?

Most email-borne viruses are based on exploiting flaws in humans, not in email clients or operating systems. Can you fix a flaw by writing code at some system other than the location of the flaw? No, it's a workaround. And we don't seem to be any better at eradicating the flaw itself.

My prediction - viruses will always be with us, especially while we treat them as a technological problem, and not a social one.

Alun.
~~~~
--
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.