Secure Coding mailing list archives

RE: Hypothetical design question


From: "Alun Jones" <alun () texis com>
Date: Wed, 28 Jan 2004 17:43:20 +0000

-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Paco Hope
Sent: Tuesday, January 27, 2004 6:55 PM

I hate to be all curmudgeonly about it, but my outlook on the whole thing is
bleak. It's the OS that's broken, not the email client. Email is just a
vector for getting attack code in that is ultimately attacking the OS. You
can make the email client more resistant, but it doesn't address the real
problem. If email isn't the easiest way to get attack code in, they'll find
another way (maybe go back to macro viruses).

The problem is mostly to do with people.  Does the current virus exploit any
security flaws in software?  Heck, no, and most don't.  Let's face it, even
if you take out the ability to click on an attachment to open it, or
double-click, or whatever, as long as people can save it and run it, they
will.

Perhaps you could solve it by designing an OS where only the administrator
can install new code to run, but there's a significant cross-over between
data and code.  Is a VBScript file code or text?  It depends on how you open
it.  In one instance, it's a text file, in another, it's interpreted and
actions are taken, so it might as well be code.  And that's without touching
on things like buffer-overflow attacks that can turn even MP3 files into
virus-carriers.

Perhaps the problem here comes from the email protocol itself, which insists
on routing email without a shred of evidence proving identity of the sender,
or approval by a human being?

Most email-borne viruses are based on exploiting flaws in humans, not in
email clients or operating systems.  Can you fix a flaw by writing code at
some system other than the location of the flaw?  No, it's a workaround.
And we don't seem to be any better at eradicating the flaw itself.  My
prediction - viruses will always be with us, especially while we treat them
as a technological problem, and not a social one.

Alun.
~~~~
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
