[ILUG] Porting MyDoom to Linux
chris.higgins at darach.ie
Wed Feb 4 15:09:31 GMT 2004
On Wed, 4 Feb 2004 14:26:11 +0000
kevin lyda <kevin+dated+1076336775.0877ea at ie.suberic.net> wrote:
> On Wed, Feb 04, 2004 at 01:56:24PM +0000, Chris Higgins wrote:
> > True - but only because we see the difference between
> > data to be interpreted as a program, and data
> > to be interpreted by a program.
> if we want to discuss security seriously then yes, we have to make
> this distinction.
Do we? Are we not better to assume that 'untrusted' means
just that - and not attribute more or less trust based on
what we think the data is, isn't that one of the core problems
in the MS Outlook mail client - it trusts the file-type
information too much, and passes data onto a helper which
ignores the file type information and works it out for itself
and is then happy to act based on new information learned?
> provide the user with rope and wood, but don't
> supply them with a noose and gallows. yes, they can construct them,
> but they might also create a gazebo and hammock.
Or a pile of rope and wood :-)
> > If it's postscript, then 'viewing' amounts to 'executing untrusted
> > code'.
> yes, but as i said it was fuzzy.
Which is why I lean towards the 'untrusted' is 'untrusted' camp.
> it is possible for the interpreter
> to catch those malicious actions. something that isn't quite as easy
> if you just run straight binary code.
Yeah, but in the network world we put in firewalls to cut out
as much traffic as possible to help the end hosts in their job
filtering just the traffic that they have to.
Most firewalls are starting to look at content based filtering,
rather than just trusting that because it's port 80 it must be
WWW traffic. Why shouldn't the systems be doing the same thing?
(with the caveats that we don't want the MUA virus checking
the mail before it passes it to the virus checker)
> > That kinda puts most of the useful attachments into the 'beyond'
> > camp (if I understand your inside/outside boundary)
> again, perhaps i'm looking at this from a different perspective. this
> isn't "end-user." i'm more interested in what mua and distro people
> are doing. as linux users we should push distro makers to consider
> these concerns - the same way people pushed the distro makers to make
> installs more secure out of the box.
No problem here - but I try to make sure that I use my linux box
to do work as well, and that involves being the 'end-user', and
admin'ing a couple of machines for our office end users.
> i assume with the gui apps that the helpers are probably in
Sylpheed processes a minority of the attachments itself, but
farms the rest out to metamail as its helper.
> and it seems to me that linux has easier vulnerabilities than the mua
> anyway. the slapper (thanks paulj/rick) worm exploited apache (and
> some of its helpers), and the mta has always been a fun target in the
> linux/unix world.
Your points are valid, I'm not trying to disagree with you - I just
prefer to see systems make firm decisions on what they know to be
true - rather than code in assumptions based on what 'might/should'
be true. So I see 'untrusted' as nothing other than 'dangerous'
until it has been properly parsed by a tool which is 'scared'
of the input data at all times. (I don't like being
anthropomorphic towards the machines, but sometimes I feel
they get annoyed if you aren't :-)
> kevin at ie.suberic.net ....... financial math: if bill gates & 10,000
> homeless http://ie.suberic.net/~kevin/cgi-bin/blog .. guys are in a
> room, the average net worth of each of them is over $1,000,000. now,
> why do you care what the average bush tax "cut" was again? ...........
Chris Higgins Cisco Learning Partner
Darach Technology Ltd tel: +353-1-6204370
email: chris.higgins at darach.ie fax: +353-1-6204371
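
The failure mode described in this message (a mail client trusting the declared file type while the helper works the type out for itself) can be checked for before any helper is invoked. The Python below is an added example, not code from this thread or from any MUA mentioned in it; the magic-byte table, function names and sample message are all constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, non-exhaustive magic-byte table (assumption for this example).
MAGIC = [
    (b"MZ", "application/x-msdownload"),
    (b"\x7fELF", "application/x-executable"),
    (b"%!PS", "application/postscript"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

def sniff(data):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def audit_attachments(raw):
    """Compare each attachment's declared Content-Type with its sniffed type."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()
        sniffed = sniff(part.get_payload(decode=True) or b"")
        if sniffed is None:
            verdict = "unknown"      # cannot confirm the label: do not dispatch
        elif sniffed != declared:
            verdict = "mismatch"     # label and content disagree: do not dispatch
        else:
            # The label is honest, nothing more: PostScript that really is
            # PostScript is still untrusted code for the helper to execute.
            verdict = "consistent"
        report.append((part.get_filename(), declared, sniffed, verdict))
    return report

def build_sample():
    """Constructed test message: three attachments with made-up contents."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00\x03", maintype="image", subtype="jpeg", filename="photo.jpg")
    m.add_attachment(b"%!PS-Adobe-3.0\n", maintype="application", subtype="postscript", filename="doc.ps")
    m.add_attachment(b"\x00\x01\x02\x03", maintype="application", subtype="octet-stream", filename="notes.bin")
    return m.as_bytes()
```

Only the "consistent" verdict tells the client that label and content agree; it says nothing about whether the content is safe to hand to a helper.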