   Re: SOAP, plague, love

  • From: Ken MacLeod <ken@bitsko.slc.ut.us>
  • To: <xml-dev@xml.org>
  • Date: 06 May 2000 09:30:06 -0500

Eldar Musayev <eldarm@microsoft.com> writes:

> I don't understand why we give so much attention to this article.
> 
> First, the guy does not completely understand what he is writing about.
> The latest worm is not about firewalls, but about human stupidity:
> .vbs files are executable just like .exe files, and I wonder how many people
> would double-click an .exe file?

Good firewalls can filter out those.  What a firewall can filter out,
users don't have to worry about.  So it _is_, in fact, about firewalls
too.  Mail/HTTP virus sniffers are also part of a firewall strategy,
but shouldn't have been necessary in this case (simply chopping out a
vbs/exe from an attachment).

I'm aware of several sites that were not hit by this worm _because_ of
their firewalls.

> Probably mail programs should ask if you really want to execute the
> attachment, just like browsers do when you click some link to a
> non-HTML file on the Internet, and I wonder why this feature was not
> implemented a long time ago (this is not just Outlook, but other
> modern mail agents too).

That too, of course.  For those people who aren't behind good
firewalls.

> As to SOAP as a back door, excuse me... That's just CGI (well,
> servlet, ASP, whatever...). It does exactly what you want and your
> only concern is to provide it only to whom you want.  Of course, CGI
> may be made insecure, is CORBA better? I don't think so.  If SOAP
> server should serve only intranet, use non-standard port, if not,
> CORBA will do the same.

(My other post points out the CGI similarity and the associated
liability.)

There are alternatives to exposing all sorts of brand new
applications.  The general idea is: the fewer _unique_ services
(protocols, data formats) you expose, the less likely to have security
issues.

So, instead of exposing twenty unique application APIs on your server,
use a single data storage API (HTTP with static data, restricted SQL,
Java/Linda/Tuple-Spaces, etc., whatever you prefer) and build your
clients and backend processes around that.  Now you only have one
application to assess.

> It may be good to be paranoid, when you are security admin and you
> have IT director or CEO nearby to kick you, if your paranoia starts
> to cost business, but it's certainly not good to share it with the
> whole world.

When it comes to a choice between known stronger Internet models and
known weaker Internet models, of course an admin, the IT director, and
CEO will go for the known stronger one.  But you're saying that if
something is known to be weak, but it's the most popular application
(Word, VBS), it's OK?

Our local gas/electric utility's customer service locations were shut
down for this latest worm.  A policy of "we won't let in VBS or EXEs"
would be a good choice.  Considering Word virii, a policy of "no Word
docs until Microsoft gives us a clear way of filtering macros" would
be good too.  It's unfortunate Microsoft doesn't consider that an
issue.

  -- Ken

***************************************************************************
This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@xml.org&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/
***************************************************************************
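The gateway policy argued for above ("simply chopping out a vbs/exe from an attachment") can be implemented with the standard library's MIME parser. This is an added illustration, not code from the list or from either poster; the sample message, the two attachment names and the blocked-extension set are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the post proposes refusing at the mail gateway (assumed set).
BLOCKED_EXTENSIONS = {".vbs", ".exe"}

def is_blocked_attachment(part: EmailMessage) -> bool:
    """True if the part's filename ends in a blocked extension.
    The comparison is case-insensitive, so 'SCRIPT.VBS' is caught too."""
    filename = part.get_filename()
    if not filename:
        return False
    lowered = filename.strip().lower()
    return any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS)

def strip_executable_attachments(msg: EmailMessage) -> list[str]:
    """Remove blocked parts in place, recursing into nested multiparts.
    Returns the filenames that were dropped so the gateway can log them."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.iter_parts():
        if is_blocked_attachment(part):
            removed.append(part.get_filename())
            continue
        removed.extend(strip_executable_attachments(part))
        kept.append(part)
    msg.set_payload(kept)
    return removed

def filter_raw_message(raw: bytes) -> tuple[bytes, list[str]]:
    """Parse an RFC 822 message, apply the policy, re-serialise it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = strip_executable_attachments(msg)
    return msg.as_bytes(), removed

def attachment_names(raw: bytes) -> list[str]:
    """Filenames of every part carrying a filename, in message order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample_message() -> bytes:
    """Constructed test input: one inert .VBS attachment and one text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"inert placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="script.VBS")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()
```

The filter keys only on the final extension of the declared filename, which is exactly the policy the post describes; a gateway that also needs to catch mislabelled content would have to inspect the payload rather than the name.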