OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   RE: SOAP, plague, love

[ Lists Home | Date Index | Thread Index ]
  • From: Eldar Musayev <eldarm@microsoft.com>
  • To: xml-dev@xml.org
  • Date: Mon, 8 May 2000 10:07:10 -0700


 > -----Original Message-----
 > From: Ken MacLeod [mailto:ken@bitsko.slc.ut.us]
 > Sent: Saturday, May 06, 2000 7:30 AM

In fact I agree with a lot of what you said. Like:

 > > The latest worm is not about firewalls, but about human stupidity,
 > Good firewalls can filter out those.  What a firewall can filter out,

First, that's not exactly firewalls, that's intelligent mail gateways.
And yes, they must filter it out. And I completely agree with you
that vbs and js attachments in corporate environments should be just
filtered out at all. In some cases ANY executable attachment should be
because if you really need to transfer executable, you probably can zip it,
which also gives a victim (sorry, recipient) another chance to think, if 
he really wants to execute it.

But when I talk about human stupidity, the problem stays. The person
who runs unknown content from attachment can as easy download it from 
Internet or bring it on a floppy from home. Security holes are inevitable 
as long as there is human factor and useful function.

Continuing my autoindustry analogy, we cannot make highways safe
just by perfecting a car, we have to have traffic rules for that.
One of them on Internet is "Don't run unknown content", and a lot
of people would get the ticket last week.

 > > It may be good to be paranoid, when you are security admin and you
 > > have IT director or CEO nearby to kick you, if your paranoia starts
 > > to cost business, but it's certainly not good to share it with the
 > > whole world.
 > When it comes to a choice between known stronger Internet models and
 > known weaker Internet models, of course an admin, the IT 
 > director, and
 > CEO will go for the known stronger one.  But you're saying that if
 > something is known to be weak, but it's the most popular application
 > (Word, VBS), it's OK?

No, I am not. See:
 > > It may be good to be paranoid, when you are security admin and you

I agree, that it's a good idea to chop incoming executable content.

What I am saying is that:
 > > it's certainly not good to share it [paranoia] with the
 > > whole world.

When policeman in Texas thinks you look like a known criminal
he jumps out of car with a gun aimed at your head and say you to put 
hands on a wheel. Well, not nice, but it's probably his job.
But it's hardly appropriate for a journalist to propose that everybody 
should act like this. That's true for the work of a system admin as well.

 > Our local gas/electric utility's customer service locations were shut
 > down for this latest worm.  A policy of "we won't let in VBS or EXEs"
 > would be a good choice. Considering Word virii, a policy of "no Word
 > docs until Microsoft gives us a clear way of filtering macros" would
 > be good too. It's unfortunate Microsoft doesn't consider that an
 > issue.

I don't know about the last thing, I work for XML group, but as 
a former security expert with a good experience in this field, I can only
praise the measures you took. Yes, no executable content in attachments
is quite reasonable for corporate environments. I wonder why it did not 
become a common practice a long time ago.
But this does not argue with my point of view.

Best regards,

This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@xml.org&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS