xml-dev - Re: [xml-dev] Can A Web Site Be Reliably Defended Against DoS Attacks?

Re: [xml-dev] Can A Web Site Be Reliably Defended Against DoS Attacks?

[ Lists Home | Date Index | Thread Index ]

To: Dare Obasanjo <dareo@microsoft.com>
Subject: Re: [xml-dev] Can A Web Site Be Reliably Defended Against DoS Attacks?
From: Alaric B Snell <alaric@alaric-snell.com>
Date: Wed, 04 Feb 2004 23:56:16 +0000
Cc: Rich Salz <rsalz@datapower.com>,"Bullard, Claude L (Len)" <clbullar@ingr.com>,jcowan@reutershealth.com, xml-dev@lists.xml.org
In-reply-to: <830178CE7378FC40BC6F1DDADCFDD1D1D51856@RED-MSG-31.redmond.corp.microsoft.com>
References: <830178CE7378FC40BC6F1DDADCFDD1D1D51856@RED-MSG-31.redmond.corp.microsoft.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030704 Debian/1.4-1

Dare Obasanjo wrote:
> That solution basically amounts to creating a user hostile system where users can't run applications unless allowed to by the system administrator.

Most large businesses want to create just precisely that!

 > As for the home user, I don't see how this ultra-cumbersome approach 
would even get off the ground let alone fly with the average IMing, 
music downloading teenager.
 > Even if you did all that they'd just go through all the steps and 
launch the application.

The problem is that applications can be launched without being 
installed. If there was no way of running executable code in an 
application other than having the attachment being a software package 
wrapped up in a distribution file format that was handled by a standard 
system app (like RPM or apt or whatever), so you had to say "yes I want 
to install this software" and so on, THEN actually go and run it, then 
people won't be fooled into thinking they're just opening a file. Which 
is what MyDoom tries.

Obviously, if somebody can install software on their machine - either 
the owners of the machine permit it, or they own the machine themselves 
- then they can always be socially engineered into installing and 
running arbitrary applications. But that's not what MyDoom has done. 
MyDoom is claiming that the attachment isn't an executable, because the 
action of opening a document is the same as the action of running an 
executable under so many GUIs!

On the command line, one is not so easily fooled. If an attachment 
claims to be Unicode text or whatever, you will save it them run:

emacs <filename>

If it asks you to directly execute the attachment with:

./<filename>

...the user might think "Why's that then?" :-)

> How many people would have believed that requiring a user to download
 > a zip file, unzip it's contents then launch the contained executable
 > would be a virus vector that would actually work let alone be one of 
the fastest spreading of all time?

The same people who thought that popping up those dialogs saying "This 
web page contains ActiveX controls signed by XYZ Corporation. Do you 
want to trust content signed by XYZ Corporation?" was a stupid idea :-)

ABS

References:
- RE: [xml-dev] Can A Web Site Be Reliably Defended Against DoS Att acks?
  - From: "Dare Obasanjo" <dareo@microsoft.com>

Prev by Date: RE: [xml-dev] Choose your RSS
Next by Date: RE: [xml-dev] Choose your RSS
Previous by thread: RE: [xml-dev] Can A Web Site Be Reliably Defended Against DoS Attacks?
Next by thread: Re: [xml-dev] Can A Web Site Be Reliably Defended Against DoS Attacks?
Index(es):
- Date
- Thread