From: 'Liam Quin' [mailto:liam@w3.org]
>The point of XP is that the default
>home install lets you skip setting an Administrator password,
>without a good warning it seems, and enables file sharing.
Yes. There are issues of the design of the Microsoft platform
where the range of applications and application users is
perturbing the scale of application deployment. In English,
to make it as easy as possible, they have increased the
system vulnerability. That scale of deployment coupled
to the intrinsic TCP/IP vulnerability is a significant
factor in our shared pain.
>> That is the point and thanks. As long as the Internet design
>> is that flaky, it is risky to tie the certain systems
>> together with it. The WWW and the
>> press have to acknowledge this and to heck with the hindmost.
>We should work to make it more robust. But "mission critical"
>means something different to someone designing a nuclear bomb or
>a space rocket to bury WMDs on Mars :-) than it does to someone
>selling argyle socks.
Right. The policy makers have to be aware. The situation map
looks ever more complex as more dimensions are added. Yet
at the root of the problem is the shared protocol and infrastructure.
If one starts looking at the complexity, one misses that there
is a shared root, a metaphorical zero point, and that solving
that should be the emphasis.
>> >Or disconnect the user and send a bill. That would get
>> >people setting Administrator passwords on their XP systems,
>> >and turning off file sharing, and being careful before
>> >clicking on attachments!
>>
>> I agree with part of that, but once again, you indulge
>> the witless part of the agenda: let's clobber Microsoft.
>> Let's distract the discussion by invoking the devil.
>No, I am not calling Microsoft the devil, Len - nor, I hope,
>am I being devoid of intelligence here ;-)
They might be. That just isn't the root of the problem. The
MS issues are distractions. One can make the fever go down
if MS and MS system users exhibit better behaviors, but my
exact point is that trying to solve this problem by promoting
better social behavior is a more complicated solution than
addressing the root cause.
>> XP systems are vulnerable but so are Linux
>> systems. So are Unix systems. So are Solaris systems.
>I happen not to like some of Microsoft's (past) business practices,
>I happen not to like some of SCO's (current) business
>practices, but this is technical, not political.
I agree.
>It's a new class of vulnerability: the easy ability to
>install remote malicious software on massive numbers of
>computers sitting outside firewalls.
The vulnerability is the same as it has been since TCP/IP
became the dominant protocol. What we have now is an
environment emerging for various reasons that has enhanced
the vector opportunity (easy to do; gets done a lot).
>If the dominant OS were MacOS or Solaris, we'd need to push
>on Apple or Sun to be very responsive with such problems.
Yes. But again, that is the social aspect. The main point
is the system is vulnerable by design. Can that be fixed?
>> >The ISPs could go further and reject forged email. Then
>> >the current wave of email viruses and spam (and viruses
>> >that are used for spammers to send email) would go away.
>
>> But they have to look first and again, Gibson says such
>> forgeries aren't always detectable. Should we get rid
>> of anonymous accounts? XP could remove the raw sockets.
>The raw socket access was added as part of the antitrust
>settlement.
Wonderful.
>Forgeries *are* detectable at the ISP,
>because the ISP knows what IP their customer has at
>the end of that cable or ADSL or dialup connection,
>and hence an incoming packet saying it's from some IP
>not at the other end of that "leaf" connection is bogus
>and should be dropped. In the same way, mail claiming
>to be sent from some other ISP is clearly forged.
Ok. I'll review the Gibson article.
>This doesn't affect people using HTML mail services such
>as hotmail, but only outgoing SMTP connections, which
>some ISPs already disallow, thankfully.
Ok.
>> The W3C priorities should reflect the immediate realities
>> and needs. What is the mandate of the consortium?
>"To lead the Web to its full potential"...
Yep.
>Note, however, that TCP/IP and email are not within the mandate
>of the W3C - they are IETF specs. Go beat up on the IETF :-)
One can't. They are decentralized. They route around damage
or blame.
>Joking aside, I've been wondering for a while if this is an
>area where W3C could write up vendor-neutral white papers that
>may help legislators around the world. But we don't have a
>lot of resources to do such work, unfortunately.
Hmm. Well, a lot of folks sit on this list and others that
have Beltway clout. One can always hope this thread is
opening their eyes and their wallets.
Thanks Liam. Most productive.
I just sat through a demonstration of an undiscovered backdoor
that affects a hairy host of systems (not Internet related).
The unknowns of these things are bad in the complex issues,
but the really simple ones bite bad. They are easy to fix
but a pain to find.
len
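
The leaf-connection check quoted in the thread above (the ISP knows which address it assigned to each customer line, so a packet claiming any other source is dropped), as an added example that is not part of the original message. The port names, the assignment table and the sample packets are constructed for illustration, and it covers only the packet-level check, not the mail case.

```python
import ipaddress

# Hypothetical ISP state: access port -> prefix assigned to that customer.
# All addresses are from the RFC 5737 documentation ranges (constructed).
ASSIGNED = {
    "dsl-0017": ipaddress.ip_network("192.0.2.16/32"),
    "cable-0042": ipaddress.ip_network("198.51.100.8/29"),
}

def check_source(port, src_ip):
    """Return (verdict, reason) for a packet arriving on a customer port."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop", "unparseable source address"
    prefix = ASSIGNED.get(port)
    if prefix is None:
        # Fail closed: a line with no known assignment cannot be validated.
        return "drop", "no assignment known for port"
    if src.version != prefix.version or src not in prefix:
        return "drop", f"source {src} not in {prefix} assigned to {port}"
    return "forward", "source matches assignment"

def filter_packets(packets):
    """Split packets into those forwarded and a log of those dropped."""
    forwarded, dropped = [], []
    for pkt in packets:
        verdict, reason = check_source(pkt["port"], pkt["src"])
        target = forwarded if verdict == "forward" else dropped
        target.append({**pkt, "reason": reason})
    return forwarded, dropped

# Constructed sample traffic as seen at the ISP edge.
SAMPLE = [
    {"port": "dsl-0017", "src": "192.0.2.16"},       # customer's own address
    {"port": "dsl-0017", "src": "203.0.113.5"},      # forged source
    {"port": "cable-0042", "src": "198.51.100.10"},  # inside assigned /29
    {"port": "cable-0042", "src": "198.51.100.16"},  # just outside the /29
    {"port": "dsl-9999", "src": "192.0.2.16"},       # unknown line
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for pkt in bad:
        print(f"DROP {pkt['port']} {pkt['src']}: {pkt['reason']}")
    print(f"forwarded={len(ok)} dropped={len(bad)}")
```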