
   RE: [xml-dev] Re: Can A Web Site Be Reliably Defended Against DoS Attack



From: 'Liam Quin' [mailto:liam@w3.org]

>The point of XP is that the default
>home install lets you skip setting an Administrator password,
>without a good warning it seems, and enables file sharing.

Yes.  There are issues of the design of the Microsoft platform 
where the range of applications and application users is 
perturbing the scale of application deployment.  In English, 
to make it as easy as possible, they have increased the 
system vulnerability.  That scale of deployment coupled 
to the intrinsic TCP/IP vulnerability is a significant 
factor in our shared pain.

>> That is the point and thanks.  As long as the Internet design 
>> is that flaky, it is risky to tie the certain systems 
>> together with it.   The WWW and the 
>> press have to acknowledge this and to heck with the hindmost.

>We should work to make it more robust.  But "mission critical"
>means something different to someone designing a nuclear bomb or
>a space rocket to bury WMDs on Mars :-) than it does to someone
>selling argyle socks.

Right.  The policy makers have to be aware.  The situation map 
looks ever more complex as more dimensions are added.  Yet 
at the root of the problem is the shared protocol and infrastructure. 

If one starts looking at the complexity, one misses that there 
is a shared root, a metaphorical zero point, and that solving 
that should be the emphasis.

>> >Or disconnect the user and send a bill.  That would get
>> >people setting Administrator passwords on their XP systems,
>> >and turning off file sharing, and being careful before
>> >clicking on attachments!
>> 
>> I agree with part of that, but once again, you indulge 
>> the witless part of the agenda:  let's clobber Microsoft.
>> Let's distract the discussion by invoking the devil.

>No, I am not calling Microsoft the devil, Len - nor, I hope,
>am I being devoid of intelligence here ;-)

They might be.  That just isn't the root of the problem.  The 
MS issues are distractions.  One can make the fever go down 
if MS and MS system users exhibit better behaviors, but my 
exact point is that trying to solve this problem by promoting 
better social behavior is a more complicated solution than 
addressing the root cause. 

>> XP systems are vulnerable but so are Linux 
>> systems.  So are Unix systems.  So are Solaris systems. 

>I happen not to like some of Microsoft's (past) business practices,
>I happen not to like some of SCO's (current) business
>practices, but this is technical, not political.

I agree.

>It's a new class of vulnerability: the easy ability to
>install remote malicious software on massive numbers of
>computers sitting outside firewalls.

The vulnerability is the same as it has been since TCP/IP 
became the dominant protocol.   What we have now is an 
environment emerging for various reasons that has enhanced 
the vector opportunity (easy to do; gets done a lot).

>If the dominant OS were MacOS or Solaris, we'd need to push
>on Apple or Sun to be very responsive with such problems.

Yes.  But again, that is the social aspect.  The main point 
is the system is vulnerable by design.  Can that be fixed?

>> >The ISPs could go further and reject forged email.  Then
>> >the current wave of email viruses and spam (and viruses
>> >that are used for spammers to send email) would go away.
> 
>> But they have to look first and again, Gibson says such 
>> forgeries aren't always detectable.  Should we get rid 
>> of anonymous accounts?  XP could remove the raw sockets.

>The raw socket access was added as part of the antitrust
>settlement.  

Wonderful.

>Forgeries *are* detectable at the ISP,
>because the ISP knows what IP their customer has at
>the end of that cable or ADSL or dialup connection,
>and hence an incoming packet saying it's from some IP
>not at the other end of that "leaf" connection is bogus
>and should be dropped.  In the same way, mail claiming
>to be sent from some other ISP is clearly forged.

Ok.  I'll review the Gibson article.

>This doesn't affect people using HTML mail services such
>as hotmail, but only outgoing SMTP connections, which
>some ISPs already disallow, thankfully.

Ok.

>> The W3C priorities should reflect the immediate realities 
>> and needs.  What is the mandate of the consortium?

>"To lead the Web to its full potential"...

Yep.

>Note, however, that TCP/IP and email are not within the mandate
>of the W3C - they are IETF specs.  Go beat up on the IETF :-)

One can't.  They are decentralized.  They route around damage 
or blame.

>Joking aside, I've been wondering for a while if this is an
>area where W3C could write up vendor-neutral white papers that
>may help legislators around the world.  But we don't have a
>lot of resources to do such work, unfortunately.

Hmm.  Well, a lot of folks sit on this list and others that 
have Beltway clout.  One can always hope this thread is 
opening their eyes and their wallets.

Thanks Liam.  Most productive.

I just sat through a demonstration of an undiscovered backdoor 
that affects a hairy host of systems (not Internet related). 
The unknowns of these things are bad in the complex issues, 
but the really simple ones bite bad.  They are easy to fix 
but a pain to find.

len
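
The source-address check described in the quoted text above (an ISP dropping any packet whose source IP is not the one assigned to that "leaf" connection), sketched as an added example that is not part of the original message. The port names, prefixes and packets are constructed, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed provisioning table (documentation address ranges): access port
# -> prefixes the ISP assigned to the customer on that leaf connection.
ASSIGNED = {
    "dsl-0/1": ["203.0.113.17/32"],
    "cable-2/7": ["198.51.100.64/29", "2001:db8:42::/48"],
}

# Constructed sample traffic: (ingress port, claimed source, destination).
PACKETS = [
    ("dsl-0/1", "203.0.113.17", "192.0.2.80"),     # legitimate
    ("dsl-0/1", "198.51.100.66", "192.0.2.80"),    # a neighbour's address
    ("dsl-0/1", "10.1.2.3", "192.0.2.80"),         # private source
    ("cable-2/7", "198.51.100.70", "192.0.2.25"),  # inside the routed /29
    ("cable-2/7", "2001:db8:42::9", "2001:db8::25"),
    ("cable-2/7", "198.51.100.72", "192.0.2.25"),  # just outside the /29
    ("dsl-9/9", "203.0.113.17", "192.0.2.80"),     # port not provisioned
    ("dsl-0/1", "not-an-ip", "192.0.2.80"),        # malformed source
]

def build_table(assigned):
    """Parse prefix strings once so the per-packet check is a membership test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def source_allowed(table, port, src):
    """True only if src is an address assigned to the customer on this port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: drop
    # Unknown ports have no assigned prefixes, so they fail closed.
    return any(addr.version == net.version and addr in net
               for net in table.get(port, []))

def filter_packets(table, packets):
    """Split traffic into forwarded packets and per-port drop counts."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if source_allowed(table, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1  # a rising count points at a suspect host
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drops = filter_packets(build_table(ASSIGNED), PACKETS)
    print(len(fwd), "forwarded;", dict(drops))
```

The per-port drop counter is the part an operator would watch: a customer port that keeps emitting packets with sources it was never assigned is a candidate for the follow-up the thread discusses.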




 


Copyright 2001 XML.org. This site is hosted by OASIS