"Cisco Release Of Goner Worm Raises Eyebrows" (Newsbytes)
Talk about a slow news day.

http://www.newsbytes.com/news/01/172978.html

--
Simon Lyall. | Newsmaster | Work: simon.lyall@ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon@darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
On Sat, 15 Dec 2001, Simon Lyall wrote:
> Talk about a slow news day.
> http://www.newsbytes.com/news/01/172978.html

He does bring up an interesting point though. Is there ANY legitimate reason to allow ANY file attachments through nanog ml? I can't imagine any legitimate reason for someone to send a file attachment to EVERY single nanog ml member. A URL pointer to a file would be far more appropriate.

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
On Fri, 14 Dec 2001 16:25:40 PST, "..." said:
> He does bring up an interesting point though. Is there ANY legitimate reason to allow ANY file attachments through nanog ml?

Yet another attack on multipart/signed. Geez. ;)

> I can't imagine any legitimate reason for someone to send a file attachment to EVERY single nanog ml member. A URL pointer to a file would

MIME attachments are not the problem. The problem is people who insist on using mail software that fails to address the security considerations of executable content.

Compounding the problem are people who insist on confusing "problems with executable MIME attachments" with "problems with all MIME attachments because one vendor ships a product that will execute anything that resembles ones and zeros more than my goldfish does".

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
Valdis.Kletnieks@vt.edu wrote:
> On Fri, 14 Dec 2001 16:25:40 PST, "..." said:
>> I can't imagine any legitimate reason for someone to send a file attachment to EVERY single nanog ml member. A URL pointer to a file would
> MIME attachments are not the problem.
> The problem is people who insist on using mail software that fails to address the security considerations of executable content.

Yes, but does nanog have the power to prohibit list users from using said mail agent? It does (should?) however, have the ability to drop/refuse attachments (possibly over a certain size) - like Mr. Li's 54Kb gift to the list.

Methinks there is more than one way to skin this cat - but that dropping sizable attachments is probably the path of least resistance - if the problem at hand is seen as keeping questionable email and their payloads off the list.

Now, on the other hand, if what you really want to do is change the world....... then maybe you're onto something. ;)
On Fri, 14 Dec 2001, ben hubbard wrote:
>> address the security considerations of executable content.
> Yes, but does nanog have the power to prohibit list users from using said mail agent?
> It does (should?) however, have the ability to drop/refuse attachments (possibly over a certain size) - like Mr. Li's 54Kb gift to the list.

A digital signature won't be more than a couple K in size, will it? Not that anyone here digitally signs their messages anyhow...

--
JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216
website: http://JustThe.net email: sjsobol@JustThe.net phone: 216.619.2NET
postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2
"Steven J. Sobol" wrote:
> On Fri, 14 Dec 2001, ben hubbard wrote:
>>> address the security considerations of executable content.
>> Yes, but does nanog have the power to prohibit list users from using said mail agent?
>> It does (should?) however, have the ability to drop/refuse attachments (possibly over a certain size) - like Mr. Li's 54Kb gift to the list.
> A digital signature won't be more than a couple K in size, will it?

I'd hope not - but thus the reason to drop only attachments over a certain size - (3k? 5k?) - to allow digital sigs, but can everything else. Of course, if someone's digital signature is larger than 5Kb.... I wouldn't mind dropping it anyway ;)

Or, possibly, just drop the "large" attachments, but allow the associated message?
On Fri, Dec 14, 2001 at 09:50:40PM -0500, sjsobol@JustThe.net said: [snip]
> A digital signature won't be more than a couple K in size, will it? Not that anyone here digitally signs their messages anyhow...

I beg to differ ... :)

> --
> JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216
> website: http://JustThe.net email: sjsobol@JustThe.net phone: 216.619.2NET
> postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery
GPG public key 0xCB33CCA7
illum oportet crescere me autem minui
On Fri, 14 Dec 2001, ben hubbard wrote:
> It does (should?) however, have the ability to drop/refuse attachments (possibly over a certain size) - like Mr. Li's 54Kb gift to the list.

Isn't it easier to stick a procmail recipe into the NANOG mail system dropping double extension files and other highly dangerous extensions, such as .scr, .lnk, .com, .dll, .pif and others???

Also, for a low volume server, this should be a good choice: http://www.impsec.org/email-tools/sanitizer-intro.html
On Sat, 15 Dec 2001 03:11:29 GMT, Hermann Wecke <hermann@rodeios.com> said:
> isn't it easier to stick a procmail recipe into the NANOG mail system dropping double extension files and other highly dangerous extensions, such as .scr, .lnk, .com, .dll, .pif and others???

Well.. that's closer than trying to restrict it based on size. It's still wrong though, because the filtering *should* be done based on the MIME type.

Of course, the whole *problem* here is that malware is able to wave its little digital arms, hop up and down, and say: "I'm a text/plain called whoops.exe - of course it's safe to run me, who ever heard of a malicious text/plain?!"

Personally, I'd recommend a controlled burn, except that we've been having one every 2 weeks already.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
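Added example (not part of any message in this thread, and not the NANOG list software): the three policies debated above, a size ceiling, an extension blocklist and the declared MIME type, applied to the same messages with Python's standard `email` module. The 5 KB ceiling, the signature MIME types, the function names and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# Extensions named in the thread, plus .exe from the "whoops.exe" remark.
BLOCKED_EXT = {".scr", ".lnk", ".com", ".dll", ".pif", ".exe"}
SIGNATURE_TYPES = {"application/pgp-signature", "application/pkcs7-signature"}
MAX_BYTES = 5 * 1024  # assumed ceiling, from the "3k? 5k?" suggestion

def check_part(part):
    """Return the reasons one MIME part would be refused (empty list = pass)."""
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    stem, ext = os.path.splitext(name)
    reasons = []
    if ext in BLOCKED_EXT:
        reasons.append("blocked-extension")
        if ctype.startswith("text/"):
            # Declared type says "harmless text", the name says "run me".
            reasons.append("type-name-mismatch")
    if ext and os.path.splitext(stem)[1]:
        reasons.append("double-extension")  # coarse: also hits x.tar.gz
    size = len(part.get_payload(decode=True) or b"")
    if name and ctype not in SIGNATURE_TYPES and size > MAX_BYTES:
        reasons.append("oversize")
    return reasons

def check_message(raw):
    """Map each refused attachment's filename to its list of reasons."""
    parts = [p for p in message_from_bytes(raw).walk() if not p.is_multipart()]
    return {p.get_filename(): r for p in parts if (r := check_part(p))}

def type_only_filter(raw):
    """For comparison: refuse parts on their declared MIME type alone."""
    return [p.get_filename() for p in message_from_bytes(raw).walk()
            if p.get_content_type() == "application/octet-stream"]

def sample(maintype, subtype, filename, body):
    """Build a constructed one-attachment message (not real list traffic)."""
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()

# Constructed samples: mislabelled executable, double extension, detached sig.
MISLABELLED = sample("text", "plain", "whoops.exe", b"MZ constructed bytes")
DOUBLE_EXT = sample("application", "octet-stream", "photo.jpg.pif", b"x" * 100)
SIGNED = sample("application", "pgp-signature", "signature.asc", b"s" * 600)
```

`check_message(MISLABELLED)` refuses `whoops.exe` on two counts while `type_only_filter(MISLABELLED)` returns nothing, which is the gap between declared type and filename that the preceding reply describes.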
On Fri, 14 Dec 2001, ... wrote:
> I can't imagine any legitimate reason for someone to send a file attachment to EVERY single nanog ml member. A URL pointer to a file would be far more appropriate.
RFC822 mail is more survivable than many other communication methods, such as telephone, web or ftp. One of the academics may be able to tell us why (or if) that is true. A few times a decade, distributing patches via e-mail has been an important method to reach system and network operators during network disruptions. RFC822 mail was used during the RTM worm attack, the BIND root change crash, and probably a few other times to get patches out when connectivity was iffy.
> Talk about a slow news day.

I find it hard to believe that someone managed to get that "story" past their editor - what a complete joke. Maybe they should be writing about how it's so totally ridiculous that email programs are able to do such things with attachments. If people want this problem to go away then they need to make some hard decisions about how things like MIME and attachments work, you can't have your cake and eat it folks.

Regards,
Neil.
--
Neil J. McRae - Alive and Kicking
neil@DOMINO.ORG
participants (9)
- ...
- ben hubbard
- Hermann Wecke
- neil@DOMINO.ORG
- Scott Francis
- Sean Donelan
- Simon Lyall
- Steven J. Sobol
- Valdis.Kletnieks@vt.edu