At 03:30 PM 6/23/2003 -0400, Barry Shein wrote:
On June 22, 2003 at 22:10 research(_at_)solidmatrix(_dot_)com (Yakov
Shafranovich) wrote:
> >Now, would it be possible to scan similarly for systems infected with
> >Jeem or one of the other spammer slave bugs?
> >
>
> This is something that Dshield.org is already doing - people are submitting
> their firewall logs, and when enough evidence accumulates that an infested
> computer is present, his ISP is informed.
>
> >Anyhow, this all starts with whether it's possible to write a piece of
> >software which begins to scan the net for infected systems? I don't
> >know enough about these specific viruses right now to answer that
> >question: Do they use hard to guess passwords? Do they give failure
> >indications on use of a bad passwd which identifies the infection, or
> >listen on a specific port, etc?
>
> I do not know if such a scanner is possible since its behavior may be
> thought of as malicious since it will be using and scanning the same ports
> that viruses are.
[I chopped the above a little to try to get to the meat]
I thought you said above that Dshield.org is already doing something
like this? Or did I misunderstand?
Sorry about being confusing. DShield.org collects data from PASSIVE sources
such as firewalls detecting attacks. What you were proposing is an ACTIVE
scanner, one that actually goes ahead looking for security holes and viruses.
> >Maybe we should also issue an RFC that simply says that the days of
> >computer, including personal and desktop computer, operating systems
> >being vulnerable to viruses (within some problem definition) should
> >have been over years ago via widely distributed and well-known
> >techniques utilized in highly successful and comparable operating
> >systems software.
> >
> >As such, any operating system which does not meet a minimum standard
> >of being viral resistant (obviously some detail is needed here) and is
> >connected to the internet is non-conformant to RFC XYZZY or however
> >that's usually worded and is a potential hazard to the net at large.
> >[..]
>
> And do we seriously think that Microsoft would care about some RFC? When
1. Is the criteria now that we should only propose work-product
(e.g., an RFC) which Microsoft approves or is likely to adhere
to?
Anything that is proposed in regards to operating systems and MUAs must
take into account the world's most used OS - Windows. Thus, Microsoft must
be taken into account. I have no problems with proposing solutions that
Microsoft is unlikely to approve - but then again they are unlikely to be
implemented.
2. Are there any other companies we should consider or only
Microsoft?
We should consider all manufacturers of operating systems including Apple
(Mac OS), Sun (Solaris), Linux, etc. We should also consider major MUA
manufacturers - Qualcomm (Eudora), Pine, etc. But historically the open
source community has been much better at following standards than
closed-source.
3. Or is the criteria you are now proposing that all companies (it
might affect) must be willing to adopt any work-product of this
group? So arguing (you don't really know what MS will do, do
you?) that just one company (in this case MS) might not adopt it
is grounds for rejection?
I am arguing that unless we know that Microsoft is willing to adopt our
proposal it would not have a high chance of success. However, I am
definitely not against such a proposal - just pointing out that it probably
would not be successful. And yes, you are correct I do not know what
Microsoft will do. However, their past history suggests that they will not
confirm.
> was the last time Microsoft cared about an Internet standard when it's not
> in their interest? Take the HTML example and the various related
1. How do you know what is in Microsoft's interest? Do you speak
for Microsoft?
I am basing this on their past history. But contacting Microsoft might
settle the issue.
2. Assuming you are correct, and you may well be, should we not
pursue the truth even if it's not entirely in Microsoft's
pecuniary interests?
We should proceed but we should take into account Microsoft's monopoly on
desktop OSes, and its near monopoly on MUAs (Outlook Express). Ways of
dealing with Windows/Outlook users should be taken into account.
3. Do any significant purchasers of MS (industry, govt) issue RFPs
which indicate that compliance with various RFCs form a minimum
criteria for a vendor to be considered?
I am not aware of any but it is a very good idea.
> discussions as to changing the default MUA behavior as per HTML. What might
> actually force Microsoft to make their OS more secure is increased
> competition from Linux and other Unixes.
Well, I don't know that I plan to "force" MS to do anything, in
particular via ASRG.
However, if it is true that a major source of spam is the exploitation
of viruses infecting vulnerable operating systems then it seems we
could, as a work-product, state that truth officially.
I agree with that, stating facts would help. One idea which I suggested in
another email, is perhaps creating an "Email Standards Project" similar to
the "Web Standards Project" (http://www.webstandards.org), to publicize
good email and anti-spam practices, perhaps combined with a collection of
anti-spam patches for popular MTAs and instructions for MUAs.
Even if it isn't in the best possible interest of Microsoft (something
which remains to be shown.)
I am basing this on their past history but I agree that we definitely do not
know for sure what Microsoft will do. The best thing would be to ask them
directly unless there is already a Microsoft representative lurking in
the group.
If it's true that this group is to be bounded by Microsoft's pecuniary
interests, as you claim, then I think we have a real problem.
When did the IETF become a subsidiary of Microsoft?
Unfortunately like any other standards body, industry support must be taken
into account. There are numerous examples of the industry creating their
own standards which might not be in other's best interest. Additionally,
Microsoft is part of a separate anti-spam consortium with AOL and others,
and might not be interested in ASRG or the IETF.
The IETF is not a subsidiary of Microsoft nor will it ever be. But unless
we have a clear way to somehow communicate with MS or are able to influence
them into accepting IETF standards, life will not be easy for IETF.
Yakov