ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Asrg] 0. - General - Consent and SoBig

2003-08-23 19:29:38
from [Christopher Bird] [Permanent Link] 
Without having conducted focus groups, etc. I don't have anything other
than anecdotal evidence for the following:

People seem to want to "personalize" everthing they do. That goes for
choosing curtains, to "skins" on Cell phones to a,most all aspects of
their lives. Having a Dallas Cowboys faceplate on my phone doesn't make
it work any better or worse.

The need to express "individuality" and to control *something* seems
paramount.

The computing that people have at their fingertips at home is really
pretty daunting so it is nice to be able to have a small victory over
some aspect of it.

Many people don't really understand the implications of anything (even
obvious things like hot coffee will burn you), so why would we expect
them to understand things that are almost entirely conceptual, esoteric
and interesting to those of us who make our living in the IT field?

Many people pass chat scripts among themsellves so that they can exert
some superiority over their peers. "My script can do X, yours can't"
kinds of behaviors.

Much email does legitimately contain attachments - even HTML because of
the first couple of points above or as the old joke goes, "They can".

So, I don't believe it is just a manufacturer thing. People will behave
in unsafe fashions and use tools in ways that make those of us who
design tools cringe. My ex-wife used to open paint cans and stir the
contents with screwdrivers. I am sure the inventor of the screwdriver
did not expect this. However, it did a decent job. Ruined the
screwdriver, but managed the paint well.

The point of all of this is that if we expect "disease" to be brought
under control by defaulting the vectors in such a way that the "out of
the box behavior" prevents the disease then I fear we are mistaken. It
is the equivalent of the "Just say No" campaign to stop drug abuse (or
was it teen pregnancy, I forget which). People will indulge in risky
behavior for a variety of reasons, especially when they are unable to
visualize the impact of the risk on the population at large.

Rather than insert comments into the text, I have chosen to copy some
pieces of the conversation and address them here.

Right basic argument, but reaching the wrong conclusion.  

Most users will leave 
the default protections in place for most senders, only 
opening it up where 
needed.  Since *few* senders ever have need to send attachments (and 
particularly even fewer needing to send executable ones!) 
it's a safe bet that 
SoBig would have never achieved anything like this kind of 
wild success if the 
great majority of its propagating E-mails went directly into 
the bit bucket.


I think the previous writer is confusing need with want. For much of
what we do we perhaps need plain text. However for some of the reasons I
outlined earlier, we *want* to behave differently. Need is water. Want
is cola. We make more profit out of servicing wants than needs. The
commercial market place deals in wants not needs. So a "need based"
approach simply doesn't hold water. 

BTW it isn't just AOL users.......

I apologize for leaving the whole thread in (as follows) I wasn't sure
exactly what to snip.

Chris



-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] 
On 
Behalf Of gep2(_at_)terabites(_dot_)com
Sent: Saturday, August 23, 2003 8:55 PM
To: Brad Knowles; gep2(_at_)terabites(_dot_)com
Cc: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] 0. - General - Consent and SoBig



At 1:01 PM -0500 2003/08/23, gep2(_at_)terabites(_dot_)com wrote:

 Most of these recipients who allowed this worm to infect their  
computer probably would NOT have had authorized those senders  to 
send attachments at all, let alone EXECUTABLE attachments.



    I disagree.


That's mostly because you didn't pay attention to what I 
said, or didn't hear 
the discussion on these points here before.


If you have a consent framework system, and the
dominant monopoly application vendor chooses to default to turning 
off all security, 


Points:

  1)  If all the security is turned off, it doesn't matter 
what type there was 
or who turned it off... there's no security.  

  2)  I've always proposed as key elements of my suggested 
consent system that 
the default state (for unspecified senders) is to disallow 
HTML and to disallow 
attachments.  Recipients could turn enable HTML, and/or 
attachments, at their 
option FOR SPECIFIC INDIVIDUAL SENDERS (or sender domains) 
and probably also 
specifying WHICH classes of attachments they expect from any 
of those senders.

So if a user follows the "path of least resistance" they'll 
get only plain ASCII 
text E-mails, which are relatively easily handled by content filters.


by far the vast majority of users will leave it
that way.  Thus, they would remain vulnerable.


Right basic argument, but reaching the wrong conclusion.  
Most users will leave 
the default protections in place for most senders, only 
opening it up where 
needed.  Since *few* senders ever have need to send attachments (and 
particularly even fewer needing to send executable ones!) 
it's a safe bet that 
SoBig would have never achieved anything like this kind of 
wild success if the 
great majority of its propagating E-mails went directly into 
the bit bucket.


    This entire problem would have been a non-event even without a
consent framework system, if the dominant monopoly 

application vendor 

actually paid any attention whatsoever to the issue of security from 
a user perspective.


Actually, even if Outlook and IE and Windows were all 
"secure", I think one can 
fairly argue that there are 'enough' clueness users of AOL's 
insecure client 
software that there would still be a problem.  The consent 
framework, and 
default to removing (or better, intercepting entirely) HTML 
and attachments on a 
per-sender, per-addressee basis, really ought to be done at 
the ISP or domain 
provider level.

I fully agree that Microsoft has done some pretty stupid crap 
over the years, 
including enabling HTML by default, but a lot of other 
software suppliers aren't 
a whole lot better.


    A consent framework system is neither a necessary condition nor
sufficient, 


Nor is anything else, when you get right down to it.  If 
there were an obvious, 
100% watertight, 100% effective solution to these problems we 
wouldn't have to 
have this list and be discussing all these different ideas... 
the problem would 
have been fixed a long time ago.

But the consent framework that I proposed is still a simple, 
cost-effective, 
user-comprehensible, surprisingly effective system that will 
put a serious dent 
in BOTH spam AND malware, and moreover will do so in a way 
that is incrementally 
implementable and that offers a near-immediate payback to 
those who go to the 
effort to put it in.  That sounds to me like it covers a lot 
of the requisite 
bases, and while avoiding nearly all the 'headaches' and 
implementation barriers 
that most of these other systems we've proposed are afflicted with.


unless it is a fundamental requirement of the most basic
kind of operations.  


It ought to be offered by ISPs and domain providers, although 
interested 
individual users could still set it up, I'd think, if the 
programming for it 
were done appropriately.


However, such a system may be an enabler,
especially during a time of transition from an old system that 
doesn't use it to a new system where it is integral.


I don't think you're going to see a worldwide transition to a 
totally new E-mail 
framework anytime soon.  There are too many individual mail 
packages and too 
much 'integrated' stuff already out there which adhere to the 
current standard.


    However, to be truly effective, we have to make sure that we do
everything possible to create a system in which all possible 
implementations default to "secure" mode, as opposed to "insecure".


That's the intention for the Secure Computing Initiative, 
which is what 
Microsoft is calling their development effort.  

It wasn't all that long ago that Sendmail (et al) all 
defaulted to installing 
with open relays and such too, so it's not as if Microsoft is 
the only guilty 
party in this industry.  

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area 
Networking! Support the Anti-SPAM Amendment!  Join at 

http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they
"represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] US Spam patents: Partial list, Jed Margolin
Next by Date:  Re: [Asrg] 0. - General - Consent and SoBig, Kee Hinckley
Previous by Thread:  Re: [Asrg] 0. - General - Consent and SoBig, gep2
Next by Thread:  Re: [Asrg] 0. - General - Consent and SoBig, Brad Knowles
Indexes:  [Date] [Thread] [Top] [All Lists]