ietf-asrg

Re: [Asrg] SICS

2005-01-03 18:03:31
[zombies]

In order for it to eliminate zombies, it has to be implemented by
_everybody else_.  That's not going to happen.

Well, yes and no.

I agree that you probably won't eliminate 100% of the vulnerability, but at 
some point the remainder doesn't much matter.  The issue is whether the 
vulnerability is widespread enough to ATTEMPT to exploit it.

And that doesn't take much.

I disagree.  If the great majority of users are rejecting E-mail-borne zombie 
attacks, then I think that hackers and spammers will move to greener pastures 
(such as trying to infect via Web sites or whatever).

It also depends on how quickly such a fine-grained permissions list
approach is accepted and installed.  Obviously, if Microsoft were to
include something like this in Outlook and Outlook Express by
default, it would be much more effective and much sooner than if
Infopoint or some other small software company were to try to market
it as an addon package.

You mean 5 years instead of 20?

I don't agree with your numbers, but the ratio might be about right.  A small 
software company is going to have a much harder time getting rapid worldwide 
distribution.

Such an effort will be implemented worldwide by far more customers, faster, if 
it's an upgrade to a program they already have and trust than if it's something 
new and different.

You're assuming that you can tell whether or not the _recipient's_ MUA
will attempt to interpret a message as HTML.

It doesn't much matter.  Most spammers don't know, either, what specific 
E-mail client program a destination address is using.  Nor do they care, in
fact.  

Precisely.  The spammers will attack a vulnerability that affects only
a small percentage.  

True, but as it becomes a smaller and smaller percentage, their exploit becomes 
less and less a matter of concern.

You have to defend against all such vulnerabilities.

Oh, if you can, I suppose.  But if you're waiting to get 100% before getting 
80% that you can get sooner, I think that's a poor implementation choice.

That issue is already known in virus protection.  Some email clients
were treating some messages as HTML that the anti-virus software
thought was (safe) plaintext.  The spammer didn't care _which_ victim
he got, just _how many_.

At some point, the answer to "how many" will be "not enough"... just the same 
way that spammers don't tend to go after Linux or Mac boxes, even though they 
clearly could.  The grass is greener elsewhere, so the minority situation can 
be pretty safely ignored.

For some spammers, maybe.  Many others sell their services, and the
worldwide shortage of suckers is not expected soon.

It won't take long for the word to get around that spamming doesn't work 
anymore, and that some types work dramatically less well than others.

And some spammers will just think it's good that the market is less
crowded, and spam more.

Sure, for a while.  But the fine-grained permissions list is still the most 
likely solution to yield a quick, lasting reduction in spam volume and 
virus/worms too, and with a minimum impact on legitimate users.

Ultimately, the way to control spam is to make it less profitable and appealing 
for the spammer.  The profitability doesn't HAVE to go to zero... it only has 
to go low enough that a spammer or virus author will decide that other 
approaches are more appealing.

Prove it.  Come up with a reasonable implementation that my mother can
handle.

I'll be GLAD to do that, and I'll even bring it to release-ready, if
you'll fund the development.  :-)

In other words, you're claiming something that doesn't exist and
offering no evidence.

Anyone who has spent any time working in R&D is quite used to designing 
products that don't exist yet.  My professional record for conceiving, 
designing and successfully implementing practical, usable, innovative products 
that are the first-of-kind is pretty good.  :-)

The point is that this is IMPLEMENTATION-DEPENDENT, and does not
need to be part of a "best practices" advisory.  Some companies are
hugely better at "human-engineering" software products than others
are; given that, we don't have to concern ourselves HERE with the
fact that some of them might not do a terrific job of it.

However, it's close to necessary to demonstrate that it's _possible_
to do an acceptably-good job.

I think that's pretty evident.  Certainly neither you nor anybody else here has 
posted convincing evidence proving the inverse.

There are MUCH, MUCH harder problems of software engineering that have been 
solved.  This one is comparatively quite trivial.

Again, though, I'll point out that once you default to "no
attachments, no HTML" in E-mails from unlisted senders, you don't
leave the spammers much room to evade much of anything, at least as
far as their E-mail content goes.

As I've already pointed out, "no attachments, no HTML" isn't a
clear-cut decision, 

It comes awfully close.

And if the implementation of the fine-grained permissions list is built into 
the recipient's mail client software (say, Outlook/Outlook 
Express/Pegasus/Eudora/etc) then it's possible to make it damned near 
airtight... certainly something that a clueless user (the one most likely to be 
fooled) isn't likely to be taken in by.

...and spammers will take advantage of every implementation difference of 
opinion.

Sure.  They are awfully determined, and devious.  But (again) the *great* 
majority of their tricks and deceptions are based on obscured URLs, scripting, 
HTML, and attachments.  Once you have denied them those, they're left with VERY 
little wiggle room.

Likewise, if you don't allow HTML or attachments in mail from 
unfamiliar/untrusted sources, and executable content (by HTML or attachment) 
from fewer-to-NO sources, then virus/worm/zombie infestation (at least by 
E-mail transmission vectors) is essentially going to go away.

[That is SUCH an obvious conclusion that I'm astounded that we have to keep 
bringing up the point!!  You'd *think* that at least THAT part of my proposal 
would receive pretty much universal agreement... especially when you compare 
its simple, logical basis with the outlandishly convoluted and complicated 
Rube-Goldberg-esque schemes that others here seem to be so fond of!]

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
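
Added example, not part of the original post or of any product named in the thread: a sketch of the client-side rule the message argues for, where unlisted senders default to "no attachments, no HTML" and executable attachments need a separate grant. The addresses, the permission names (`html`, `attachments`, `executable`), the extension list and the `filter_message` helper are all hypothetical.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical permissions list (constructed addresses). Unlisted senders get the
# empty set. From is taken at face value; sender authentication is out of scope.
PERMISSIONS = {"alice@example.org": {"html", "attachments"},
               "bob@example.org": {"html"}}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js")

# Constructed sample message, not real traffic.
SAMPLE = """\
From: {sender}
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello in plain text.
--b1
Content-Type: text/html; charset="us-ascii"

<a href="http://example.invalid/">click</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

def filter_message(raw):
    """Return (text to display, kept attachment names, dropped items)."""
    msg = message_from_string(raw, policy=policy.default)
    allowed = PERMISSIONS.get(parseaddr(msg.get("From", ""))[1].lower(), set())
    shown, kept, dropped = [], [], []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        name, ctype = part.get_filename(), part.get_content_type()
        if name is not None or part.get_content_disposition() == "attachment":
            name = name or "(unnamed)"
            ok = "attachments" in allowed and (
                "executable" in allowed or not name.lower().endswith(EXECUTABLE_EXT))
            (kept if ok else dropped).append(name if ok else "attachment:" + name)
        elif ctype == "text/plain" or (ctype == "text/html" and "html" in allowed):
            shown.append(part.get_content())  # type is as declared, never sniffed
        else:
            dropped.append("part:" + ctype)
    return "".join(shown), kept, dropped
```

The returned text must be rendered according to the declared type only; a client that sniffs a `text/plain` part and renders it as HTML reintroduces the scanner/client mismatch described in the thread.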

