Rich Kulawiec wrote:
On Fri, Jan 29, 2010 at 02:33:56PM +0000, Ian Eiloart wrote:
So, does that mean that all computer mediated communication is pointless?
Of course not. But it does mean that anything originating on an
end-user system should never be used as an input to a security policy
mechanism, since The Bad Guys can either fabricate or block an
arbitrary number of such inputs as they see fit. [1]
Why is "security policy" different than "crown jewels"? If they own my
machine, they can tar up a svn checkout of the crown jewels and do
immeasurably
more harm than shipping bogus anti spam reports.
That and it might be *good* for them to start trying to game AS
reporting stuff:
if the backend started looking for those patterns, they'd probably stick
out like a
sore thumb, and you could put the machine in the penalty box.
Mike
---Rsk
[1] Within the constraint that they can only do so from those systems
which they control. But given that the number of such systems is
already very large and still growing, and that there is no reason
at all to think that this trend will reverse or even slow down, this
constraint is not really very limiting in practice.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg