Mobile code security (was Re: rr style scanning of non-customers)

Christopher L. Morrow chris at UU.NET
Mon Jun 16 15:51:45 UTC 2003

On Mon, 16 Jun 2003, Paul Vixie wrote:

> > therefore
> >
> > 3) why would anyone ever run outlook
> i love outlook2003.  no joke, i use it every day.  whenever i get an
> attachment that seems reasonable and i need to open it, i put it in the
> folder that outlook can see, and i read it.  i also share a calendar (in
> three directions) using outlook's "iCalendar" support.  i edit my cell
> phone's directory using a shared outlook address book.  for what it's
> intended to do, outlook works really great.  it's only when you let it
> open *all* the e-mail you get, that its weaknesses prevail.

This is the central problem though, Complexity. Paul is willing to accept
having 3 email clients and jumping through hoops to read an email or sync
a calendar across 3 devices... 99% (more?) of the computing public can't
understand this :( I'm willing to jump through 3 hoops of ssh to make
connections to one network, this to me is the price of 'security'... Many
other people just don't understand why they can't jump right to the end
system and still be 'secure'. That or they are just unwilling to remember
that security is important and at times it can entail some extra work :(

> moral of story: i think the security model is terrible, and i think the
> fact that credible or similarly-dominant alternatives do not exist is
> reprehensible, but the applications themselves, like outlook, seem to
> work pretty well once you put them inside a lockbox.  (i guess hundreds
> of companies are now in the business of selling such lockboxes, too.)

So, microsoft has actually improved the computing business world as well
as ruined it? :)

> the real failure, the thing that actually burns my hash, is when my spam
> complaints or noc correspondence are robotically bounced because they
> contain dangerous mime attachments of type "message/rfc822" (spam
> examples) or "text/plain" (traceroute or tcpdump output).  if your noc
> or abusedesk has such a robot protecting it, you ought to be ashamed.

Sure, that and the fact that outlook hasn't properly handled 822 messages
'ever'... what's a standard for anyway?
