Mobile code security (was Re: rr style scanning of non-customers)

Jared Mauch jared at puck.Nether.net
Mon Jun 16 15:04:33 UTC 2003


On Mon, Jun 16, 2003 at 03:43:41PM +0100, Brandon Butterworth wrote:
> 
> > the thing that actually burns my hash, is when my spam
> > complaints or noc correspondence are robotically bounced because they
> > contain dangerous mime attachments of type "message/rfc822" (spam
> > examples) or "text/plain" (traceroute or tcpdump output). if your noc
> > or abusedesk has such a robot protecting it, you ought to be ashamed.
> 
> Or they may be happy thinking their NOC is more 0day virus proof rather
> than hoping a 3rd party will update their scanner in time
> 
> Who'd want to risk the NOC falling to the same problem that's just
> taken out the network they're trying to fix?

	I think Paul's point may be:

	If they use text based mailers (eg: mutt, pine, elm, /bin/Mail,
mh, etc..) they won't risk being infected except by the rare buffer
overflow that might be out there.  The risk-reward comparison that I
can easily see here is that if I were to be running an abuse desk and
my people were using a fully integrated click-open or click-execute
mailer on the desktop, the chances of getting infected are a lot higher
than if I give someone an xterm, tell them to use pine/mutt and some
additional ticketing system (RT for example, or other systems I've seen
that can aggregate the abuse complaints based on headers, etc..).

	It's a lot harder to open up a Microsoft executable on a *nix
machine than a Windows machine.

	If your abuse desk can't take the complaint, you can't do anything
about it.  The abuse/security desks are in most cases small, understaffed
and hidden to prevent them from being overworked yet do enough that
you're not called a spam/abuse harborer.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.



More information about the NANOG mailing list