----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 7:27 PM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
Post by George Ou
The key word here is "I". "I" does not comprise the rest of
the world.
True, but my experience of the net tends to be a better guide
than most IETF'ers or Sysops.
Key phrase here is "IETF'ers or Sysops". I'm talking about mere mortals.
MIME is a very convenient mechanism for mere mortals; if one can provide a safe
environment with modern anti-virus measures for a few thousand dollars, then
most corporations will not penny pinch. It's a hell of a lot more expensive
in man-hours if you have more than 20 users. The maintenance license is
really not that expensive.
Post by Hallam-Baker, Phillip
The vast majority of net users do not run executables that
don't come off a CDROM or a Web site.
What about S/MIME and PGP messages? What about encrypted ZIP files? Are
you going to make exceptions for those?
Post by Hallam-Baker, Phillip
Post by George Ou
The rest of the world needs to be able to transmit files to each other and
don't live in the stone age. If it can't go through email, then an ftp link
or an http link sent within the email will suffice and your EXE blocking
policy is totally useless.
You sound like someone who argues that we should not bother with
seatbelts because they don't protect you against rocket propelled
grenades.
Why don't you stick to the topic and answer the question? HTTP and FTP
links are a reality except it's a little more difficult for most people to
use. The reality is, any organization should implement anti-virus
technology at the HTTP, FTP, and SMTP gateways for that large umbrella of
protection. Exchange or Notes anti-virus and Desktop level protection are
the last line of defense. Windows XP SP2 trusted and untrusted executables
takes this to the next level and protects against Trojans and viruses that
don't have any known signature.
Post by Hallam-Baker, Phillip
Post by George Ou
What they do is flag the file as untrusted so that it cannot be
launched by the user period.
Why not just delete it?
Stupid question. You should know better than that. Let me give you a clue,
it's the same reason you quarantine questionable spam instead of deleting
it.
Post by Hallam-Baker, Phillip
What I am arguing for here is that the default config of a
mail server should be to block incoming executables, if there
are people who really want to send executables by mail then they
can finance the anti-virus companies to make that possible. But
I believe that 98% of the market would be happy to accept a
situation where executables were suppressed by default.
No rules, no updates, no subscriptions.
What I'm getting at is that it's penny wise and a pound foolish for any
email system serving more than 25 people.
Post by Hallam-Baker, Phillip
I don't want to create a product here, I want to stop people
hijacking PCs and then using botnets of zombies to spam, phish
and DDoS my customers. I don't think the anti-virus companies
are likely to offer that technology for free so I am looking for
a strategy that can be deployed at no cost.
There are free basic firewalls out there for any OS. Anti-virus usually
comes bundled with most PCs and even many motherboards. Downloading new
definitions doesn't cost a thing. Since the majority of computers in the
world run Windows XP, upgrading to SP2 is free. You get a default-on
firewall, a recompiled OS built with a buffer overflow checking compiler, and an OS that
refuses to execute untrusted binaries. Cost is not much of a concern here.
Post by Hallam-Baker, Phillip
Post by George Ou
Within the next few months, I'm going to mandate that our IT department
upgrades everyone to SP2. Once that is done, executables won't launch even if
they don't match an existing virus signature.
In the real world we can't force everyone to upgrade to XP.
In the real world, most people already run Windows XP, and that number will
only rise. If you don't run XP, get yourself a free firewall. ISPs should
mandate these free downloads to customers when they sign them up or they
should provide inbound protection for their users. Users who refuse to
protect themselves should be disconnected. There is no excuse for not
running inbound firewall protection.
Post by Hallam-Baker, Phillip
Post by George Ou
Nonsense, comprehensive Anti-virus solutions are over 99.9%
effective when implemented properly.
Not unless people pay for them.
Most computers and motherboards come with anti-virus. If not, go to
PriceWatch.com and buy yourself a copy of Panda or Trend anti-virus for
$4-$6. The money argument is totally bogus so why don't you stop whining
about the cost. If you're running an ISP, the cost of implementing an
anti-virus SMTP gateway is negligible when spread across all the users. I
never get a single virus from my free MSN account since they've implemented
anti-virus at the gateway. ISPs shouldn't be permitted to operate email
service if they refuse to implement gateway scanning. I can't believe we're
even debating this at this point. It would be so cheap to mandate this at
the ISP level.
Post by Hallam-Baker, Phillip
I think that the idea of exchanging executables via email is
clueless, it should never have been possible in the first place.
That is why most people will never buy software from you, and certainly
would hate to have you as an Email administrator. I would dare say 9 out of
10 CIOs or IT directors would listen to me.
Post by Hallam-Baker, Phillip
Unix folk don't seem to feel the need to send executables about
via email.
Some of these Unix folks are elitists that need to get their head out of the
80s. You ever wonder why Unix users make up less than 5% of the population?
Post by Hallam-Baker, Phillip
There is no way that a fingerprint product is going to be of use if
you are the target of a trojan attack.
If signature based protection mechanisms protect you over 99.9% of the time,
you don't give up on it because of the .1% it can't cover. Additionally,
strict Authenticode policies or XP SP2 will solve this. XP SP2 is very
relevant since the vast majority of computers in the world run Windows XP.
Windows 2000 has local or domain level group policy capability that can
enforce Authenticode. If you're running Win9x or ME, get yourself a free
firewall and a $4 anti-virus package. Outlook and Outlook Express already
block EXEs on those OSes anyways.
Post by Hallam-Baker, Phillip
Post by George Ou
It is a fact that the bulk of these zombies came
from Comcast users who were connected 24x7 with zero protection.
I can't get a national cybersecurity policy in place that forces
comcast to subscribe to a virus fingerprint service, blocking
dangerous MIME types on the other hand is a much more tractable
proposition.
Getting a cybersecurity policy that mandates ISPs to implement transparent
anti-virus HTTP, FTP, and SMTP gateways would make eminent sense. Another
side benefit to these FTP and HTTP scanners is that they cache too, and can
save an ISP a lot of bandwidth on the backhaul. Licensing on this stuff is
not based on the number of users and is cost negligible. Mandating a
minimum of free inbound firewalls on all broadband enabled computers would
make eminent sense. As far as I'm concerned, the industry should not wait
until the federal government gets involved. If an ISP doesn't participate,
the rest of the industry should block all traffic from them until they
comply.
Post by Hallam-Baker, Phillip
Post by George Ou
Because people don't always use them, they don't implement a comprehensive
solution or they implemented a lousy solution.
I don't think I am going to change these people, so after ten years
it's time to look at a different solution.
You're not going to get anywhere telling people to stop using anti-virus or
banning attachments.
Post by Hallam-Baker, Phillip
Post by George Ou
XP SP2 trusted/untrusted executables resolves this. I've
explained this enough times, go look this up.
Go look up the number of papers and specs I have co-authored
with Microsoft in the past three years.
If you know, why do you come up with these cockamamie suggestions?
Post by Hallam-Baker, Phillip
XP SP2 will only work for people running XP. I want to stop
the W2K and W95 platforms being co-opted into botnets.
See above.
Post by Hallam-Baker, Phillip
Post by George Ou
I would take the code signing machines a step further. Make sure that they
are using HSMs so that their private keys can't be harvested by worms or
viruses. Many new computers have embedded TPMs (Trusted Platform Modules)
in them, and that is a step in the right direction.
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
George Ou
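The thread argues over a mail server that blocks incoming executables by default, and over the holes in that policy (encrypted ZIP files, renamed attachments). The following Python is an added example written for this page, not code from either correspondent or from any product they mention. It parses one RFC 822 message, applies an illustrative default-deny check to each attachment (declared MIME type, last filename extension, the MZ marker of a Windows PE file), repeats the check on ZIP members, and reports encrypted ZIP members as unscannable rather than silently passing them. Flagged mail is quarantined, not deleted, as the thread recommends. The extension and MIME-type lists are assumptions chosen for illustration, and the sample message, including the ZIP whose member is merely flagged as encrypted, is constructed inline.

```python
"""Added example: default-deny executable attachment check for a mail gateway.

Constructed for illustration; the extension/MIME lists are assumptions, not
a complete policy. Verdict is 'quarantine' (never delete) when anything hits.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Illustrative (assumed) lists of what the policy treats as executable.
EXEC_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "msi", "dll", "cpl"}
EXEC_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                   "application/x-dosexec", "application/vnd.microsoft.portable-executable"}
ZIP_MIME_TYPES = {"application/zip", "application/x-zip-compressed"}


def _extension(filename):
    """Last extension only, so 'invoice.pdf.exe' is judged by 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify_blob(filename, content_type, data):
    """Return the reasons one blob (attachment or archive member) looks executable."""
    hits = []
    if content_type.lower() in EXEC_MIME_TYPES:
        hits.append("declared executable MIME type")
    ext = _extension(filename)
    if ext in EXEC_EXTENSIONS:
        hits.append("executable extension ." + ext)
    if data[:2] == b"MZ":  # DOS/PE header, regardless of name or declared type
        hits.append("PE (MZ) header in content")
    return hits


def scan_zip(container_name, data):
    """Apply classify_blob to every ZIP member; encrypted members cannot be read."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(container_name, ["ZIP container could not be parsed"])]
    findings = []
    with zf:
        for info in zf.infolist():
            member = container_name + ":" + info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                findings.append((member, ["encrypted ZIP member, cannot be scanned"]))
                continue
            hits = classify_blob(info.filename, "", zf.read(info.filename))
            if hits:
                findings.append((member, hits))
    return findings


def evaluate(raw_message):
    """Return ('quarantine' | 'deliver', findings) for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        hits = classify_blob(name, ctype, data)
        if hits:
            findings.append((name, hits))
        if ctype in ZIP_MIME_TYPES or _extension(name) == "zip" or data[:2] == b"PK":
            findings.extend(scan_zip(name, data))
    return ("quarantine" if findings else "deliver"), findings


def _zip_bytes(members):
    """Constructed, uncompressed ZIP holding the given (name, content) members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_single_member_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in the local and central headers of a
    single-member ZIP. Constructed only to exercise the unscannable branch;
    no real encryption is applied."""
    b = bytearray(zip_bytes)
    b[b.find(b"PK\x03\x04") + 6] |= 0x01   # local file header flags
    b[b.find(b"PK\x01\x02") + 8] |= 0x01   # central directory header flags
    return bytes(b)


def build_sample_message():
    """Constructed message: a renamed PE stub, a text file, a ZIP holding an
    executable, and a ZIP whose member is flagged encrypted."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(_zip_bytes([("setup.exe", b"MZ\x90\x00"), ("readme.txt", b"ok")]),
                       maintype="application", subtype="zip", filename="tools.zip")
    msg.add_attachment(_mark_single_member_encrypted(_zip_bytes([("secret.exe", b"MZ\x00")])),
                       maintype="application", subtype="zip", filename="locked.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, findings = evaluate(build_sample_message())
    print(verdict)
    for name, reasons in findings:
        print(" ", name, "->", "; ".join(reasons))
```

Run stand-alone, the script quarantines the constructed message and lists three findings: the renamed PE stub (caught by both its `.exe` extension and its MZ header), `setup.exe` inside `tools.zip`, and `secret.exe` inside `locked.zip`, which is reported as unscannable rather than passed. The text attachment produces nothing. The decision to quarantine unscannable archives is the policy choice the thread leaves open; the code makes it explicit so an operator can see and change it.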