Home page logo

nanog logo nanog mailing list archives

Re: Mobile code security (was Re: rr style scanning of non-customers)
From: Jared Mauch <jared () puck Nether net>
Date: Mon, 16 Jun 2003 11:04:33 -0400

On Mon, Jun 16, 2003 at 03:43:41PM +0100, Brandon Butterworth wrote:

the thing that actually burns my hash, is when my spam
complaints or noc correspondance are robotically bounced because they
contain dangerous mime attachments of type "message/rfc822" (spam
examples) or "text/plain" (traceroute or tcpdump output). if your noc
or abusedesk has such a robot protecting it, you ought to be ashamed.

Or they may be happy thinking their NOC is more 0day virus proof rather
than hoping a 3rd party will update their scanner in time

Who'd want to risk the NOC falling to the same problem that's just
taken out the network they're trying to fix?

        I think pauls point may be:

        If they use text based mailers (eg: mutt, pine, elm, /bin/Mail,
mh, etc..) they won't risk being infected except by the rare buffer
overflow that might be out there.  The risk-reward comparison that I
can easily see here is that if I were to be running an abuse desk and
my people were using a fully integrated click-open or click-execute
mailer on the desktop, the chances of getting infected are a lot higher
than if I give someone an xterm, tell them to use pine/mutt and some
additional ticketing system (RT for example, or other systems i've seen
that can aggregate the abuse complaints based on headers, etc..).

        It's a lot harder to open up a microsoft executable on a *nix
machine than a windows machine.

        If your abuse desk can't take the complaint, you can't do anything
about it.  The abuse/security desks are in most cases small, understaffed
and hidden to prevent them from being overworked yet do enough that
you're not called a spam/abuse harborer.

        - Jared

Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]