Re: Mobile code security (was Re: rr style scanning of non-customers)
From: Jared Mauch <jared () puck Nether net>
Date: Mon, 16 Jun 2003 11:04:33 -0400
On Mon, Jun 16, 2003 at 03:43:41PM +0100, Brandon Butterworth wrote:
> > the thing that actually burns my hash, is when my spam
> > complaints or noc correspondence are robotically bounced because they
> > contain dangerous mime attachments of type "message/rfc822" (spam
> > examples) or "text/plain" (traceroute or tcpdump output). if your noc
> > or abusedesk has such a robot protecting it, you ought to be ashamed.
>
> Or they may be happy thinking their NOC is more 0day virus proof rather
> than hoping a 3rd party will update their scanner in time
>
> Who'd want to risk the NOC falling to the same problem that's just
> taken out the network they're trying to fix?

I think Paul's point may be:

If they use text based mailers (e.g. mutt, pine, elm, /bin/Mail,
mh, etc.) they won't risk being infected except by the rare buffer
overflow that might be out there. The risk-reward comparison that I
can easily see here is that if I were to be running an abuse desk and
my people were using a fully integrated click-open or click-execute
mailer on the desktop, the chances of getting infected are a lot higher
than if I give someone an xterm, tell them to use pine/mutt and some
additional ticketing system (RT for example, or other systems I've seen
that can aggregate the abuse complaints based on headers, etc.).

It's a lot harder to open up a Microsoft executable on a *nix
machine than a Windows machine.

If your abuse desk can't take the complaint, you can't do anything
about it. The abuse/security desks are in most cases small, understaffed
and hidden to prevent them from being overworked yet do enough that
you're not called a spam/abuse harborer.

Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
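
The intake approach discussed in this thread, as an added example that is not part of the original message or of any ticketing system it names: complaints carrying "message/rfc822" and "text/plain" parts are accepted and parsed as inert data, other attachment types are recorded without being decoded, and complaints are grouped by a header of the attached spam. The function names, sample addresses and the choice of the topmost Received line as the grouping key are assumptions made for illustration.

```python
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage
import re

INERT_TYPES = {"message/rfc822", "text/plain"}  # the types named in the thread
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def summarize(raw):
    """Parse one complaint; return (origin IPs of attached spam, skipped parts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    origins, skipped = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            # The attached spam is parsed as data only; nothing is rendered or run.
            hops = part.get_payload(0).get_all("Received", [])
            # Assumption: the topmost Received line came from the reporter's own MX.
            m = IP_RE.search(str(hops[0])) if hops else None
            origins.append(m.group(1) if m else "unknown")
        elif part.get_content_maintype() != "multipart" and ctype not in INERT_TYPES:
            # Anything else is logged by type and name, never decoded.
            skipped.append((ctype, part.get_filename()))
    return origins, skipped

def aggregate(raw_complaints):
    """Group complaint indexes by the origin IP of the spam they report."""
    tickets = defaultdict(list)
    for idx, raw in enumerate(raw_complaints):
        for ip in summarize(raw)[0]:
            tickets[ip].append(idx)
    return dict(tickets)

def sample_complaint(src_ip):
    """Constructed sample: report text, attached spam, one binary attachment."""
    spam = EmailMessage()
    spam["Received"] = f"from mail.example (unknown [{src_ip}]) by mx.example.net"
    spam["Subject"] = "constructed spam sample"
    spam.set_content("constructed body")
    report = EmailMessage()
    report["Subject"] = "spam complaint"
    report.set_content("traceroute output would go here")
    report.add_attachment(spam)  # becomes a message/rfc822 part
    report.add_attachment(b"\x00\x01", maintype="application",
                          subtype="octet-stream", filename="sample.bin")
    return report.as_bytes()

if __name__ == "__main__":
    print(aggregate([sample_complaint(ip) for ip in
                     ("192.0.2.10", "192.0.2.10", "198.51.100.7")]))
```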