Home page logo
/

nanog logo nanog mailing list archives

Re: Mobile code security (was Re: rr style scanning of non-customers)
From: "Christopher L. Morrow" <chris () UU NET>
Date: Mon, 16 Jun 2003 15:51:45 +0000 (GMT)



On Mon, 16 Jun 2003, Paul Vixie wrote:


therefore

3) why would anyone ever run outlook

i love outlook2003.  no joke, i use it every day.  whenever i get an
attachment that seems reasonable and i need to open it, i put it in the
folder that outlook can see, and i read it.  i also share a calendar (in
three directions) using outlook's "iCalendar" support.  i edit my cell
phone's directory using a shared outlook address book.  for what it's
intended to do, outlook works really great.  it's only when you let it
open *all* the e-mail you get, that its weaknesses prevail.

This is the central problem though, Complexity. Paul is willing to accept
having 3 email clients and jumping through hoops to read an email or sync
a calendar across 3 devices... 99% (more?) of the computing public can't
understand this :( I'm willing to jump through 3 hoops of ssh to make
connections to one network, this to me is the price of 'security'... Many
other people just don't understand why they can't jump right to the end
system and still be 'secure'. That or they are just unwilling to remember
that security is important and at times it can entail some extra work :(


moral of story: i think the security model is terrible, and i think the
fact that credible or similarly-dominant alternatives do not exist is
reprehensible, but the applications themselves, like outlook, seem to
work pretty well once you put them inside a lockbox.  (i guess hundreds
of companies are now in the business of selling such lockboxes, too.)


So, microsoft has actually improved the computing business world as well
as ruined it? :)

the real failure, the thing that actually burns my hash, is when my spam
complaints or noc correspondance are robotically bounced because they
contain dangerous mime attachments of type "message/rfc822" (spam
examples) or "text/plain" (traceroute or tcpdump output).  if your noc
or abusedesk has such a robot protecting it, you ought to be ashamed.


Sure, that and the fact that outlook hasn't properly handled 822 messages
'ever'... whats a standard for anyway?


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault