Re: [Nolug] FEEDBACK: Security blame games

From: Dustin Puryear <dpuryear_at_usa.net>
Date: Tue, 09 Sep 2003 00:38:29 -0500
Message-Id: <5.2.1.1.0.20030909003509.02df2798@localhost port 111>

At 11:44 PM 9/8/2003 -0500, you wrote:
>On Mon, 8 Sep 2003, Mark A. Hershberger wrote:
> > Dustin Puryear <dpuryear@usa.net> writes:
> >
> > > Advanced email software like Evolution has had flaws, and these flaws
> > > will be attacked more and more as there are more Linux end-users.
> >
> > What sort of exploitable flaws does Evolution have? How would the
> > exploitation of those flaws be similar to the exploits for Outlook if
> > everyone ran Evolution?
>
>I'm convinced that Joe User will click anything that says 'Click Me',
>regardless of his OS or mail client. To see if Kmail was really more
>secure, I sent myself a bash, perl, and compiled C program as attachments.
>From Kmail, just clicking around, there was no way to execute them.
>Attempts to "open" just opened the source in Emacs. There was no way to
>run them, which is good. All MUAs should be like this, since obviously
>most people are too dumb to have a smart mail client.

I absolutely agree! At worst show a warning like "You are about to do a
very, very dangerous thing. Are you sure?" and then possibly a "So when you
said Yes to being sure, were you sure you meant Yes? Or did you in fact
mean No? I would think you meant No. Right?" Better yet, require the user
to save the file to disk using a Save As and then perform the operation.

No automatic execution.

---
Dustin Puryear <dustin@puryear-it.com>
Puryear Information Technology, LLC <http://www.puryear-it.com>
Providing expertise in the management, integration, and
security of Windows and UNIX systems, networks, and applications.
___________________
Nolug mailing list
nolug@nolug.org
Received on 09/09/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST