Re: [Nolug] FEEDBACK: Security blame games

From: Dustin Puryear <dpuryear_at_usa.net>
Date: Wed, 10 Sep 2003 15:10:27 -0500
Message-Id: <5.2.1.1.0.20030910150251.02584ae8@localhost port 111>

At 02:52 PM 9/10/2003 -0500, you wrote:

>Quoting Dustin Puryear <dpuryear@usa.net>:
>
> > That's a good question. Should the email client fully render the HTML,
> > including images which can be used by spammers to validate addresses?
>
>Note that this particular bug allowed the loading of images -- the bug
>blocked the user's preference in loading images from the internet.
>
> > The issues can be generally blamed on bad implementation choices (i.e.,
> > running attachments by default) and some nasty bugs.
>
>Your "Implementation choices" == my "Design".

I'm not sure if you have done any development work, but there is a big
difference between implementation and design. In this case the issues are
mainly related to implementation. Will Evolution allow you to open a
picture in an outside viewer? If so, it's just a hop, skip, and jump away
from running executable attachments. That is an implementation issue. So in
that regard Outlook and Evolution have made the same design choice: allow
users to open attachments using internal or external software.

Evolution, if what I have seen here is accurate, has made the better
implementation choice about handling executable attachments. Unfortunately,
that is not the only way for code to run, grab your address book, and kick
off on a rampage.

>The point is that Microsoft has known for some time that their design or
>implementation choices are the root of the problem (would you like some
>bugtraq references?) but they have only recently begun to address the
>issues by changing the default behavior of Outlook.

I think there is some confusion here. I am not in any way saying that
Outlook is safe. I don't personally use it. However, that doesn't mean that
the design of Outlook is poor (although I would argue some design choices
are a bit weak). It's the implementation that has had problems. Evolution
can follow that path as well, and I think it is leaning in that direction.

We had this same debate on a brlug.net list.

---
Dustin Puryear <dustin@puryear-it.com>
Puryear Information Technology, LLC <http://www.puryear-it.com>
Providing expertise in the management, integration, and
security of Windows and UNIX systems, networks, and applications.
___________________
Nolug mailing list
nolug@nolug.org
Received on 09/10/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST