On Friday 05 March 2004 12:51 pm, Keith Abraham wrote:

Is this an attempt to put email under commercial control?
http://www.guardian.co.uk/online/story/0,3605,1161063,00.html

I don't see it that way - how is it meant to provide control? All that is being proposed is that SMTP does some basic checking on the From: to limit spoofing. It's long overdue. I can't send email via your ISP, you can't connect to my SMTP server - what's wrong with enforcing the same rules on the steps in-between to catch those who use or set up servers that don't do that first check?

Problem is, it won't stop spam, it'll just redirect it so that it comes from indiatimes.com instead of hotmail.com and aol.com.

The bigger problem is here:

Stuart Okin, Microsoft UK's chief security officer, also points out that not all security problems are related to flaws in Microsoft's software. "If you take MyDoom as the classic example, it did not use any vulnerabilities in a Microsoft product. It was purely a human, social engineering technique - ie, you received an email, you thought was from a friend, you opened it, it ran a program and did all sorts of nasty things."

Don't Microsoft even realise that a secure OS would not ALLOW the program to do nasty things!!!? Forget the social engineering to get users to click, if all the virus can do is trash some home files, what's the point?

The 'nasty things' declared by Okin are ALL because Windows allows arbitrary executables to run with system privileges. The Registry should be off-limits to ALL user executables, installation routines should ALL require admin passwords, admin users themselves could be automatically logged out after a period of time to prevent people running user apps as admin. If these simple steps were implemented in 'Trustworthy Computing', a simple reboot (again) would remove all traces of user-area contaminants and services would not be compromised by user activity without a specific exploit.

Instead, 'Trustworthy Computing' is all about Microsoft trusting you to not copy the OS rather than preventing security breaches by remote executables.

It's completely backwards - Windows appears to trust the attacker MORE than the user!?

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.