[ On Tuesday, January 11, 2005 at 21:24:06 (+0000), Alan J. Flavell wrote: ]
> Subject: RE: [exim] Securing Email for the prying eyes of any government
>
> The implication of that seems to be that we should remove all the
> mailer's defences forthwith, and let the users fester in their own
> mess until they learn the folly of their ways. It certainly has its
> appeal

I don't think it makes one hoot of a difference how hard "we" try to
protect the masses from themselves.

We know we cannot possibly ever catch exploits on their initial release
(at least not good ones -- the catch-a-Doze-EXE-as-MIME regex tricks do
work very well to catch initial releases of new crap using the same old
exploits far better than the silly signature writers ever seem to do).

The best we can do is keep the fools from "hurting" the systems and
resources we manage for them -- i.e. from doing unnecessary damage once
we've discovered any new mess running wild in their client machines.

And as we agree when the skills of the attackers increase sufficiently
there won't be a damn thing we can do but stand well back and watch all
the fun. They really will have to fester in their own mess since the
only alternative will be to pull the plug. Sterling and Gibson et al
have probably only predicted the ideal outcome, not some dark future
that most have interpreted it as up until now. And I'm an optimist by
nature. :-)

> - but unfortunately, the ones whose behaviour suggests that
> they are the most eager to compromise their own security, would be the
> ones who are in a position to tell the human resources department that
> our services are no longer required.

I've been reasonably successful at telling the powers that be that I'll
only ever be held responsible for protecting the mail servers and other
network systems themselves and that even though some of what I do also
mitigates the effects of attacks on client systems, I couldn't care less
what happens to any end user's own systems and I'm not in any way,
shape, or form responsible for the security of end-user systems.

Of course I work mostly for ISPs, or for others who don't run M$ crap,
and I am usually on contract to design, manage, and support
infrastructure, never end-user systems.

I've also been saying this same thing from day one and have never
strayed from my story and never led anyone down the garden path to a
sense of false security about what bastions and firewalls can do for
their client systems, so it's not like I'd be changing my level of
support or anything. :-)

I don't envy anyone supporting M$ desktops, but then again one creates
the circumstances of one's life that one must live with! I'd rather
flip burgers than manage M$ crap, but luckily I've been able to arrange
things so that I don't have to do either. (yet, touch wood! :-)

--
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>