Autor: Jan-Peter Koopmann Datum: To: David Brodbeck, Exim User's Mailing List CC: Betreff: RE: [exim] Securing Email for the prying eyes of any government
Hi David,
> Now, now. He's right in a way. Virus scanners are a
Yes I agree. But there is a difference in pointing out problems or annoyances and praying that everything people do now is bad and there is only one other solution.
> The underlying problem is that people are emailing around
> executable code to begin with. There's almost no legitimate
> reason for it.
Ease of use for many people. Before you start: Yes I also hate it and I usually do not send EXEs (and I block incoming and outgoing EXEs on the gateways). But for a lot of people sending EXEs is a lot simpler that setting up some sort of storage, loading stuff up there, assuring your communication partner has access to it etc. Even thinking about it costs them too much money.
> (And before you say something about Word
> documents and macros, I don't think there's any legitimate
> reason for word processor documents to be able to carry
> system-damaging code, either.)
Code: Yes. System-damaging code: No. Agreed. But how exactly do you assure this?
> The widespread use of virus scanners has, if anything, set us
> BACK by allowing vendors to brush off this underlying problem by
> passing the buck. "Don't worry about the insecurity of our products.
> Just use a virus scanner, you'll be okay."
Let's assume for one second that there would be a way to make everybodies system so secure that a virus has no chance. You are right then of course but again: It is not really probable for the world to change therefore virus scanners unfortunately still are necessary and I do not see a middle term alternative to them.
Back to reality: There is no system I am aware of that prohibits all kinds of viruses under all conditions. Many people work on their Linux platforms as root and if they download/receive a virus it will of course work and do all kinds of stuff. So even if you design the ultimate system that has no buffer overflows or similar security problems you will still have the problem of people downloading viruses just because they receive an e-mail saying "Hey Joe, here is a really cool program. Klick here and have fun!".
> So...no floppy drives, no USB ports, no cell phones...that's
> a start.
First of all that was not what I talked about. But yes we had clients thinking about this indeed. And the lack of floppy drives and USB sticks is not that hard to cope with for many users. No cell phones is a different thing I suppose but many users are not capable of setting up a GPRS/UMTS/Bluetooth/whatever connection to get this working. And you can make this harder for them as well. It mostly depends on what the client wants, what he is willing to pay and what problems he is willing to accept.
> Then you get into the really tricky ones. (And
> that's leaving out the obvious stuff, like monitoring phone
> conversations and blocking webmail providers.)