gabriel rosenkoetter on Thu, 8 Nov 2001 20:10:20 +0100



Re: [PLUG] The spirit also took Scrooge


On Thu, Nov 08, 2001 at 11:10:21AM -0600, leroy wrote:
> it would not be terribly difficult to write a sub-2K vbscript that could
> trash a machine.  is it possible to set up the scanner to allow only pgp
> signings?

Only by checking MIME types (well, if you're going to obey any kind
of standards at all). There's nothing stopping my sending something
that's not an OpenPGP signature in a MIME compartment that claims
it's OpenPGP and, if the recipient's MUA is unaware of OpenPGP,
it'll just get treated like any other unknown attachment (including,
in braindead MUAs like Outlook, executing random code).

The only complete solution to this problem is proper security
precautions (that doesn't mean software, that means using your damn
noggin) on the recipients' end. I'm not against a virus scanner
(it would definitely mean this particular incident hadn't happened),
but I'm not convinced that there's enough of a problem right now to
justify the overhead of maintenance (one must update virus
signatures) not to mention that of the slow-down and system strain
added for each message passed by lists.phillylinux.org.

-- 
       ~ g r @ eclipsed.net

Attachment: pgpGapDj16rRW.pgp
Description: PGP signature
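
The gap described in the reply above, between the MIME type a part declares and what it actually contains, shown as an added example that is not part of the original message and not the list's real configuration. The function names and the sample message are hypothetical and constructed; the check is structural only and does not verify the signature against any key.

```python
import base64
import re
from email import message_from_string

ARMOR = re.compile(r"\A\s*-----BEGIN PGP SIGNATURE-----(.*?)"
                   r"-----END PGP SIGNATURE-----\s*\Z", re.S)

def looks_like_pgp_signature(text):
    """Structural check only: ASCII armor whose first packet has tag 2
    (signature). It does not verify the signature against any key."""
    m = ARMOR.match(text.replace("\r\n", "\n"))
    if not m:
        return False
    _headers, sep, body = m.group(1).partition("\n\n")  # blank line ends armor headers
    data = "".join(l for l in body.split() if not l.startswith("="))  # drop CRC line
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:
        return False
    if not sep or not raw or not raw[0] & 0x80:  # bit 7 is set on every packet header
        return False
    tag = raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F
    return tag == 2

def classify_attachments(raw_message):
    """Return (declared_type, verdict) for each leaf part that is not text/plain."""
    results = []
    for part in message_from_string(raw_message).walk():
        ctype = part.get_content_type()
        if part.is_multipart() or ctype == "text/plain":
            continue
        payload = part.get_payload(decode=True).decode("ascii", "replace")
        if ctype != "application/pgp-signature":
            verdict = "reject: type not allowed"
        elif looks_like_pgp_signature(payload):
            verdict = "accept"
        else:
            verdict = "reject: mislabeled"
        results.append((ctype, verdict))
    return results

# Constructed sample data: a 7-byte stub packet, not a real signature.
FAKE_SIG = bytes([0x89, 0x00, 0x04, 0, 0, 0, 0])

def armor(packet):
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n-----END PGP SIGNATURE-----"

def build_sample(sig_body, sig_type="application/pgp-signature"):
    return ('Content-Type: multipart/signed; boundary="xyz"\n\n'
            "--xyz\nContent-Type: text/plain\n\nhello list\n"
            f"--xyz\nContent-Type: {sig_type}\n\n{sig_body}\n--xyz--\n")
```

A filter that stopped at the `Content-Type` comparison would accept the second sample in the test below; the armor and packet-tag check is what rejects it.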