On Nov 15, 2004, at 2:02 PM, jef moskot wrote:

On Mon, 15 Nov 2004, Bart Silverstrim wrote:
...if you're going to start moving it into another direction, it may be
best to fork that and leave the original recipe alone until the new
direction...

I think you're overstating what the ClamAV team is trying to accomplish here. Forget the "slippery slope" and look at what they're actually doing.

Since I don't know any of the developers and I don't know if any have commented on this aspect...we can let this part drop :-) They'd have to answer that.


Personally I don't like the idea of protecting users from their own
stupidity...

As a sys admin, this is part of my job. A large portion of my userbase is
unsophisticated, and a philosophical argument about why they need to learn
to protect themselves wouldn't fly with the boss.

Then that's your job description. Some people are in the position where they need to coach users not to touch hot stovetops. Others have users who resent it, i.e., ISP customers. They would not always appreciate having mail tampered with.


Again, I don't have any problem with Julian's basic premise, but I think
this discussion has shown that we can't even agree on what "social
engineering" means.

Getting a user to do something by merely tricking them?

Social engineering involves asking and posing as something you're not to get something. If the message asks you to click something, you can ignore it or click it. Either way the message is *harmless* in itself. It is just text. It can be saved, forwarded, scanned, whatever...it doesn't *run* anything, and it doesn't take advantage of an OS flaw.

It relies *entirely* on user stupidity. "We're from your bank, and we have a database problem so we need you to verify your name, social security number, account number, how much money is in your checking account and your address at this handy website! CLICK HERE!" The message *does* nothing. It relies on the user to do something, and it's entirely cross platform because there's no executable script or binary attachment.

If you want to argue "well, a virus tells you to click the icon in order to run,..." yes, that's social engineering. It's also a binary attachment containing harmful code.

All squares are rectangles, but not all rectangles are squares. Viruses can use social engineering, but not all social engineering involves viruses. I think he was referring to "the subset with the code right here...a blob of binary that if I run it it will infect my PC..." as technical. The other is nothing but text, nothing but a fishing line asking the user to hook their finger. It is no more dangerous than an email that gives detailed instructions on how to disable the safety on my microwave and stick my head in and start baking for 20 minutes because it gives a "real rush". It's harmless until I'm stupid enough to go through the effort to hurt myself. That's purely social engineering.

Given that, maybe adding a flag that allows you to
ignore signatures with certain prefixes makes sense, but I don't see the
benefit of putting too much effort into being overly specific about the
specific path a virus takes from unsolicited e-mail to user hard drive.

After seeing the lengths users will go to to avoid learning something and how hard they work to hurt their systems sometimes, methinks the best thing to do is just whitelist email servers and block everything else at the rate we're going. There's just too much to ask in the effort to protect users from themselves, and while some admins (I truly pity them) have that in their job descriptions (to protect people from themselves), I think there's only so much we can do and just so far we can go before it can be a detriment to the project we're discussing.


I find it interesting though that I've yet to hear from anyone commenting on my proposal to create a filter that will extract and convert all emails into pure text, or reformat it so only certain things can get through as an attachment with a pure text message so it would be "defanged" of scripts, web content, potential scripting exploits, etc...I'm honestly beginning to wonder how hard that would be to make and whether it may be of use for some sites. Draconian, yet it would be extremely handy in stopping the maliciousness of viruses or spam tricks...dynamically rewriting all email to a "standard" format.

Anyone? Does this already exist? A prefilter thing...not halfway to the task, like using MIMEDefang, but a whole "here's the email stripped of HTML and in a standard format for the mail system" type filter...

-Bart

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
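An added example of the kind of prefilter asked about in the message above (written for this page, not code from the thread, from ClamAV or from MIMEDefang): a Python filter that parses a MIME message, keeps only the text, reduces text/html to its visible text, drops every other part and replaces it with a one-line notice, and re-emits a single text/plain message. The list of headers that survive, the wording of the notice and the phishing-style sample message are this example's own constructions.

```python
# Added example: rewrite any MIME message into a single text/plain message.
# Non-text parts are dropped and replaced by a notice; text/html is reduced
# to its visible text (tags, attributes, <script>/<style> bodies discarded).
# The kept-header list and notice wording are choices made for this example.
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
import re

# Headers copied to the rewritten message; every other header is dropped.
KEEP_HEADERS = ("From", "To", "Cc", "Date", "Subject",
                "Message-ID", "In-Reply-To", "References")


class _TextExtractor(HTMLParser):
    """Collect visible text; skip the bodies of <script> and <style>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "li", "tr", "h1", "h2", "h3"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html):
    """Visible text of an HTML fragment, one line per block element."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    text = "".join(parser.chunks)
    return re.sub(r"[ \t]*\n[ \t\n]*", "\n", text).strip()


def _describe(part):
    return "%s %s" % (part.get_content_type(), part.get_filename() or "(unnamed)")


def _collect(part, texts, dropped):
    """Walk the MIME tree: text renditions go to texts, removed parts to dropped."""
    ctype = part.get_content_type()
    if part.is_multipart():
        children = list(part.iter_parts())
        if ctype == "multipart/alternative":
            # Alternatives are renditions of the same content: keep exactly
            # one, preferring text/plain over a converted text/html.
            for wanted in ("text/plain", "text/html"):
                for child in children:
                    if child.get_content_type() == wanted:
                        _collect(child, texts, dropped)
                        return
            dropped.extend(_describe(c) for c in children)
            return
        for child in children:
            _collect(child, texts, dropped)
    elif ctype == "text/plain":
        texts.append(part.get_content().strip())
    elif ctype == "text/html":
        texts.append(html_to_text(part.get_content()))
    else:
        # Attachments, inline images, calendar parts, anything else: removed.
        dropped.append(_describe(part))


def defang(raw):
    """Parse raw message bytes; return (rewritten EmailMessage, removed-part list)."""
    src = message_from_bytes(raw, policy=policy.default)
    texts, dropped = [], []
    _collect(src, texts, dropped)
    out = EmailMessage(policy=policy.default)
    for name in KEEP_HEADERS:
        for value in src.get_all(name, []):
            out[name] = str(value)
    body = "\n\n".join(t for t in texts if t)
    if dropped:
        body += "\n\n[filter removed %d non-text part(s): %s]" % (
            len(dropped), "; ".join(dropped))
    out.set_content(body)  # always a single text/plain part, never multipart
    return out, dropped


def sample_message(with_plain=True):
    """Constructed phishing-style sample: HTML body (optionally with a text/plain
    alternative) plus an executable attachment. Not a captured real message."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Customer Care <care@bank.example>"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Verify your account"
    msg["Date"] = "Mon, 15 Nov 2004 14:02:00 -0500"
    msg["Message-ID"] = "<constructed-001@bank.example>"
    html = ("<html><body><script>window.location='http://evil.example/'</script>"
            "<p>We have a <b>database problem</b>.</p>"
            "<p><a href='http://evil.example/login'>CLICK HERE</a></p></body></html>")
    if with_plain:
        msg.set_content("We have a database problem. Please verify your details.\n")
        msg.add_alternative(html, subtype="html")
    else:
        msg.set_content(html, subtype="html")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="update.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    rewritten, removed = defang(sample_message())
    print(rewritten.as_string())
```

Two caveats worth knowing before putting something like this in front of a mail system: because only anchor text survives, links lose their targets (the "CLICK HERE" in the sample no longer points anywhere), and because the body is rewritten, any S/MIME or PGP/MIME signature over the original message no longer verifies. Whether that is acceptable is the site's call, which is the trade-off the message above calls draconian.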
