Email Clients and digital signatures

CL Gilbert Lamont_Gilbert@RigidSoftware.com
Sun Jul 6 14:59:02 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Neil Williams wrote:
| On Sunday 06 Jul 2003 5:22 am, CL Gilbert wrote:
|
|>Well I have been away from the scripting for a while so I will say that
|>what you say makes no sense if that is true.
|
| http://news.google.com/
| Your ignorance of the risk is threatening sites that I rely on. Do
something
| about it.
| http://www.codehelp.co.uk/html/winemail.html
| http://www.codehelp.co.uk/html/winprotect.html
|
|
|>I know Java could Never do anything like that, even though the program
|>can run automatically when you visit a web page or download an email.
|>
|>Same with javascript.  It just does not have access to these things.
|
|
| Java does have a good sandbox, that's why I recommend OpenOffice later to
| replace MSOrifice. Javascript does have some problems on Windows
platforms
| but the security implications are not massive. Javascript is nothing
to do
| with Java.
|

I know java well, and I also used to do javascript.  I know they are
seperate.

| HOWEVER:
| I was talking of ActiveX/VBScript not Javascript. ActiveX can access your
| system registry directly, no express permission is required by default
| although nearly all the mechanisms can be locked down if the admin is
VERY
| security minded and oblivious to user complaints. Internet Explorer runs
| VBScript or ActiveX within the Explorer environment, i.e. your desktop!
|
|

Well yes, activeX has full control.  But activeX is just another name
for COM/DCOM which still can not simply run automatically.  I turned off
HTML because I got tired of being *asked* to run code that I knew I
would not let run.  Always, "so and so script wants to run, this can be
dangerours", "Authorize?"  This is what I always get from outlook
express.  A request, not an automatic run of a program.  So much so that
when Norton would catch virused emails, sometimes I would just view them
anyway to see what they were going to try and do.  Never failed that
outlook express *asked* me if I wanted the script to run.

My IE settings (which is the renderer outlook express is using say this
for security.

1. Download Signed ActiveX control				->Prompt
2. Download unsigned ActiveX controls				->Prompt
3. Initialize and script ActiveX controls not marked as safe	->Prompt
4. Run ActiveX controls marked as safe for scripting		->Prompt


These are default settings.  They mean for any ActiveX control I will be
asked first.  Its not automatic.

Only time its automatic is when A bug is found that someone exploits to
make it automatic.

Yes, VBSCript runs automatically, but it can not access the stuff you
are worried about without invoking some other code like activeX that it
downloads first.  and as shown above you are asked about the download.

|>and we are all the way to XP and windows is doing something stupid as
that.
|
|
| Hate to disappoint you but many business users are not at XP (nor ever
will if
| MS keep up their licencing fiasco). Many still run Win95, some have
updated
| to Win98 but that's your lot. I have no direct experience of XP but the
| principle and the vulnerability still exist in XP. (See the Windows
Security
| sites for more info, XP is still getting security alerts for HTML
rendering
| vulnerabilities.)
|
|

Well if you are running old software that is your own problem.  Just as
easy to upgrade to a new MS product as it is to get Netscape or Eudora.


|>also the default action is NOT to allow arbitrary code to execute.  It
|>depends on the certificate of the code or website.
|
|
| Not true. A site does not need a certificate to execute ActiveX
elements. Nor
| does it need to be on a website - as the quote showed, it is easier to
| execute from an HTML email where certificates have no impact.
|

As I have shown above, my default IE settings disagree with you.  And as
I have said above, HTML emails are rendered using IE.


|
|>If this is so, why do I still get malicious emails that require me to
|>run a program.  why dont I get sent ones that just run automaticaly??
|
|
| You probably have. If it runs automatically, why would you ever know
that it
| did run? I hate to repeat myself, so here's the answer:
|

Never had a virus.  I read the below email and Still just plain
disagree.  This is not the default behavior.  This is the behavior
always indicated when a new bug is found. "so and so bug...may allow
user to run arbitrary code on users machine..."  These announcements
make no sense because you are saying anyone can at anytime run arbitrary
code on your machine anyway.

*Show me* some example code and I will believe you.


| From my email:
| OT Off-topic Was:Email Clients and digital signatures
| Today 12:30:42 am
| ==============
| It really is that easy - the reason [low-level formatting of your C:
drive]
| isn't happening all the time is that the potential perpetrators have lost
| interest in trashing individual systems. That's left to those who have a
| personal reason for targeted revenge (usually targeted at the backup
server).
| The interest is in distributed attacks - keeping your machine running
their
| nice Trojan. You keep going, oblivious to the chaos your infected
machine is
| creating across the rest of the network.
| (A DDoS, distributed denial of service).
| ===============
|
| So what is the point of alerting you that your lovely machine is
running a
| cutesy little Trojan??? The whole point of the Trojan method is that the
| trojan runs when the intruder wants it to run, does what the intruder
wants
| it to do and is completely invisible to all interventions from the user.
| There is often no need for the Trojan to reveal itself - it's more of
a cold
| war mole. If your system is set to display HTML email unaltered, there
is no
| reliable method of assuring that you have a clean system. Trojans can
hide
| from anti-virus routines by using the same techniques as the 'Tracker'
| programs employed by companies to pretend to stop laptop theft. (Tip: use
| Linux to format your entire hard drive and your trojan (or indeed
Tracker) is
| no more. Windows format won't.)
|
| A DDoS can bring down any site on the internet if it is allowed to get
big
| enough. The sights are set higher now too, the targets become whole
subnets
| or large company sites with multiple sub-domains. Unless people stop
| believing the kinds of things you have been quoting at me, the
situation can
| only get worse.
|
| It really is stupidly easy to protect yourself AND OTHERS from your own
| bravado.
| There are tips available to bolster Windows poor security, including
on my own
| site:
| http://www.codehelp.co.uk/html/winemail.html
| http://www.codehelp.co.uk/html/winprotect.html
|
| If you must use HTML email - or just allow it to be read as HTML - you
are
| being irresponsible NOT to prevent it from affecting others when the
solution
| has been staring you in the face since Win98 was released. You still
won't be
| protected from Word macros (uninstall MSOffice and use OpenOffice to
do that)
| but it would be something.
|


- --
Thank you,


CL Gilbert
Free Java interface to Freechess.org
http://www.rigidsoftware.com/Chess/chess.html
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org
Pretty Good Privacy (PGP) http://web.mit.edu/network/pgp.html, windows
users should try that.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/CB1iVbJM14DSCi0RAnRFAJwOWzuFsJ7Gsf9T5kFAxxyRiw54XwCg/qxm
5hbpcy4ujb1HKWq5icwLfwY=
=VxEF
-----END PGP SIGNATURE-----