
AW: [suse-security] ID wwywxugwisi... thanks



Hi there, 

just my "2 cents' worth" on this security-related issue, which I feel can be
extended to generally any type of mailing list, even those we may set up for
our own networks at home or in the office:

> i would not like to remove all attachments, sometimes ppl post configs
> etc. or maybe a png about a network topology. 

Actually I think that on a list that deals with security issues we should be
able to come up with a solution here that could serve as an example for
other lists, perhaps very specifically giving hints on how to configure a
system to do similar filtering, say on lists served by majordomo.

What type of attachments, for example, would one allow? I especially put the
question this way around, because I think that's easier to define than to
attempt to pinpoint everything one would want to *disallow*.

Obviously one would have the option to only allow MIME type attachments and
then filter out any "unwanted" types, such as HTML, mpeg and whatever else
produces a headache (obviously it's a better idea to agree on what types we
*will* let through than arguing the other way around, as that might end up
in an endless discussion). How can one go about this project using available
tools under Linux?

> Besides from that, i would more like if ppl would learn not to click 
> on every shit in an email. 

Who wouldn't. Then again, generations of e-mail users have tried to educate
other users about this one, and it still doesn't seem to hit home with
everyone.

So if you can't get what you want, accept it as a given fault you can't
rectify and rather see how we can prevent these people from receiving
hazardous attachments from this list in the first place - after all, if they
don't think, we'll have to.

> If you really want to drop attachments, then maybe just the well known
> windows executables like com exe bat pif scr etc.

There have been terrifyingly aggressive discussions on other lists whether to
allow anything else but pure "text/plain" messages, so one probably can grab
all of those already stated arguments and regurgitate them here as well - but
in general I can follow the otherwise also abundantly practiced policy of
only allowing what is absolutely necessary to fulfil a specific purpose of
a system - here to conduct a security-related discussion in a meaningful
way.

Essentially that means: we shouldn't allow any attachment types apart from
those we have specifically agreed upon here. As I said, *not* the other way
around: attempting to specify what types we will *not* allow just leaves too
many loopholes.

> just my 2eurocents.

Same here...

> Sven

Gerard

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
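As an added example (not Gerard's, Sven's or the list's code), here is one way
to implement the allow-list filter Gerard asks for with the Python standard
library's email package: every MIME part whose declared content type is not on
an agreed allow-list is replaced with a short text/plain notice, so readers see
what was stripped without receiving it. The example goes one step beyond the
post by also requiring a part's filename extension to match its declared type,
so a text/plain part named cleanup.bat is stripped too. The allow-list
contents, the extension sets and the sample message are all assumptions made
for this example.

```python
"""Mailing-list attachment allow-list filter (added example, stdlib only).

Only parts whose declared Content-Type AND filename extension are on the
ALLOWED table survive; every other leaf part is replaced by a text/plain
notice.  The list contents and the sample message are constructed here for
illustration, not taken from any real list configuration."""

import posixpath
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed allow-list: declared type -> filename extensions it may carry
# (None = part carries no filename).  Nothing outside this table passes, so
# a new dangerous type never needs its own "deny" rule.
ALLOWED = {
    "text/plain": {None, ".txt", ".conf", ".cfg", ".diff", ".patch"},
    "image/png": {".png"},  # network topology drawings, as in the quoted reply
    "application/pgp-signature": {None, ".asc", ".sig"},
}


def _extension(filename):
    """Lower-cased extension of a filename, or None when there is none."""
    if filename is None:
        return None
    return posixpath.splitext(filename.lower())[1] or None


def is_allowed(part: EmailMessage) -> bool:
    """A leaf part passes only if both its declared type and its filename
    extension (if it has one) are on the allow-list."""
    exts = ALLOWED.get(part.get_content_type())
    if exts is None:
        return False
    return _extension(part.get_filename()) in exts


def filter_part(part: EmailMessage) -> EmailMessage:
    """Recursively filter a part in place: containers keep their structure,
    disallowed leaves become a text/plain notice naming what was removed."""
    if part.is_multipart():
        part.set_payload([filter_part(child) for child in part.get_payload()])
        return part
    if is_allowed(part):
        return part
    removed = "%s (%s)" % (part.get_content_type(),
                           part.get_filename() or "no filename")
    # set_content() clears the old Content-* headers (type, disposition,
    # filename) and the payload before writing the notice.
    part.set_content("[Attachment %s removed by the list filter: "
                     "not on the allow-list]\n" % removed)
    return part


def filter_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes and return the filtered message."""
    return filter_part(message_from_bytes(raw, policy=policy.default))


def leaf_types(msg: EmailMessage):
    """(content-type, filename) for every leaf part, in order."""
    if msg.is_multipart():
        out = []
        for child in msg.get_payload():
            out.extend(leaf_types(child))
        return out
    return [(msg.get_content_type(), msg.get_filename())]


def build_sample() -> bytes:
    """Constructed sample post: a config and a PNG that should pass, plus a
    screensaver binary and a mislabelled batch file that should not."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "gerard@example.invalid"
    msg["To"] = "suse-security@example.invalid"
    msg["Subject"] = "firewall config and topology"
    msg.set_content("Attached are my current rules and the network drawing.\n")
    msg.add_attachment("*filter\n-A INPUT -p tcp --dport 22 -j ACCEPT\n",
                       filename="iptables.conf")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="topology.png")
    msg.add_attachment(b"MZ" + b"\x90" * 30,
                       maintype="application", subtype="octet-stream",
                       filename="diagram.scr")
    # Declared text/plain, but a Windows executable name: type/extension
    # mismatch, so the allow-list rejects it despite the "safe" type.
    msg.add_attachment("@echo off\nformat c:\n", filename="cleanup.bat")
    return msg.as_bytes()


if __name__ == "__main__":
    for ctype, name in leaf_types(filter_message(build_sample())):
        print(ctype, name)
```

Run stand-alone it prints the surviving parts: the body, iptables.conf and
topology.png keep their types, while diagram.scr and cleanup.bat appear as
text/plain notices with no filename. To wire this into a real list, the
filter would sit in the delivery path before the list software re-sends the
message; the allow-list itself is the part the list has to agree on.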