
Re: Can A Web Site Be Reliably Defended Against DoS Attacks?


Dare Obasanjo wrote:
> That solution basically amounts to creating a user hostile system where users can't run applications unless allowed to by the system administrator.

Most large businesses want to create just precisely that!

> As for the home user, I don't see how this ultra-cumbersome approach would even get off the ground let alone fly with the average IMing, music downloading teenager.
> Even if you did all that they'd just go through all the steps and launch the application.

The problem is that applications can be launched without being 
installed. If there was no way of running executable code in an 
application other than having the attachment being a software package 
wrapped up in a distribution file format that was handled by a standard 
system app (like RPM or apt or whatever), so you had to say "yes I want 
to install this software" and so on, THEN actually go and run it, then 
people won't be fooled into thinking they're just opening a file. Which 
is what MyDoom tries.

Obviously, if somebody can install software on their machine - either 
the owners of the machine permit it, or they own the machine themselves 
- then they can always be socially engineered into installing and 
running arbitrary applications. But that's not what MyDoom has done. 
MyDoom is claiming that the attachment isn't an executable, because the 
action of opening a document is the same as the action of running an 
executable under so many GUIs!

On the command line, one is not so easily fooled. If an attachment 
claims to be Unicode text or whatever, you will save it then run:

emacs <filename>

If it asks you to directly execute the attachment with:

./<filename>

...the user might think "Why's that then?" :-)

> How many people would have believed that requiring a user to download a zip file, unzip its contents then launch the contained executable would be a virus vector that would actually work let alone be one of the fastest spreading of all time?

The same people who thought that popping up those dialogs saying "This 
web page contains ActiveX controls signed by XYZ Corporation. Do you 
want to trust content signed by XYZ Corporation?" was a stupid idea :-)

ABS
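
An added example, not part of the original message: one way a mail gateway could make the "document versus executable" distinction explicit before the user ever clicks, by comparing an attachment's name with its leading bytes and looking inside zip archives. The function names, the extension list and the sample file names are assumptions made for this illustration.

```python
import io
import os
import zipfile

# Leading bytes that mark content the operating system can execute.
EXEC_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable",
              b"#!": "interpreter script"}
# Illustrative subset of extensions a Windows shell runs on double-click.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def check(name, head):
    """Return reasons why 'opening' this item would actually run code."""
    ext = os.path.splitext(name.lower())[1]
    if ext in EXEC_EXTS:
        return [f"{name}: extension {ext} is executable"]
    return [f"{name}: named as data but content is {kind}"
            for magic, kind in EXEC_MAGIC.items() if head.startswith(magic)]


def inspect_attachment(filename, data):
    """Check an attachment and, if it is a zip archive, each member in it."""
    reasons = check(filename, data[:4])
    if not data.startswith(b"PK\x03\x04"):
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member_name = f"{filename}!{info.filename}"
                try:
                    with zf.open(info) as member:
                        head = member.read(4)  # header only, not the whole member
                except RuntimeError:  # encrypted member cannot be inspected
                    reasons.append(f"{member_name}: encrypted, not inspectable")
                    head = b""
                reasons += check(member_name, head)
    except zipfile.BadZipFile:
        reasons.append(f"{filename}: claims to be a zip archive but is corrupt")
    return reasons


def sample_zip():
    """Constructed sample: an archive with one text file and one executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("viewer.exe", b"MZ\x90\x00 constructed bytes")
    return buf.getvalue()
```

An empty result means nothing in the attachment would execute on open; any entry is a reason to require an explicit install step instead of a double-click.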

