IETF Logo Mail Archive

Re: Requesting comments on draft-cheney-safe-02.txt

"Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil> Sat, 08 August 2009 04:33 UTC

Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n784XqYa021578 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 7 Aug 2009 21:33:52 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n784XqSH021577; Fri, 7 Aug 2009 21:33:52 -0700 (MST) (envelope-from owner-ietf-smtp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-smtp@mail.imc.org using -f
Received: from mxoutps1.us.army.mil (mxoutps1.us.army.mil [143.69.250.38]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n784XlxH021569 for <ietf-smtp@imc.org>; Fri, 7 Aug 2009 21:33:51 -0700 (MST) (envelope-from austin.cheney@us.army.mil)
DomainKey-Signature: s=ako; d=us.army.mil; c=nofws; q=dns; h=From:X-AKO:X-IronPort-AV:Received:Received:To:Cc: Message-ID:Date:X-Mailer:MIME-Version:Content-Language: Subject:X-Accept-Language:Priority:In-Reply-To:References: Content-Type:Content-Disposition: Content-Transfer-Encoding; b=Kzk53o9eUnMhrVzqI9Zug65bbDab8Xh3NOezRTHTpLZKcuHLB0UqbnrM Ziqohf9lrGaKC+ru4IRDDrxjw0TCtQ==;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=us.army.mil; i=austin.cheney@us.army.mil; q=dns/txt; s=akodkim; t=1249706032; x=1281242032; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20"Cheney,=20Edward=20A=20SSG=20RES=20USAR=20USARC "=20<austin.cheney@us.army.mil>|Subject:=20Re:=20Requesti ng=20comments=20on=20draft-cheney-safe-02.txt|Date:=20Sat ,=2008=20Aug=202009=2008:33:45=20+0400|Message-ID:=20<f73 e99651b6bb.4a7d3869@us.army.mil>|To:=20Rich=20Kulawiec=20 <rsk@gsp.org>|Cc:=20ietf-smtp@imc.org|MIME-Version:=201.0 |Content-Transfer-Encoding:=207bit|In-Reply-To:=20<200908 07100147.GA16131@gsp.org>|References:=20<f6fecbd18af7.4a7 21c99@us.army.mil>=0D=0A=20<4A720D35.1000306@cybernothing .org>=0D=0A=20<f6e091e580a6.4a7258af@us.army.mil>=20<2009 0807100147.GA16131@gsp.org>; bh=yxjc3IVlg9SR1gxVaqRtvCI+qjreP9egYlKt1RetAfM=; b=aG4YqGC4Nfynaa3BlcT1wrhKhEcDjeC6xxWzBEwdSF1cK4IfDXvGn5pa pLdyCf3Ggc0yqEmx3pYYPWXdT+2jgM7+3ult4zBcnfdnwiKBCs5Hi78ZJ eH4tSdzWH5ZZ38ayH9uFF0cd5ALqwoYYVcZhDwB8O8Pknc0aMUK8IeSTC w=;
From: "Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil>
X-AKO: 100506799:10.224.29.21:08 Aug 2009 04:33:45 +0000:$Webmail:None
X-IronPort-AV: E=Sophos;i="4.43,344,1246838400"; d="scan'208";a="100506799"
Received: from lb2pip21.int.ps1.us.army.mil (HELO us.army.mil) ([10.224.29.21]) by mxoutps1.us.army.mil with ESMTP; 08 Aug 2009 04:33:45 +0000
Received: from [10.101.32.171] (Forwarded-For: 214.13.1.73, [10.101.32.171]) by mail15.int.ps1.us.army.mil (mshttpd); Sat, 08 Aug 2009 08:33:45 +0400
To: Rich Kulawiec <rsk@gsp.org>
Cc: ietf-smtp@imc.org
Message-ID: <f73e99651b6bb.4a7d3869@us.army.mil>
Date: Sat, 08 Aug 2009 08:33:45 +0400
X-Mailer: Sun Java(tm) System Messenger Express 6.3-6.03 (built Mar 14 2008; 32bit)
MIME-Version: 1.0
Content-Language: en
Subject: Re: Requesting comments on draft-cheney-safe-02.txt
X-Accept-Language: en
In-Reply-To: <20090807100147.GA16131@gsp.org>
References: <f6fecbd18af7.4a721c99@us.army.mil> <4A720D35.1000306@cybernothing.org> <f6e091e580a6.4a7258af@us.army.mil> <20090807100147.GA16131@gsp.org>
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-smtp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smtp/mail-archive/>
List-ID: <ietf-smtp.imc.org>
List-Unsubscribe: <mailto:ietf-smtp-request@imc.org?body=unsubscribe>

Rich,

I do wish to be clear that when I say most significant I mean that
purely in a quantitative and not a qualitative manner.  Vulernabilities
associated with client-side scripting are certainly not the most harmful
forms of security intrusion.

> These are (a) web browser and (b) operating system vulnerabilities,
> and are quite readily mitigated by making sensible choices about both.

I draw a solid distinction between mitigation and solution.  A
mitigation is a proactive action to ensure systems or data in your area
of responsibility are protected against security breaches from both
internal and external users.  That is an attempt to avoid the problem,
and it is not a solution to the problem.  A solution is a recommendation
that intends to eliminate the problem, which thereby reduces the scope
of mitigation in a given security assessment.  In other words, if
actions to a system were really a solution to client-side security
vulnerabilities then those security flaws must never again occur upon
that system, correct?

> If, on the other hand, poor choices of web browser and/or operating
> system (or mail client, for that matter) are made, then it really
> doesn't matter whether traffic moves via HTTP or SMTP or anything
> else: those systems WILL be compromised.

Users can only be protected from themselves through adherance to
policies, procedures, and relevant training.  That is leadership
solution and not a technology solution.  Protecting user from themselves
does not solve exploitable weaknesses in technology.  In these cases you
have to simply fix the technology to disallow exploitation.  If this
were not so software companies would not spend millions of dollars to
continually patch their products if administrators and management could
so easily retrain their users.

Thank you,
Austin

v2.23.0 | Report a Bug | By Email