At 11:34 AM -0800 2/7/02, Asmus Freytag wrote:
>But, as the discussion shows, spoofing on the word level (.com
>for .gov) is alive and well, and supported by any character set
>whatsoever. For that reason, it seems to promise little gain to
>try to chase the holy grail of a multilingual character set that
>somehow avoids the character level spoofing, if the word level
>spoofing can go on unchecked.

Burglary at the broken window level is alive and well. Therefore
there's little point to putting locks on doors.

I hope the fallacy of the above is obvious, but when translated into
the computer security domain it's all too common a rationalization,
as this thread demonstrates.

There are many ways to socially engineer someone into doing something
they shouldn't do. This is just one of them, and one that's mostly
theoretical at the current time. However, we still need to plug the
hole. That there are other, less damaging holes (or even more
damaging ones) is no excuse for not fixing this one.

Just to pull a number out of a hat, imagine there are 10,000 attacks
a day using spoofing in the current system. Is this any justification
for opening up a hole that will add 10,000 more? Of course it's not.

--
+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
+-----------------------+------------------------+-------------------+
| The XML Bible, 2nd Edition (Hungry Minds, 2001)                    |
| http://www.ibiblio.org/xml/books/bible2/                           |
| http://www.amazon.com/exec/obidos/ISBN=0764547607/cafeaulaitA/     |
+----------------------------------+---------------------------------+
| Read Cafe au Lait for Java news: http://www.cafeaulait.org/        |
| Read Cafe con Leche for XML news: http://www.ibiblio.org/xml/      |
+----------------------------------+---------------------------------+

This archive was generated by hypermail 2.1.2 : Thu Feb 07 2002 - 14:38:28 EST