[govsec] Morris Worm and a Change in Direction

jmetz at intac.com jmetz at intac.com
Fri Nov 5 13:51:36 EST 2004



One question bothers me. In almost every situation, all mail (to any
governmental officer) is considered either questionable or often
non-deliverable to the intended recipient; mostly this has been because of
the potential of virus/worm delivery.

Yet in all the years of Email no one has ever considered mail conversion
prior to delivery.

Why has no one ever set up a system of conversion to PDF in the mail system?
This would be one way to ensure that real information would be transferred
no matter how it was sent.

A stand-alone mail gateway which automatically strips all mail, HTML or plain
text (or even preexisting PDF), converting it to PDF and then transporting
it to the intended recipient, would prevent most worms/viruses from ever
getting through.

This would ensure that public officials would receive direct communication
while the mailbox/gateway would perform the function of vetting the mail
in the conversion process.

A dedicated system in this fashion would be considered sacrificial.

While the concept may not be perfect, it might create a relatively short-term
security concept by processing both incoming and outgoing mail no matter
what or how the senders or receivers composed the original.

It would also ensure that the security would be enhanced in the most
vulnerable pathway.

Yours

John Metzger



> At 11:39 11/5/2004, you wrote:
>>It's been over 6 months since I posted to GovSec;
>>many of you probably forgot you were even subscribed.
>>I originally founded this list with the hope of fostering
>>meaningful discussion concerning the unique issues
>>facing those entrusted with securing information
>>systems in the public sector.  Such dialogue has, unfortunately,
>>largely failed to materialize, for whatever reason, so
>>I've decided to change my tack a bit.  I'm going to
>>use this list to post items of interest to the
>>government infosec community, about which you are,
>>of course, free to comment.  I expect it will still be a very
>>low volume list, but hopefully what little traffic you
>>do receive will be of more use and interest.
>>
>>****************************************
>>
>>As most of you are no doubt already aware, Wednesday was the
>>16th anniversary of the release of the Morris worm.  I expect
>>many of us can remember exactly where we were and what we
>>were doing when it hit--I was working in a medical research
>>lab at a university in Texas.
>>
>>Worms have become commonplace in this day and age, but I wonder
>>if people who have entered the infosec field since that
>>November day in 1988 really understand what fundamental
>>changes took place in the collective attitudes of those using
>>the Internet.  Security was a personal affair back then--
>>true anonymity was rare, and there simply weren't enough nodes
>>to rely on some convoluted path for obscurity.   The bang path
>>of your email messages was pretty much a roadmap back to
>>you, for example--a sort of electronic manifestation of what
>>biologists call the principle of "ontogeny recapitulating
>>phylogeny."
>>
>>Security since those days has morphed into a multi-billion dollar
>>industry and a major employer within the IT field, but I can't
>>help but be curious how many of the newly-certificated experts
>>out there understand the fundamental history of their
>>chosen vocation. One very important aspect of being a professional
>>soldier is a thorough knowledge of military history.  Every
>>general who has come before you has contributed to the common
>>pool of knowledge in the art and science of warfare.  If you
>>aren't intimately familiar with their success and failures,
>>you doom yourself, needlessly, to making their same mistakes.
>>
>>Today is a good day to take it upon yourselves to study the
>>brief but rich history of infosec, and thereby to learn the
>>lessons of the past--so that they won't become the all too
>>familiar news stories of the future.
>>
>>Cheers,
>>
>>RGF
>>
>>
>>_______________________________________________
>>govsec mailing list
>>govsec at attrition.org
>>http://www.attrition.org/mailman/listinfo/govsec
>

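The conversion gateway proposed in the message above, sketched as an added example that is not part of the original post: it flattens each message to inert plain text, which stands in here for the PDF rendering step (an assumption, since PDF output needs a third-party renderer), and drops every other part. The names `flatten` and `sample` and the addresses are hypothetical and constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class _TextOnly(HTMLParser):
    """Keep visible text only; tags and script/style bodies are discarded."""
    def __init__(self):
        super().__init__()
        self.out, self._skip = [], False
    def handle_starttag(self, tag, attrs):
        self._skip = tag in ("script", "style")  # parser treats these as raw data
    def handle_endtag(self, tag):
        self._skip = False
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.out.append(data.strip())

def flatten(raw: bytes):
    """Return (inert text-only EmailMessage, list of (type, filename) dropped)."""
    msg = message_from_bytes(raw, policy=policy.default)
    texts, dropped = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        inline = part.get_content_disposition() != "attachment"
        if inline and ctype == "text/html":
            p = _TextOnly()
            p.feed(part.get_content())
            p.close()
            texts.append("\n".join(p.out))
        elif inline and ctype == "text/plain":
            texts.append(part.get_content().strip())
        else:  # executables, documents, images, unknown types: never forwarded
            dropped.append((ctype, part.get_filename()))
    clean = EmailMessage()
    for h in ("From", "To", "Subject", "Date"):  # copy only a fixed header allowlist
        if msg[h]:
            clean[h] = str(msg[h])
    clean.set_content("\n\n".join(texts) + f"\n\n[gateway: {len(dropped)} part(s) removed]\n")
    return clean, dropped

def sample() -> bytes:
    """Constructed test message: HTML body with a script, plus an .exe attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "citizen@example.org", "official@example.gov", "Road repair"
    m.set_content("<p>Please fix Elm St.</p><script>run()</script>", subtype="html")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="form.exe")
    return m.as_bytes()
```

The output message is rebuilt from scratch rather than edited in place, so nothing from the original MIME structure reaches the recipient unless the gateway explicitly copied it.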

