[govsec] Morris Worm and a Change in Direction

security curmudgeon jericho at attrition.org
Sat Nov 6 14:24:43 EST 2004


:     Translating content into what should be equivalent content in
: another form is used. Some of the problems recently seen with image
: formats containing exploits just show that there are few safe data
: formats.

It isn't just that the format isn't secure that we need to worry
about. You propose that a system be implemented to scan and convert
between MIME/file types. Historically, these implementations are just as
insecure as anything else. How many vulnerabilities are there related to
e-mail scanning systems (virus, content, etc.)?

: jpeg <-> gif <-> jpeg as an example could be done at the gateway to
: clean up images and remove steganography. Likewise mp3 <-> wma <-> mp3
: could be used to do the same.

This still poses a risk. Instead of a gif or jpg being used to execute
arbitrary code when rendered in a browser, it could just as well be
designed to execute when processed by the engine that converts.


