To: "Mike Swier" <mswier@YAHOO.COM>
Date: Thu, 9 Sep 2004 12:58:07 -0400 (EDT)
From: "Security Pipeline Newsletter" <secured@techwire.com>
Subject: [SPN] Security Pipeline 9.9.04 - Microsoft Should Open-Source Sender ID
SECURITY PIPELINE NEWSLETTER
http://www.securitypipeline.com/
Thursday, September 9, 2004
IN THIS ISSUE:
1. Editor's Note: Microsoft Should Open-Source Anti-Spam Technology
2. Editor's Picks:
- Microsoft Extends Deadline For Enterprise SP2 Adoption
- Langa Letter: Real-Life Experiences With XP's SP2
- Spam! Lovely Spam!
More Picks...
3. Only The Best Security News:
- ISPs Given Thumbs Down For Virus, Hacker Control
- Boingo Bolsters Hotspot Security
- Spammers Using Authentication To Dodge Detection
More News...
4. Shameless Self-Promotion
------- Advertisement -------------------
This issue is sponsored by Trend Micro and Cisco Systems.
Announcing a more effective approach to managing virus
outbreaks. Trend Micro and Cisco Systems-working together.
Imagine a network solution so advanced, so secure, so ingeniously
proactive, you may never have to worry about SASSER or another
outbreak again. Find out more at: http://www.trendmicro.com/cisco
-----------------------------------------
1. EDITOR'S NOTE: Microsoft Should Open-Source Anti-Spam Technology
If Microsoft is serious about using sender authentication to
block spam, phishing, and viruses, the company needs to release
its Sender ID technology into open source.
Sender ID is Microsoft's technology for identifying the sender of
an e-mail message. According to advocates for the technology,
spam, viruses, and phishing work because the senders of e-mail
messages can put whatever address they like in the "from" line of
a message. The recipient has no way of knowing if the message
really came from customerservice@citibank.com,
president@whitehouse.org, or whatever address the message appears
to be from.
Sender authentication alone won't stop spam, viruses, and
phishing, but it's a start. It'll enable users to reliably
identify messages from known, good senders, and then put the
others aside into a queue of potential spam and other bad mail,
to be managed accordingly. Some users will run the questionable
mail through filters; others will simply delete it unread.
In order for Sender ID to work, it has to see widespread adoption
and, in order for that to happen, Sender ID has to be integrated
into all the common e-mail server platforms. And that's the problem.
The open-source Apache Software Foundation said last week it
won't support Sender ID because the licensing terms set by
Microsoft are too strict.
Apache Says It Won't Support Sender ID
http://www.securitypipeline.com/showArticle.jhtml?articleId=46200895
According to the report by TechWeb News: "The foundation said the
'nontransferable' language in Microsoft's license, as well as its
prohibitions on sub-licensing of the technology, made the
software maker's terms unacceptable to the open-source
development process." Apache projects include the web server of
the same name, as well as the popular open-source spam filter,
SpamAssassin.
For Sender ID to be successful, the technology needs the support
of all e-mail software makers, not just the vendors of
proprietary software. Microsoft needs to work with open-source
software creators to get Sender ID incorporated into open-source
e-mail packages.
That's not the only problem with Sender ID.
Identifying the domain that e-mail comes from is nice, but that
doesn't tell you who actually sent the mail. Sender ID would stop
phishers from sending e-mail that appears to come from
citibank.com. But what's to stop phishers from registering
variations on the CitiBank name and trapping victims that way? If
you got an e-mail from citibank-customer-service.com, how would
you know whether it's legitimate?
And I've heard it said that Sender ID doesn't really solve any
problems at all, that e-mail recipients can already identify the
sender of a message using clues in the message headers and
envelope. I have to admit I don't quite understand those points;
can someone please explain to me, step by step, how to reliably
identify the sender of an e-mail using existing, standard
technology? Please use small words, suitable for a small child,
idiot, or journalist.
Mitch Wagner
mailto:mwagner@cmp.com?subject=SPNfeedback
Editor
Security Pipeline
http://www.securitypipeline.com
If you send e-mail, let us know if it's OK for us to publish it.
For more commentary and links, see the Security Pipeline Weblog.
http://securitypipeline.com/trends
-----------------------------------------
2. EDITOR'S PICKS:
Microsoft Extends Deadline For Enterprise SP2 Adoption
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46802633
The amount of time to block the automatic update of Windows XP
Service Pack 2 has been extended by Microsoft until mid-April
2005.
Langa Letter: Real-Life Experiences With XP's SP2
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46802557
Forget the ivory-tower pundits--here are first-hand reports from
the trenches, relayed by your peers who've already installed the
new Service Pack.
Spam! Lovely Spam!
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46802544
Billions of spam messages are sent every day--and the number is
climbing quickly. Will this eventually kill e-mail as a business
tool?
Apache Says It Won't Support Sender ID
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46200895
The foundation is balking at Microsoft's strict licensing terms
for the proposed anti-spam standard.
Spyware Could Mess Up SP2 Installations
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46800040
Microsoft warns that computers with spyware may freeze upon
installation of SP2.
Register Today For TECHXNY
http://techxny.com/
Join us October 5-7 at the Jacob Javits Convention Center in New
York for TECHXNY where you'll find the business solutions you
need. We'll be covering storage, networking, security, database,
Internet, wireless, Linux solutions and more. Save the dates and
register today.
Attend The CSI Annual Computer Security Conference
http://www.gocsi.com/annual/
Attend the CSI Annual Computer Security Conference & Exhibition
November 8-10 in Washington, D.C., featuring 14 tracks, 160
sessions and 175 exhibitors. The must-attend event for security
pros covers topics such as wireless, forensics, compliance,
attacks, countermeasures and more.
3. ONLY THE BEST SECURITY NEWS:
ISPs Given Thumbs Down For Virus, Hacker Control
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46802767
A J.D. Power and Associates survey finds users remain unhappy
with their ISPs' defenses against hackers and viruses.
Boingo Bolsters Hotspot Security
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46802635
Hotspot vendor adds 802.1x and WPA support to its client
software.
Spammers Using Authentication To Dodge Detection
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46802630
Sasser Creator Charged With Sabotage
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46802573
Red Hat Boosts Security In Enterprise Server
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46800536
WinZip Vulnerable To Hacks
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46800220
TSA Extends Registered Traveler Program To Reagan National
http://www.SecurityPipeline.com/showArticle.jhtml?articleId=46800121
4. SHAMELESS SELF-PROMOTION
LOOK FOR ENTERPRISE MONITORING/MANAGEMENT PRODUCTS IN PRODUCT
FINDER
http://productfinder.securitypipeline.com/index.cgi?search=Search&final_cat1=3&category=6&sub_cat=31
For other Product Finder product categories, browse or search the
database from its home page:
http://productfinder.securitypipeline.com/
BULLETINS: Microsoft Security
http://www.securitypipeline.com/howto/
Feeling insecure? Keep up with all the latest security bulletins
from Redmond. A live feed updates this page continuously; for
best results, bookmark and check it regularly.
CHECK OUT THE SECURITY PIPELINE TOPIC CENTERS
Desktop Security:
http://www.securitypipeline.com/desktop/
Network Security:
http://www.securitypipeline.com/network/
Infrastructure:
http://www.securitypipeline.com/infrastructure/
Policy & Privacy:
http://www.securitypipeline.com/policy_privacy/
TELL A COLLEAGUE ABOUT THE SECURITY PIPELINE NEWSLETTER
If you know someone who might be interested in signing up for
this newsletter, please forward it and point out the
subscription page:
http://www.securitypipeline.com/newsletter.jhtml
NETWORK COMPUTING'S SECURE ENTERPRISE MAGAZINE
http://www.securitypipeline.com/se/
Did you know that Network Computing has launched a new supplement
called Secure Enterprise? Security Pipeline hosts the Secure
Enterprise Web site. It's well worth a moment of your time
to check out this content from top-notch authors.
HAVE YOU DISCOVERED THE OTHER PIPELINES?
http://www.techweb.com/pipelines/
Security Pipeline is one in a series of specialized IT sites from
the TechWeb Network we think you'll like. Discover the rest of
the Pipeline publications:
Every Pipeline site has its own newsletter and RSS feed. Give them a
try.
Explore the TechWeb Network:
http://www.techweb.com/
SUBSCRIBE TO THE SECURITY PIPELINE RSS FEED
Security Pipeline's content is available as an RSS feed. Just
copy this link and paste into an RSS reader:
http://www.securitypipeline.com/rss/all.jhtml
You need specialized software (or a Web-based service) called a
news aggregator or RSS reader to view an RSS feed. This link does
not work in most Web browsers or e-mail packages.
Privacy policy:
http://www.cmp.com/delivery/privacy.html
The Security Pipeline Newsletter
http://www.securitypipeline.com/
Copyright (c) 2003-2004 CMP Media LLC
600 Community Drive
Manhasset, NY 11030