Ed Brill

Post a Comment

1. 1  Nathan T. Freeman  | 9/19/2003 11:40:13 AM

   ...does this mean that your team is going to get even more aggressive about the "use Notes because it doesn't propagate viruses like a [insert off-color reference here]" competitive angle? I sure hope so. :)

1. 2  Ed Brill www.edbrill.com | 9/19/2003 1:13:05 PM

   I still don't think it's prudent to do an Oracle-style "unbreakable" campaign. It's in a lot of Notes/Domino presentations, in the new upcoming update to the Domino spec sheet, and of course in my "boss loves Microsoft" presentation (where I remind people that Microsoft was recently saying that e-mail viruses were a thing of the past).

1. 3  Mike Brown n/a | 9/19/2003 2:21:26 PM

   Sametime? iNotes? That sort of thing. (Stuck record; I know!)

   Cheers,

   - Mike

1. 4  (Ed Brill) www.edithere.com/barry | 9/19/2003 3:33:07 PM

   from Barry Briggs: "And if OS X is so strong how come my Mac is always downloading security patches too?"

   http://www.edithere.com/barry/2003/09/19#a536

1. 5  Philip Storry  | 9/19/2003 4:55:03 PM

   Notes was more secure. In R4.6, the only way to get something to propogate on a Notes network would be to send a properly Notes encoded mail, with embedded LotusScript. And In a well-secured environment, the signature on that LotusScript would need authorisation (via the ECL) to be able to resend mail.

   Pretty secure.

   Two things have changed since then:

   1. Virus/Worm writers have changed tactics

   2. Houston, we have COM!

   The first is easy to explain. Virus/Worm writers soon realised that exploiting vulnerabilities in Outlook/Outlook Express or IE (which is used by both to render HTML) has a very limited scope. People may be slow to patch, but patches eventually come out and do get applied. And then there's new versions, and so forth. Anything written this way has a limited lifespan. Human gullibility, however, is not patchable by a Microsoft download or upgrade. By writing their own SMTP mailing engine and then asking (or tricking) the user to run it, you get further. Some worms still use holes to start running automatically, but worms like Klez and the new Gibe carry their own SMTP engines so that they can be "mailer independant". Lotus Notes is not much safer from these worms - although the worms are much less likely to find addresses to send themselves to on the computer, which is something! ;)

   The second change is the "Dirty Little Secret" which nobody who uses Domino/Notes wants to talk about. If they even know it, that is.

   R5 added COM support, if I recall correctly. You can use that to fire off as many emails as you like from Notes, often without even needing to be prompted for a password to create the new Notes session needed. If you wanted to write a worm that targets Notes and used it to spread, you now could - and could completely bypass those famed ECL's in the process.

   However, that first change pretty much makes this redundant. It's something to bear in mind when evaluating Notes security, but it's unlikely to be exploited - it offers little advantage unless you're targetting a specific company, trying to overload its mail servers (In my opinioon, anyway.) This is more fodder for a trojan than an internet-wide worm.

   But that should still worry you. Notes isn't as secure as you thought it was - it has holes in it which are large. Although not as large as some other products, I'll admit. ;-)

   Despite IBM issueing of CFs, that COM hole will always be a lingering presence - because COM itself has no ECL mechanism. COM is not well designed for security, when compared to LotusScript.

   Good design is only one third of good security - good implementation is another, and we know IBM are committed to that, thourgh CF's and constant incremental improvement. (The final third is good usage practices, of course!)

   So the question would be, why are Domino/Notes installations so infrequently hit by these viruses & worms, if they viruses & worms are more and more often "mailer agnostic"?

   And I believe that the answer is simple. Common sense and good training.

   Many companies believe Notes is hard to use (It isn't, but that's something for another comment!), especially compared to its main competitor - Outlook. Most Outlook proponents I know will extol it's "ease of use".

   This apparent ease of use means that most companies don't bother training employees in their significant Microsoft systems. Indeed, sometimes you'd get the idea from Microsoft advertising that nobody ever needs training for their products!

   Companies that choose Domino/Notes messaging solutions are more likely to believe that training - in order to get the fullest use out of their investment - is in order. And it's during that training that good usage is often enforced. Users are told WHY Notes asks them if they want to run, detach or cancel that file they double-clicked - and more organisation specific information, like who to contact when they see a suspicious email etc.

   Companies that choose Microsoft messaging solutions often think that there's no training required. They believe they are saving money by buying a "familiar" solution - when in fact they may well be losing money every time an untrained user just double clicks on that "great joke" they were sent...

   It's nice to know that David Pogue has recieved a little training from his readers in how a good design is the bedrock of good security - but nobody seems to have pointed out to him that the weakest link in computer security is always in the same place. Between the keyboard and the chair...