Re: Providers removing blocks on port 135?

[Petri Helenius <pete () he iki fi>]

Iljitsch van Beijnum wrote:

> But someone has to. The trouble is that access to the network has 
> never been considered a liability, except for local ports under 1024. 
> (Have a look at java, for example.) I believe that the only way to 
> solve all this nonsense is to have a mechanism that is preferably 
> outside the host, or at least deep enough inside the system to be 
> protected against application holes and user stupidity, which controls 
> application's access to the network. This must not only be based on 
> application type and user rights (user www gets to run a web server 
> that listens on port 80) but also on application version. So when a 
> vulnerability is found the vulnerable version of the application is 
> automatically blocked.
Go and count the Pinto´s on US101 or I-880. :-)

> I don't see something like this popping up over night, though.
For this to be really effective, there needs to be an unbroken chain of 
authentication for code
from the author to your PC and additionally the operating system needs 
to change to get rid
of the notion of  "superuser". As have been said multiple times on this 
and other lists, most
consumer users expect their stuff "just work" and unfortunately 
Microsoft translated this
requirement to "Always Local Administrator" which has catastrophic 
security consequences.

The chain above does not have to mean that there is central authority 
enabling the code to
run on your box, it can as well give the right to you or some place in 
the organization
where it makes sense.

Pete