19 October 2005

The return of the Evil bit?

RFC3514 specifies that

Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases.

How is this achieved?

To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.

But what happens if an evil application refuses to co-operate and leaves the evil bit reset on packets generated by it?
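As an added illustration (not part of the original post), here is a minimal IPv4 header builder and parser with the RFC 3514 filter rule on top of it; the packets and the documentation-range addresses are constructed samples, and the point is that only the sender ever decides what the filter sees:

```python
import struct

# RFC 3514 defines the "evil" bit as the reserved high-order bit of the IPv4 flags field (bit 15 of the flags/fragment-offset word).
EVIL_BIT = 0x8000
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte header without options

def ipv4_checksum(hdr):
    """One's-complement sum of the header with the checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:20]
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, evil=False, proto=6):
    """Constructed sample: a minimal IPv4 header; the sender chooses the evil bit."""
    addrs = (bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    flags_frag = EVIL_BIT if evil else 0
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20, 0, flags_frag, 64, proto, 0, *addrs)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt):
    """Decode the fields a filter would look at, including the RFC 3514 bit."""
    (ver_ihl, _tos, _length, _ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "checksum_ok": ipv4_checksum(pkt[:20]) == csum,
        "evil": bool(flags_frag & EVIL_BIT),
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def evil_bit_filter(pkt):
    """The RFC 3514 policy: drop packets that declare themselves evil."""
    return "drop" if parse_ipv4_header(pkt)["evil"] else "accept"

def demo():
    """Two packets from the same (constructed) source; only the sender decides the bit."""
    cooperative = build_ipv4_header("198.51.100.7", "192.0.2.10", evil=True)
    uncooperative = build_ipv4_header("198.51.100.7", "192.0.2.10", evil=False)
    return evil_bit_filter(cooperative), evil_bit_filter(uncooperative)

if __name__ == "__main__":
    print(demo())  # ('drop', 'accept'): the filter only stops senders who opt in
```

The filter is structurally sound (it parses and verifies the header correctly); it fails only because the decision it enforces is made by the party it is meant to constrain, which is exactly the IRM situation quoted below.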

RFC3514 has a submission date of 01 April 2003, but this does not:

Microsoft Office 2003 introduced Information Rights Management (IRM) that provides a way to help restrict recipients from copying, printing, or forwarding e-mail messages.

[...]

Opening the message with other e-mail applications or even using different types of accounts might result in recipients having full permissions to forward or reply all to a message.

D’oh? I’ve heard of security by obscurity, but what do you call this? Security by divine fiat? Security by Redmond insists?
