But shouldn't everyone use some common sense? You don't take candy
or rides from strangers, do you? I guess we should assume that everyone is
stupid so we need to code for that. I love to have ten dialog boxes appear
before I view a file (sarcasm).

I am just saying that when you make it easier for the average user
to develop code (even if it is scripting), you are going to have some people
who take advantage of it in the wrong way. I could send you an attachment
that appears to be a grep executable and you save it to disk and execute it.
The key is you are smart enough not to do this. I agree that Microsoft should
have some kind of warning when a script like this is about to execute, but the
user needs to take some responsibility and not click on everything they see.

I won't speak any further because I know everyone is sick of this
and we all know we can't change Microsoft.......
-----Original Message-----
From: Strider Centaur [mailto:strider@scifi-fantasy.com]
Sent: Monday, May 08, 2000 2:57 PM
To: ale@ale.org
Subject: Re: [ale] Why does everything have to be scriptable?
I totally disagree with this concept of security at the end user level
in all cases. Microsoft has done little to educate the public, such features
should ALWAYS be shipped turned off, forcing the end user to turn them on,
with all the WARNINGs and the It's Your Ars that it deserves.

Microsoft claims they are making computers easier to use for the common
man, well security 101 tells us that Ease of Use and Secure are inversely
proportional. So we read into this that it is the goal of Microsoft to
err on the side of poor security where issues of ease of use may be
concerned.

Additionally, I can find no reason why an attachment should have the
ability to affect anything outside of a USER space, ideally not even that
much. The API is there, embedded and with little to no way to turn it off or
make it inaccessible. At least with a gun there are lots of warnings and in
most states mandatory training on proper use and maintenance. Then again a
gun is a much easier to use tool, it's designed for sport and to kill, we
hope only in the case of defense. I draw very little similarities between
Windows and a gun other than both can be very expensive to own. :-)

Basically your assertion that it's not an issue with Microsoft but with
the education of end users falls flat in my book. While education may have
helped, it is no substitution for correct security in the first place. This
is not just a we hate Microsoft nit picking here. The same holds true for
all OSs. If this happened in the Linux realm, because a distributor left
sendmail configured with auto execution of binaries enabled (god save them),
I would be just as hard nosed on them. Security is not to be taken lightly.

Michael Smith wrote:
> I think we need to start a campaign like the drug campaign a couple of
> years ago.
>
> Just Say No.....to unknown attachments.
>
> This "worm" wouldn't have been an issue if people didn't open every
> attachment without thinking about it. I know that Microsoft made the api
> available but they didn't click on the attachment.
>
> .....This is starting to sound like gun control....
>
> I think the government needs to buy back all the Microsoft operating
> systems. It will probably save lives. Ha.
>
> -----Original Message-----
> From: David Heath [mailto:dave@hipgraphics.com]
> Sent: Monday, May 08, 2000 2:04 PM
> To: Dan Newcombe
> Cc: ALE
> Subject: Re: [ale] Why does everything have to be scriptable?
>
> >On Mon, 8 May 2000, David Heath wrote:
> >> The problem is not everyone running the same software, the problem is:
> >
> >That's part of the problem - it makes it easy to know that the exploit
> >will propagate - like the sendmail worm.
>
> It makes it easier, yes, but it is neither sufficient nor necessary
> for virus propagation.
>
> >
> >> 1) No security model in the most common os!
> >
> >It has security, however it comes with a very loose setting out of the
> >box, and most people don't know to change it. If you change your security
> >setting to "Internet Explorer's Restricted Sites" setting then you'd be
> >immune.
>
> Does windows 98 have a concept of user vs. administrator? I don't
> know, but certainly >= 99% of windows 98 users run everything
> (including mail readers and web browsers) with _full_ access to the
> system. That is what I mean by no security model. It places the onus
> for security on the application rather than on the OS where it belongs.
>
> >
> >> 2) Unnecessary and dangerous scripting capability being added to
> >> everything these days. Scripting is fine for the user, but mail, web
> >> clients, etc, should not accept scripts from the outside world.
> >
> >Agreed - well, they can accept it, but it should run like on a JVM - it
> >only has access to the resources of the JVM, not the host OS.
>
> But that misses the point. How many bugs relating to JVM security have
> been found? This adds a huge level of complexity to what should be a
> simple task (reading email).
>
> The point I am trying to make is that someone in microsoft should do a
> risk-benefit analysis before features get added. In this case, the
> benefits of scriptable email (minimal IMHO) don't outweigh the risks
> (huge, as demonstrated recently). This is just another example of
> microsoft focusing on adding gimmicks while their base software still
> sucks (again, IMHO).
>
> -dave
> --
> To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message
> body.
--
Strider Centaur
http://www.Scifi-Fantasy.com
"It is my observation that unless you really understand the issues, you are
hardly in a position to criticize. Nearly all Linux users have used Windows,
but very few Windows users have used Linux." -- Me