Three to four years ago or so, I very strongly recommended that business
environments should not use Windows 95 in large part because of the "run as
root" issue (as well as the crash-happiness issue). My recommendation never
went over well, mostly because of the cost issue. Simply put, Win95/98
never belonged in an environment where you cared about a) your systems b)
your data.

Heck of it is, I've seen a number of NT Workstation implementations where
users expect to log in locally as "Administrator" with no password...

- Jeff

> -----Original Message-----
> From: Michael Smith [mailto:MSmith@webtonetech.com]
> Sent: Monday, May 08, 2000 3:20 PM
> To: ale@ale.org
> Subject: RE: [ale] Why does everything have to be scriptable?
>
>         But shouldn't everyone use some common sense? You don't take candy
> or rides from strangers, do you? I guess we should assume that everyone is
> stupid so we need to code for that. I love to have ten dialog boxes appear
> before I view a file (sarcasm).
>
>         I am just saying that when you make it easier for the average user
> to develop code (even if it is scripting), you are going to have some people who
> take advantage of it in the wrong way. I could send you an attachment that
> appears to be a grep executable and you save it to disk and execute it. The
> key is you are smart enough not to do this. I agree that Microsoft should
> have some kind of warning when a script like this is about to execute but the
> user needs to take some responsibility and not click on everything they see.
>
>         I won't speak any further because I know everyone is sick of this
> and we all know we can't change Microsoft.......
>
> -----Original Message-----
> From: Strider Centaur [mailto:strider@scifi-fantasy.com]
> Sent: Monday, May 08, 2000 2:57 PM
> To: ale@ale.org
> Subject: Re: [ale] Why does everything have to be scriptable?
>
> I totally disagree with this concept of security at the end user level in all
> cases. Microsoft has done little to educate the public, such features should
> ALWAYS be shipped turned off, forcing the end user to turn them on, with all the
> WARNINGs and the Its Your Ars that it deserves.
>
> Microsoft claims they are making computers easier to use for the common man,
> well security 101 tells us that Ease of Use and Secure are inversely
> proportional. So we read into this that it is the goal of Microsoft to err
> on the side of poor security where issues of ease of use may be concerned.
>
> Additionally, I can find no reason why an attachment should have the ability
> to affect anything outside of a USER space, ideally not even that much. The API
> is there, embedded and with little to no way to turn it off or make it
> inaccessible. At least with a gun there are lots of warnings and in most states
> mandatory training on proper use and maintenance. Then again a gun is a much
> easier to use tool, it's designed for sport and to kill, we hope only in the case
> of defense. I draw very little similarities between Windows and a gun other
> than both can be very expensive to own. :-)
>
> Basically your assertion that it's not an issue with Microsoft but with the
> education of end users falls flat in my book. While education may have helped,
> it is no substitution for correct security in the first place. This is not just
> a we hate Microsoft nit picking here. The same holds true for all OSs. If this
> happened in the Linux realm, because a distributor left sendmail configured with
> auto execution of binaries enabled (god save them), I would be just as hard
> nosed on them. Security is not to be taken lightly.
>
>
>
>
> Michael Smith wrote:
>
> > I think we need to start a campaign like the drug campaign a couple of years
> > ago.
> >
> > Just Say No.....to unknown attachments.
> >
> > This "worm" wouldn't have been an issue if people didn't open every
> > attachment without thinking about it. I know that Microsoft made the api
> > available but they didn't click on the attachment.
> >
> > .....This is starting to sound like gun control....
> >
> > I think the government needs to buy back all the Microsoft operating
> > systems. It will probably save lives. Ha.
> >
> > -----Original Message-----
> > From: David Heath [mailto:dave@hipgraphics.com]
> > Sent: Monday, May 08, 2000 2:04 PM
> > To: Dan Newcombe
> > Cc: ALE
> > Subject: Re: [ale] Why does everything have to be scriptable?
> >
> > >On Mon, 8 May 2000, David Heath wrote:
> > >> The problem is not everyone running the same software, the problem is:
> > >
> > >That's part of the problem - it makes it easy to know that the exploit
> > >will propagate - like the sendmail worm.
> >
> > It makes it easier, yes, but it is neither sufficient nor necessary
> > for virus propagation.
> >
> > >
> > >> 1) No security model in the most common os!
> > >
> > >It has security, however it comes with a very loose setting out of the
> > >box, and most people don't know to change it. If you change your security
> > >setting to "Internet Explorer's Restricted Sites" setting then you'd be
> > >immune.
> >
> > Does windows 98 have a concept of user vs. administrator? I don't
> > know, but certainly >= 99% of windows 98 users run everything
> > (including mail readers and web browsers) with _full_ access to the
> > system. That is what I mean by no security model. It places the onus
> > for security on the application rather than on the OS where it belongs.
> >
> > >
> > >> 2) Unnecessary and dangerous scripting capability being added to
> > >> everything these days. Scripting is fine for the user, but mail, web
> > >> clients, etc, should not accept scripts from the outside world.
> > >
> > >Agreed - well, they can accept it, but it should run like on a JVM - it
> > >only has access to the resources of the JVM, not the host OS.
> >
> > But that misses the point. How many bugs relating to JVM security have
> > been found? This adds a huge level of complexity to what should be a
> > simple task (reading email).
> >
> > The point I am trying to make is that someone in microsoft should do a
> > risk-benefit analysis before features get added. In this case, the
> > benefits of scriptable email (minimal IMHO) don't outweigh the risks
> > (huge, as demonstrated recently). This is just another example of
> > microsoft focusing on adding gimmicks while their base software still
> > sucks (again, IMHO).
> >
> > -dave
> > --
> > To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message
> > body.
>
> --
> Strider Centaur
> http://www.Scifi-Fantasy.com
>
> " It is my observation that unless you really understand the issues, you are
> hardly in a position to criticize. Nearly all Linux users have used Windows,
> but very few Windows users have used Linux. " -- Me
>
>
>