I totally disagree with this concept of security at the end user level in all
cases. Microsoft has done little to educate the public, such features should
ALWAYS be shipped turned off, forcing the end user to turn them on, with all the
WARNINGs and the Its Your Ars that it deserves.
Microsoft claims they are making computers easier to use for the common man,
well security 101 tells us that Ease of Use and Secure are inversely
proportional. So we read into to this that it is the goal of Microsoft to error
on the side of poor security where issues of ease of use may be concerned.
Additionally, I can find no reason why a attachment should have the ability
to affect anything outside of a USER space, ideally not even that much. The API
is there, embedded and with little to no way to turn it off or make it
inaccessible. At least with a gun there are lots of warnings and in most states
mandatory training on proper use and maintenance. Then again a gun is a much
easier to use tool, its designed for sport and to kill, we hope only in the case
of defense. I draw very little similarities between Windows and a gun other
than both can be very expensive to own. :-)
Basically your assertion that its not a issue with microsoft but with the
education of end users falls flat in my book. While education may have helped,
it is no substitution for correct security in the first place. This is not just
a we hate Microsoft nit picking here. The same holds true for all OSs. If this
happened in the Linux realm, because a distributor left sendmail configured with
auto execution of binaries enabled( god save them ), I would be just as hard
nosed on them. Security is not to be taken lightly.
Michael Smith wrote:
> I think we need to start a campaign like the drug campaign a couple of years
> ago.
>
> Just Say No.....to unknown attachments.
>
> This "worm" wouldn't have been an issue if people didn't open every
> attachment without thinking about it. I know that Microsoft made the api
> available but they didn't click on the attachment.
>
> .....This is starting to sound like gun control....
>
> I think the government needs to buy back all the Microsoft operating
> systems. It will probably save lives. Ha.
>
> -----Original Message-----
> From: David Heath [mailto:">dave@hipgraphics.com]
> Sent: Monday, May 08, 2000 2:04 PM
> To: Dan Newcombe
> Cc: ALE
> Subject: Re: [ale] Why does everything have to be scriptable?
>
> >On Mon, 8 May 2000, David Heath wrote:
> >> The problem is not everyone running the same software, the problem is:
> >
> >That's part of the problem - it makes it easy to know that the exploit
> >will propagate - like the sendmail worm.
>
> It makes it easier, yes, but it is neither sufficient nor necessary
> for virus propagation.
>
> >
> >> 1) No security model in the most common os!
> >
> >It has security, however it comes with a very loose setting out of the
> >box, and most people don't know to change it. If you change your security
> >setting to "Internet Explorer's Restricted Sites" setting then you'd be
> >immune.
>
> Does windows 98 have a concept of user vs. administrator? I don't
> know, but certainly >= 99% of windows 98 users run everything
> (including mail readers and web browsers) will _full_ access to the
> system. That is what I mean by no security model. It places the onus
> for security on the application rather than on the OS where it belongs.
>
> >
> >> 2) Unnecessary and dangerous scripting capability being added to
> >> everything these days. Scripting is fine for the user, but mail, web
> >> clients, etc, should not accept scripts from the outside world.
> >
> >Agreed - well, they can accept it, but it should run like on a JVM - it
> >only has access to the resources of the JVM, not the host OS.
>
> But that misses the point. How many bugs relating to JVM security have
> been found? This adds a huge level of complexity to what should be a
> simple task (reading email).
>
> The point I am trying to make is that someone in microsoft should do a
> risk-benefit analysis before features get added. In this case, the
> benefits of scriptable email (minimal IMHO) don't outweigh the risks
> (huge, as demonstrated recently). This is just another example of
> microsoft focusing on adding gimmicks while their base software still
> sucks (again, IMHO).
>
> -dave
> --
> To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message
> body.
> --
> To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.
--
Strider Centaur
http://www.Scifi-Fantasy.com
" It is my observation that unless you really understand the issues, you are
hardly in a position to criticize. Nearly all Linux users have used Windows,
but very few Windows users have used Linux. " -- Me
--
To unsubscribe: mail ">majordomo@ale.org with "unsubscribe ale" in message body.