Benjamin Geer on Sat, 13 May 2000 23:27:10 +0200 (CEST)
Re: <nettime> Viruses on the Internet: Monoculture breeds parasites

On Sat, May 13, 2000 at 11:08:33AM +0200, Menso Heus wrote:
> On Fri, 12 May 2000, Benjamin Geer wrote:
> > To write a virus, it is not enough to write a shell script
> > that would do damage if you ran it.
>
> What exactly do you think the ILOVEYOU virus is?! It's a VBS script, a
> Visual Basic Script file. Visual Basic Script has been introduced on NT
> 4.0 and Windows 98 and can be used for the same functions that shell
> scripts can be used on unix systems: you can automate things with it.
> You, as a software developer should know...

I know very well what VBS is; I've written rather a lot of software in
it. You don't seem to have understood my sentence above. Let's suppose
I write the following two-line shell script:

    #!/bin/sh
    rm -rf /*

If you run this script with root permissions on a Unix system, it will
delete the entire contents of your hard drive. If I email this script
to people, is it a virus? No. All that will happen is that the people
who receive it will see the two lines above. The script will not
execute. A virus must exploit flaws in the receiving system in order to
cause itself to be executed, without the user's knowledge or permission.

> Outlook does NOT automatically open attachments, the user still has
> to click on them....

As I said, there is (or should be) a difference between 'opening' (i.e.
viewing) an attachment and executing it as a program. When I click on
an attachment in a mail agent, it should *not* execute it as a program.
The idea that it might do so is completely absurd. It should simply
show me the contents of the attachment.

> No, this is crap. You seem to be just another of those 'I don't have
> much clues but everybody's yelling that Linux is great so I'm gonna
> bash MS and stop thinking now just like the rest' people...

I have been developing software for Linux (and Windows NT) for quite a
few years now. For some of my open-source projects, see
nbpp.sourceforge.net and freemarker.sourceforge.net.

> If a newbie behind a linux box gets a mail saying 'pssst kiddo, execute
> me, it's great fun!' and the newbie saves it, gives it execution
> permissions and runs it then it's still the mailclients fault?

No, but in that case, the user has *decided* to install and execute the
program, and must accept the consequences. Clicking on an attachment in
a mail reader should not constitute a decision to execute the attachment
as a program.

Let's consider whether there are any legitimate situations in which you
would want to execute a program that you receive in the mail. I can't
think of any. It's worth noting that software products are never
distributed via email. You either download them from a web site, or you
get the CD. Of course, neither of these two distribution methods is
invulnerable to attack, but such attacks are considerably more difficult
than sending email. You might have noticed that there are few, if any,
viruses that are not distributed via email.

Even on Windows, when you acquire useful software (as opposed to a
virus), you always need to go through an installation process. You
don't just run the software directly off the CD. You need to give it an
appropriate place to live on your computer, and configure it. Then, as
a separate step, you run it.

If we suppose that someday, email might become a legitimate means of
distributing software, so that people would receive the latest version
of Microsoft Word in an email message from Microsoft, Outlook would
still have to run an installer program. In other words, the user would
be aware of choosing to install a piece of software. (Particularly
since, as usual, the installation procedure would have to reboot their
machine. :) ) To run Word, they would still have to select it from
their 'Start' menu.

Of course, if people insist on running a program without knowing what it
is or where it came from, and the program turns out to be a virus, then
the only solution is to educate the user.

But I don't think most users are as naive as you seem to think. Viruses
are often talked about in the news; people know that it's dangerous to
run a program that you receive in the mail. They simply aren't
expecting Outlook to run a message attachment as a program when they
click on it. Nor should they.

Benjamin Geer

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net
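
The distinction the message above draws between viewing an attachment and executing it, sketched as an added example that is not part of the original post: "opening" an attachment returns an inert text preview plus a flag for script-type names, and nothing is handed to an interpreter. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumption: file extensions a Windows host would pass to a script engine or loader.
ACTIVE_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".bat", ".cmd", ".exe", ".scr", ".pif", ".com"}

def classify(filename):
    """Return (active, disguised) for an attachment name."""
    # Windows ignores trailing dots and spaces, so "x.vbs. " still runs as .vbs.
    name = filename.rstrip(". ")
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    active = bool(suffixes) and suffixes[-1] in ACTIVE_EXTENSIONS
    # A harmless-looking inner extension ("notes.txt.vbs") hides the real type
    # when the desktop is configured not to show known extensions.
    disguised = active and len(suffixes) > 1
    return active, disguised

def open_attachment(part, preview_chars=200):
    """'Open' an attachment by rendering it as text; never execute it."""
    name = part.get_filename() or "(unnamed)"
    active, disguised = classify(name)
    raw = part.get_payload(decode=True) or b""
    preview = raw.decode("utf-8", errors="replace")[:preview_chars]
    return {"filename": name, "active": active,
            "disguised": disguised, "preview": preview}

def review_message(raw_bytes):
    """Parse a raw message and return one inert record per attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [open_attachment(p) for p in msg.iter_attachments()]

def build_sample():
    """Constructed sample message with one script and one text attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="application",
                       subtype="octet-stream", filename="notes.txt.vbs")
    msg.add_attachment("plain notes\n", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for record in review_message(build_sample()):
        print(record)
```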