Benjamin Geer on Sat, 13 May 2000 23:27:10 +0200 (CEST)



Re: <nettime> Viruses on the Internet: Monoculture breeds parasites


On Sat, May 13, 2000 at 11:08:33AM +0200, Menso Heus wrote:
> On Fri, 12 May 2000, Benjamin Geer wrote:
> > To write a virus, it is not enough to write a shell script
> > that would do damage if you ran it.  
> 
> What exactly do you think the ILOVEYOU virus is?! It's a VBS script, a
> Visual Basic Script file. Visual Basic Script has been introduced on NT
> 4.0 and Windows 98 and can be used for the same functions that shell
> scripts can be used on unix systems: you can automate things with it. 
> You, as a software developer, should know...

I know very well what VBS is; I've written rather a lot of software in it. 
You don't seem to have understood my sentence above. 

Let's suppose I write the following two-line shell script: 

#!/bin/sh
rm -rf /*

If you run this script with root permissions on a Unix system, it will
delete the entire contents of your hard drive.  If I email this script to
people, is it a virus?  No.  All that will happen is that the people who
receive it will see the two lines above.  The script will not execute.  A
virus must exploit flaws in the receiving system in order to cause itself
to be executed, without the user's knowledge or permission. 

> Outlook does NOT automatically open attachments, the user still has
> to click on them....

As I said, there is (or should be) a difference between 'opening' (i.e.
viewing) an attachment and executing it as a program.  When I click on an
attachment in a mail agent, it should *not* execute it as a program.  The
idea that it might do so is completely absurd.  It should simply show me
the contents of the attachment. 

> No, this is crap. You seem to be just another of those 'I don't have
> much clues but everybody's yelling that Linux is great so I'm gonna
> bash MS and stop thinking now just like the rest' people...

I have been developing software for Linux (and Windows NT) for quite a few
years now.  For some of my open-source projects, see nbpp.sourceforge.net
and freemarker.sourceforge.net. 

> If a newbie behind a linux box gets a mail saying 'pssst kiddo, execute
> me, it's great fun!' and the newbie saves it, gives it execution
> permissions and runs it then it's still the mail client's fault?

No, but in that case, the user has *decided* to install and execute the
program, and must accept the consequences.  Clicking on an attachment in a
mail reader should not constitute a decision to execute the attachment as
a program. 

Let's consider whether there are any legitimate situations in which you
would want to execute a program that you receive in the mail.  I can't
think of any.  It's worth noting that software products are never
distributed via email.  You either download them from a web site, or you
get the CD.  Of course, neither of these two distribution methods is
invulnerable to attack, but such attacks are considerably more difficult
than sending email.  You might have noticed that there are few, if any,
viruses that are not distributed via email. 

Even on Windows, when you acquire useful software (as opposed to a virus),
you always need to go through an installation process.  You don't just run
the software directly off the CD.  You need to give it an appropriate
place to live on your computer, and configure it.  Then, as a separate
step, you run it.  If we suppose that someday, email might become a
legitimate means of distributing software, so that people would receive
the latest version of Microsoft Word in an email message from Microsoft,
Outlook would still have to run an installer program.  In other words, the
user would be aware of choosing to install a piece of software. 
(Particularly since, as usual, the installation procedure would have to
reboot their machine. :) ) To run Word, they would still have to select it
from their 'Start' menu. 

Of course, if people insist on running a program without knowing what it
is or where it came from, and the program turns out to be a virus, then
the only solution is to educate the user.  But I don't think most users
are as naive as you seem to think.  Viruses are often talked about in the
news; people know that it's dangerous to run a program that you receive in
the mail.  They simply aren't expecting Outlook to run a message
attachment as a program when they click on it.  Nor should they. 

Benjamin Geer



#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net
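
The distinction drawn in the message above, between viewing an attachment and executing it, can be shown as a click handler that only ever returns text to display. This is an added example, not code from the original post: the names `open_attachment` and `click_all`, the extension list and the sample message are all constructed for illustration.

```python
import email
from email import policy

# Extensions a client might hand to an interpreter or loader.
# Assumption for this example; not a list taken from the post.
EXECUTABLE_EXTS = {".vbs", ".js", ".exe", ".bat", ".cmd", ".scr", ".sh"}

# Constructed sample message; the attachment body is a harmless one-liner.
SAMPLE = b"""\
From: someone@example.org
To: you@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: text/plain; name="note.txt.vbs"
Content-Disposition: attachment; filename="note.txt.vbs"

MsgBox "hello"
--b1--
"""

def open_attachment(part):
    """Handle a click on an attachment: return text to display, never run it."""
    name = part.get_filename() or "(unnamed)"
    # Classify by the last extension, not by the declared MIME type.
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    raw = part.get_payload(decode=True) or b""
    return {
        "filename": name,
        "is_program": ext in EXECUTABLE_EXTS,
        "action": "display",  # the only action a click can trigger here
        "shown": raw.decode("utf-8", errors="replace"),
    }

def click_all(raw_message):
    """Parse a raw message and 'click' every attachment in it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [open_attachment(p) for p in msg.iter_attachments()]

if __name__ == "__main__":
    for result in click_all(SAMPLE):
        warn = " [program source, shown as text]" if result["is_program"] else ""
        print(f"{result['filename']}{warn}\n{result['shown']}")
```

The handler has no code path that passes the attachment to an interpreter, so running the script would require a separate, explicit step by the user.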