Benjamin Geer on Sat, 13 May 2000 13:44:43 +0200 (CEST)


[Nettime-bold] Re: <nettime> Viruses on the Internet: Monoculture breeds parasites


On Sat, May 13, 2000 at 11:08:33AM +0200, Menso Heus wrote:
> On Fri, 12 May 2000, Benjamin Geer wrote:
> > To write a virus, it is not enough to write a shell script
> > that would do damage if you ran it.  
> 
> What exactly do you think the ILOVEYOU virus is?! It's a VBS script, a
> Visual Basic Script file. Visual Basic Script has been introduced on NT
> 4.0 and Windows 98 and can be used for the same functions that shell
> scripts can be used on Unix systems: you can automate things with it. 
> You, as a software developer, should know...

I know very well what VBS is; I've written rather a lot of software in
it.  You don't seem to have understood my sentence above.

Let's suppose I write the following two-line shell script:

#!/bin/sh
rm -rf /*

If you run this script with root permissions on a Unix system, it will
delete the entire contents of your hard drive.  If I email this script
to people, is it a virus?  No.  All that will happen is that the
people who receive it will see the two lines above.  The script will
not execute.  A virus must exploit flaws in the receiving system in
order to cause itself to be executed, without the user's knowledge or
permission.

> Outlook does NOT automatically open attachments, the user still has
> to click on them....

As I said, there is (or should be) a difference between 'opening'
(i.e. viewing) an attachment and executing it as a program.  When I
click on an attachment in a mail agent, it should *not* execute it as
a program.  The idea that it might do so is completely absurd.  It
should simply show me the contents of the attachment.

> No, this is crap. You seem to be just another of those 'I don't have
> much clues but everybody's yelling that Linux is great so I'm gonna
> bash MS and stop thinking now just like the rest' people...

I have been developing software for Linux (and Windows NT) for quite a
few years now.  For some of my open-source projects, see
nbpp.sourceforge.net and freemarker.sourceforge.net.

> If a newbie behind a Linux box gets a mail saying 'pssst kiddo, execute
> me, it's great fun!' and the newbie saves it, gives it execution
> permissions and runs it then it's still the mail client's fault?

No, but in that case, the user has *decided* to install and execute
the program, and must accept the consequences.  Clicking on an
attachment in a mail reader should not constitute a decision to
execute the attachment as a program.

Let's consider whether there are any legitimate situations in which
you would want to execute a program that you receive in the mail.  I
can't think of any.  It's worth noting that software products are
never distributed via email.  You either download them from a web
site, or you get the CD.  Of course, neither of these two distribution
methods is invulnerable to attack, but such attacks are considerably
more difficult than sending email.  You might have noticed that there
are few, if any, viruses that are not distributed via email.

Even on Windows, when you acquire useful software (as opposed to a
virus), you always need to go through an installation process.  You
don't just run the software directly off the CD.  You need to give it
an appropriate place to live on your computer, and configure it.
Then, as a separate step, you run it.  If we suppose that someday,
email might become a legitimate means of distributing software, so
that people would receive the latest version of Microsoft Word in an
email message from Microsoft, Outlook would still have to run an
installer program.  In other words, the user would be aware of
choosing to install a piece of software.  (Particularly since, as
usual, the installation procedure would have to reboot their
machine. :) ) To run Word, they would still have to select it from
their 'Start' menu.

Of course, if people insist on running a program without knowing what
it is or where it came from, and the program turns out to be a virus,
then the only solution is to educate the user.  But I don't think most
users are as naive as you seem to think.  Viruses are often talked
about in the news; people know that it's dangerous to run a program
that you receive in the mail.  They simply aren't expecting Outlook to
run a message attachment as a program when they click on it.  Nor
should they.

Benjamin Geer
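
The view-versus-execute distinction argued in the message above, sketched as an attachment click handler. This is an added example, not code from the post or from any mail client; the function names, the extension lists and the sample message are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed, non-exhaustive lists, chosen for illustration.
RUNNABLE = {".vbs", ".js", ".wsf", ".bat", ".cmd", ".sh", ".exe", ".scr", ".pif"}
SCRIPT_TEXT = {".vbs", ".js", ".wsf", ".bat", ".cmd", ".sh"}  # runnable, yet readable as text
DECOY = {".txt", ".doc", ".jpg", ".gif", ".pdf"}              # harmless-looking inner suffixes


def open_attachment(part):
    """Decide what a click on an attachment does. The result is never 'execute'."""
    raw_name = part.get_filename() or "unnamed"
    name = PurePosixPath(raw_name.replace("\\", "/")).name  # drop any sender-supplied path
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    data = part.get_payload(decode=True) or b""
    warnings = []
    if ext in RUNNABLE:
        warnings.append("program file: shown or saved, never run")
        if any(s in DECOY for s in suffixes[:-1]):
            warnings.append("name imitates a document; real type is " + ext)
    if ext in SCRIPT_TEXT or part.get_content_maintype() == "text":
        # Scripts and text are rendered as characters, exactly like the body.
        text = data.decode("utf-8", errors="replace")
        return {"action": "view", "name": name, "warnings": warnings, "text": text}
    # Anything else can only be saved; running it is a separate, deliberate step.
    return {"action": "save", "name": name, "warnings": warnings, "text": None}


def build_sample():
    """Constructed message with three attachments (all content is made up)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b'MsgBox "displayed, not run"\r\n', maintype="application",
                       subtype="octet-stream", filename="NOTES.TXT.vbs")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    msg.add_attachment(b"MZ\x00\x00", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg


def open_all(msg):
    return [open_attachment(p) for p in msg.iter_attachments()]


if __name__ == "__main__":
    for result in open_all(build_sample()):
        print(result)
```

The handler has no code path that hands the payload to an interpreter, so a click can only display or save; the double-extension warning covers the case where the visible name suggests a document.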

