Microsoft To Disable Autorun

jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."

Erm.....What the hell?

[Sj0]

Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

Re:Erm.....What the hell?

[Moryath]

Has to do with crap like this - the theory goes that you may WANT to have an autorun from them for legit reasons (movie on a "read only" flash disk, or a "plug this hard drive in and automatically launch Program X" setup).

Hell, without this, those "U3 Enabled" flash drives (yeah I know, gag puke awful crap software) are even harder to use too. They use a single partition with the U3 software, autoboot it, check for you entering your "password", and only they will it decrypt the OTHER partition on the drive for you.

See where this is going?

Re:Erm.....What the hell?

Microsoft wanted a computer to be an appliance. The person operating it didn't have to know much. When it got older, you bought a new one Want your new camera to work? Plug it in and insert cd. Want an external hard drive you just plug in and it backs up your stuff? You got it. Want to watch tv on your computer? Plug it in the usb slot, plop the cd in the drive and you're good to go. Good idea. However, the real world doesn't play with good ideas very well.

Re:Erm.....What the hell?

[Sj0]

The risk is too obvious and too stupid to take.

A menu pops up with this stuff anyway: "Hey, want to open this folder?", so it's not like you're doing anything more than adding exactly one step.

Re:Erm.....What the hell?

[Midnight+Thunder]

Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

A compromise would have been to ask the user, but disabling is completely is probably better, since it will avoid stuff like the Sony Root kit, being installed by a clueless user. After all:

Computer: "Do you want to do xyz? It may break you computer."
User: clicky, clicky "Why yes of course"

Re:Erm.....What the hell?

suddenoutbreakofswineflu
WTF?

Re:Erm.....What the hell?

Why don't you jump into your time machine and go tell that to Microsoft at its first implementation?

"You can't make this happen. It'll introduce another security hole vector. Yes in the future you'll be riddled with security problems. Yes. Also, as a sacrifice you'll have to appear not as 'user friendly' which will cut into your billions of dollars of revenue. See you in the future! Thanks!"

Re:Erm.....What the hell?

[Sj0]

CD is read-only, thus not applicable.

Re:Erm.....What the hell?

[Red+Flayer]

Why wasn't this the default to begin with?

In the beginning, there was a User.

This User did not possess the special knowledge of the Priests of the Cult of Computers.

This User was granted divine Manna from heaven in the form of a shining disc with an outer shell of a transparent horn-like material.

"Lo!" said he, "I have found the Sacred Tablet of AOL!"

And he put the Tablet in the Slot of Curious Whirrings, and nothing happened. And this was Good.

But the User was unhappy, and complained to the Disciples of AOL, that the sacred disc of AOL was defective.

And so the Disciples of AOL conferred with the Disciples of Borg.

Now, the Disciples discipled for a while, and determined that the User could never be trusted grok the mysteries of "Drive D". The Disciples agreed, also it was bothersome and unholy, to be summoned each time a Tablet was delivered by divine provenance to another User. And so Autorun was created.

Verily, the User could place the Sacred Tablet of AOL in the Slot of Curious Whirrings, and without any further discipling by the Disciples, could run AOL.

And thus were the Demons of AOL unleashed upon the world together with the Lord of PC Plague and Pestilence, he-who-should-not-be-named-but-nevertheless-I-will, Autorun.

Re:Erm.....What the hell?

[steelfood]

In general, there's no good reason for computers to execute code you did not explicitly ask it to execute.

Malware can still be distributed through sneakernet. And remember the Sony rootkit fiasco? That's no better or worse than something you might catch from popping a pirated CD or DVD (the ones you buy for $1 off the streets).

Computer security is about control. It's about controlling what enters and leaves the computer, and what executes on the computer. Anything that causes execution on read automatically implies a complete loss of control.

Re:Erm.....What the hell?

[Sj0]

I don't believe for a second that limiting autorun to read-only media would be even remotely damaging to Microsoft. Frankly, I expected only CD-ROM drives to be able to do that.

Re:Erm.....What the hell?

[Twillerror]

Not entirely true. When I plug in my camera and a little popup comes up I really like that. Why...because it's not exactly what program I'd like to launch. Most of the time I just want to get at the file system and copy and paste over the files.

Then there is my wife who would be completely lost without the auto run that cameras present users with.

When USB drives plugin sometimes they auto run management software which could include faster drivers or encryption utilities. I'd don't want the option for this lost.

The problem to me is not that it auto runs, but that it doesn't require any sort of user involvement. I like auto run cds...except when I don't want it. I know I can hold down shift to get around it, but if I forget or my arms are to short to do both at the same time I'm boned.

If there is a use case (even if you don't see the need) for this then we need to try to continue to support it. My guess is someone though of a GOOD user for it. I don't want my entire computer expierence to be dictated by virus writers and boring programers. It's like saying we can't fly on jets because someone could fly them into buildings...figure out how to stop people from flying into buildings...not stop flying.

Re:Erm.....What the hell?

[Randle_Revar]

Hilarious!

Re:Erm.....What the hell?

[Yaksha42]

I have a thumb drive I want to automatically back up every time I plug it in. I want it to back up to C:\backup\{datetimestamp}

I had to get a program called Autorun USB to get it to work, but with this and a .bat file I was able to get immediate automatic backing up of my thumb drive every time I plugged it in.

Re:Erm.....What the hell?

[interkin3tic]

Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

Man, I'm WAY too busy to double click on my flash drive, I gotta have those pictures of the kegger last weekend NOW! Thanks a lot, micro$oft, selling out to the "anti-kegger pictures immediately" lobby!

Re:Erm.....What the hell?

[PitaBred]

There should be a minimum level of expertise required to operate certain equipment. You don't get cars that automatically put their turn indicators on, because that would just cause more problems than it solves, and it would enable people to be even stupider. Same thing with Autorun. Autorun should NEVER be there. Let the machine say "What do you want to do with this?" like you're suggesting, but it shouldn't ever just choose something by default.

Re:Erm.....What the hell?

[Midnight+Thunder]

CD is read-only, thus not applicable.

Heck, missed that :( An alert window would be nice then.

Re:Erm.....What the hell?

While I agree with your point about boring programmers, your analogy would fall flat if 1/10 airplanes were smashed into a building within an hour of takeoff.

Re:Erm.....What the hell?

[Feanturi]

That's only if there isn't an autorun.inf pointing to an executable. If there is, it runs that instead of showing the "What do you want to do?" dialog. Only having autorun disabled will protect you from that. What would be good is if it was disabled by default, but could be turned on for select "trusted" flash drives. Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

Re:Erm.....What the hell?

[EvanED]

Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.

Re:Erm.....What the hell?

[RzUpAnmsCwrds]

A compromise would have been to ask the user

This is exactly what Vista does. The problem is that you can customize the icon for the "run" operation, and malware authors got clever and used the folder icon. If you weren't paying attention, you might click the wrong option and install the malware (although there's also a UAC prompt to get through on Vista).

Re:Erm.....What the hell?

[thePowerOfGrayskull]

hat a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?

The best system is one that just does what you want it to do, without distracting you from your task by making you think about it. That holds equally true for computers, windshield wipers, and toilet paper.

Re:Erm.....What the hell?

[Darkness404]

And remember the Sony rootkit fiasco? That's no better or worse than something you might catch from popping a pirated CD or DVD (the ones you buy for $1 off the streets).

Except for the fact the Antivirus you paid $80 for will catch the malware that came off the CDs and DVDs but believes that the Sony Rootkit is "legitimate" and leaves it alone.

Re:Erm.....What the hell?

[supernova_hq]

Those U3 enabled flash drives will STILL autorun. The second partition is made to appear to be a cdrom to windows, which means that windows will still autorun the crap they put on there.

Not only that, but this will give sandisk a semi-legit reason to partitions those bloody things. To this day, the ONLY way to get rid of that damn partition is using a windows utility, and that doesn't even work half the time!

Re:Erm.....What the hell?

[Bert64]

Modern systems come with cd/dvd recorders by default...
A piece of malware could hijack your burning apps and add itself to any optical media you burn.

Re:Erm.....What the hell?

[mooingyak]

You're a disciple of AOL.

Re:Erm.....What the hell?

[TooMuchToDo]

Will they differentiate between a CD and a CD-R/RW?

Re:Erm.....What the hell?

[Happler]

I have met people who do not think about toilet paper and they stink. I am a firm believer that people should have at least a basic understanding of what tools they are using. Knowing the basics of windshield wipers means that you can purchase and change them yourself (and pay less in the long run). Knowing the basics of computers means that you will, at least, help minimize the amount of damage you do to your computer via virus, malware, stupid user tricks, etc. I have worked too much tech support to encourage systems that do everything for the user. It just creates more problems then it is worth.

Re:Erm.....What the hell?

[Bert64]

A very small number of people are qualified to operate jet planes.
Being a passenger on a plane is a massive difference from flying it yourself...

Re:Erm.....What the hell?

[jabithew]

Maybe the system will draw a distinction between a CD/DVD-ROM and a CD/DVD-Anything else.

Re:Erm.....What the hell?

[Penguin+Follower]

Brilliant! :)

Re:Erm.....What the hell?

[Nerdfest]

It's still an infection vector.

Re:Erm.....What the hell?

[Cajun+Hell]

The best system is one that just does what you want it to do

Autorun isn't intended to do what users want it to do. Close, but not quite. Autorun is intended to do what ..
.. .. somebody .. ..
.. wants it to do. That person is never the user, unless the user wrote the autorun script. That person may have the user's interests at heart.

Re:Erm.....What the hell?

[Hognoxious]

Autorun is on the whole more trouble than its worth. Its evil twin (popup window that asks what you want to do) is almost as annoying and incredibly slow (probably because it reads every file on the bastarding media three times in order to try and second guess you). And to add insult to injury I find it doesn't always remember when I tell it to just fuck the fuck off already, I know where file twatting manager is, thank you very fucking much, Bob.

First thing I do on any machine with an optical drive is to disable autorun on it, but then I occasionally have to dig in the stupid autorun.inf file to see what program it should execute so I can trigger the shite-heap manually. Equally bloody irritating either way.

The solution - and frankly it's obvious to any organism that doesn't contain chlorophyll - would be a semi-autorun; it does what the .inf file says, but only if and only fucking well when you explicitly tell it to. If someone can be trained to put a CD in a drive, the right way up and (here's the tricky bit) having remembered to take it out of the box first then they can be trained to press "activate", "launch", "shoot" or whatever you'd want to call such a feature.

Re:Erm.....What the hell?

[Tanktalus]

No other device stores nearly so much of a user's information as a computer. Except maybe a filing cabinet, and you damned well better know where to find your information there, because there's no "grep" tool for that!

All I'm saying is that analogising a computer against a lawn mower may break down for some things. And this might just be one of them.

I don't expect a user to be able to write a program, or even a script, or even a batch file. But I do expect them to know where they store their stuff insofar as its similarities to a set of filing cabinets goes.

Re:Erm.....What the hell?

[BikeHelmet]

Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?

The same reason I have to drive my car, rather than picking a destination, waiting, and magically ending up there.

Opening a folder is not that difficult. I do tutoring sometimes, and I've found more people are confused by the Autoplay menu than just opening the drive in Explorer. Those Autoplay menus can get very cluttered!

Re:Erm.....What the hell?

[bhtooefr]

Autorun on read-only media is still an infection vector.

(Hell, even if the "read-only media" in question is a pressed CD, not a CD-R. *cough*Sony BMG*cough*)

Re:Erm.....What the hell?

[interiot]

The problem is that businesses use autorun on burned demos for customers, particularly when they need only a small number of demo discs. There are lots of small businesses that do this, and we even do it at the Fortune 100 company I work at.

What percentage of legit uses of autorun CDRs versus virus autorun CDRs? I'd imagine the legit uses far outweigh the virus ones (though that could change in response to this article's change, I suppose).

Re:Erm.....What the hell?

[maxume]

But is autoplay/autorun an automatic turn signal or is it a starter motor?

Re:Erm.....What the hell?

[digitalchinky]

No grep for the filing cabinet? My god man, are you serious? Around here the command is a verbal "nice -20 Office Beeyatch grep -i report"

Re:Erm.....What the hell?

[rolfwind]

He obviously meant that one should beckon him a disciple of AOL, just like one would call a cab. But I don't find any AOL disciples in the phone book. Maybe if I check under frisbee...

Re:Erm.....What the hell?

[camperdave]

"yeah, because I like doing work myself that a computer is good at".

This is exactly why a CLI is better than a GUI. With a CLI, you type the command, and the computer goes off and finds the actual executable. With a GUI, you have to do that manually: Click Start, select All Programs, select Microsoft Office, click on Microsoft Word (as an example). When did we humans get stuck with the job of finding the actual program we want to run?

Re:Erm.....What the hell?

[Molochi]

You would have to have a 5 digit UID to be that evil. At best your're an acolyte of AOL.

Re:Erm.....What the hell?

[adisakp]

As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.

Autorun does work really well... at installing rootkits on your machine from Sony/BMG CD's.

Re:Erm.....What the hell?

[Molochi]

Dammit...

Re:Erm.....What the hell?

[maxume]

If you open up "My Computer" in Windows Explorer and right click on a media with Autorun or Autoplay features, the relevant feature should show up as an option (Just now I am testing Autoplay, which I have turned off; it does turn up as an option).

I think that works for "only if and only fucking well when you explicitly tell it to".

Re:Erm.....What the hell?

[Toonol]

As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

Computers are HORRIBLE at deciding what is safe to run at what isn't. That's the central security problem, and it probably won't be solved until we have strong AI.

Re:Erm.....What the hell?

[FlyingBishop]

He specifically mentioned the Sony Root kit, which was installed by otherwise innocuous, mass-produced CD's.

Re:Erm.....What the hell?

[Hatta]

As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

Computers are good at deciding whether or not you can trust a piece of software? What algorithm would you use for that?

Re:Erm.....What the hell?

[FlyingBishop]

Why would you pay money for something that could take over your computer when you could just pirate it yourself (with the same obvious risks.)

Re:Erm.....What the hell?

[Z80xxc!]

Actually, by default on Windows XP and later, if a removable device such as a flash drive has an autorun file, the prompt will still come up, and ask you which action to take. The action specified by autorun.inf will be highlighted by default, but you can click "cancel" or some other action. The problem is that many viruses call themselves "Open in Windows Explorer" or something to that effect, so people click it anyhow.

Re:Erm.....What the hell?

[nicolas.kassis]

Humans are HORRIBLE at deciding what is safe to run at what isn't. That's the central security problem, and it probably won't be solved until we have intelligence.

there fixed that for you

Re:Erm.....What the hell?

[Animaether]

except that he gave the example of Windows Vista as actually getting things fairly right.

DVD video, CD audio -> autoplay OK
USB/PhotoCD, CD/DVD with just images -> autoplay OK
USB/CD/DVD with autorun specifying an executable -> DO NOT AUTORUN.

Within 'do not autorun' you even get choices...
A. Ask me what the flippant to do
B. Do nothing whatsoever.

Option A is perfectly sane. The only problem is in the presentation. People exploit the fact that one of the usual options is the 'browse disc' thing. They use the same icon, give it the same name, it appears at the top and voila.. people think that's the regular ol' browse disc option but in reality they end up running nefarious software.

Autorun/Autoplay are not the issue given the above - the design of that dialog asking you what to do *is*.

The new method sucks monkeyballs. Thankfully there's third-party autorun utilities and I'll be installing one of those once I land on Windows Se7en.

Re:Erm.....What the hell?

[DragonWriter]

Autorun isn't intended to do what users want it to do. Close, but not quite. Autorun is intended to do what .. .. .. somebody .. .. .. wants it to do. That person is never the user, unless the user wrote the autorun script.

Or, unless the user deliberately enabled autorun and deliberately put the media in the drive/slot/etc. What the user wants can be "whatever the creator of the autorun script on this drive programmed", after all.

Re:Erm.....What the hell?

[Requiem18th]

Yeah picture Grayskull sitting in a toilet staring at the paper and saying, what are you waiting for? Do what you are supposed to do!

Re:Erm.....What the hell?

[pizzach]

Erm. Isn't the only reason why Windows users need autorun is because their media doesn't appear on their desktop when inserted? It's always hidden somewhere weird like My Computer or something...

Re:Erm.....What the hell?

[_ivy_ivy_]

Except maybe a filing cabinet, and you damned well better know where to find your information there, because there's no "grep" tool for that!

Yes there is. It is called an administrative assistant. However, if you use too many command line options, they get quite cranky.

Re:Erm.....What the hell?

[Fumus]

In Vista you can go: Press Start button, type "word", hit enter. And you open MS Word using a CLI-like interface.

Re:Erm.....What the hell?

[wampus]

Mash windows key. l4 and I am killing zombies. Windows search is slick.

Re:Erm.....What the hell?

[GuldKalle]

..Or maybe the autorun program could be an option in the "what do you want to do"-menu. That way the user still has to take action, and you don't have to reprint every manual printed within the last 14 years.

Re:Erm.....What the hell?

[SailorSpork]

Why wasn't this the default to begin with?

Simple: because it's much smarter to expect tech savvy users to be able to turn off autorun if they don't want it than for tech novices to turn it on if they do. Remember, if they're running Vista, it may be because they can't compile their own Linux distro to run on a Beowulf cluster of PS3's - they may just be your grandma trying to run their card-making or Tax software.

Re:Erm.....What the hell?

[rnelsonee]

If we're talking about CD's, then the user is already assuming the script writer has their best interests at heart - why else would they be sticking the CD in the drive? All disabling autorun does is make it harder for users, because *no* user is ever going to stick a CD in the drive, and then say "Well, that was fun" and then take the CD back out and throw it away. They're putting it in to install software! And if they're putting a CD in that doesn't have a setup.exe, then there's not going to be an autorun.

I use autorun for my customers. I have multiple install scripts depending on the type of computer and dependencies. I'd rather change an autorun.inf than explain which setup to run to my customers. I'm getting paid to automate tasks (my software is basically an automated testing suite). If Windows forces my users to run setups themselves, its making everyone's life more difficult.

If you think autorun is a security threat, you can already disable it. At least make it a choice.

Re:Erm.....What the hell?

[shutdown+-p+now]

Autorun does work really well... at installing rootkits on your machine from Sony/BMG CD's.

This made me wonder if Sony will now sue Microsoft for producing software that circumvents their copy protection.

Re:Erm.....What the hell?

[wampus]

The one they use right now is pretty good. If the executable isn't signed, it asks for an admin password.

Re:Erm.....What the hell?

[HTH+NE1]

I have met people who do not think about toilet paper and they stink.

Who needs toilet paper when you have three seashells?

Re:Erm.....What the hell?

[Lonewolf666]

I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.

That's OK as long as you have safe media players and a solid distinction between "display only" and "contains arbitrary code" filetypes. I wouldn't really trust Microsoft to get that right. Even if they have removed the most embarrassing security holes they used to have in that area by now (several years ago you could send an e-mail with VB attachment to someone, and Outlook would execute that code without asking).

Re:Erm.....What the hell?

[mysidia]

Even then.. malware authors will actively be looking for ways to fool the AI.

Don't underestimate them, they will use their own systems to "test", and keep modifying their software until they can convince it it's safe.

The way to prevent autorun malware is to require binaries signed by a highly-regarded well trusted authority who has an obligation to not sign malware, and to require a check for certificate revokation before invoking the media's autoruin program.

Oh yeah, and that authority has to actually manually review the executables, and look for problems, (like that software loading yet another executable that doesn't have to be autorun-signed) , not merely use some AI, or reply on a "fee" payed by the developer to "prove" they're legit.

Re:Erm.....What the hell?

[initialE]

Autorun was a feature touted with the release of windows 95 - you don't have to know how it works, just pop in the damn CD. I guess going backwards and removing this feature would be quite an embarassment, no matter how long it's been. Personally I'm surprised it hasn't been exploited much earlier. It's the uPnP fiasco all over again, only it's taken much longer to play out.

Re:Erm.....What the hell?

[Trogre]

So is a flash drive with the switch set to the "Read-Only" position. Are they exempt too?

Re:Erm.....What the hell?

[HTH+NE1]

Autorunaway!

Re:Erm.....What the hell?

[mysidia]

The decision is an intractible one, but human-action-required at least serves as an obstacle the bad guys have to cross.

If you inserted a flash drive and didn't mean to run a program, chances are you won't open up explorer and look for the program to run.

OTOH, if Windows just launches it for you, or prompts you to do it, you're just hosed....

Re:Erm.....What the hell?

[Windowser]

undoing damage done by stupid moderation auto-post-without-undo function. I wanted to moderate you as funny

Re:Erm.....What the hell?

[mysidia]

The problem with that is people use their computers as computers not appliances.

When you pop a CD in your CD player.. no matter what's on it, it can't take over your CD player and reprogram it to make toast instead of playing CDs.

If you want your OS to be an appliance.. use an ISO9660 filesystem for your system directories; i.e. make the system software folders read-only except for signed updates. Only allow software and addons in designated places designated for addons.

Don't allow user software to manipulate a giant registry that also contains system parameters.

Most of the knobs should be frozen, and only editable by interacting with the vendor-provided UI.

In fact, run all software in a sandbox, like UNIX chroot or UNIX non-superuser at least, so program A cannot effect program B, and cannot hook system events, run in the background, hide windows, directly manipulate memory, or other such nonsense.

Re:Erm.....What the hell?

[nurb432]

Because most average users cant handle opening up explorer and knowing what to execute to get their app to run.

THey have enough trouble answering the questions during an install, or finding their files when they want to open them in their word processor 'Microsoft', or email..

Re:Erm.....What the hell?

[mysidia]

If only they had applied the same policy to read-only optical media...

By the way... I wonder if CD-Rs/DVD-Rs, and other burned media will be treated.

Will they autorun?

What about multi-session disks?

Any possibility of malware detected a multi-session disk and burning a new session with a malicious autorun?

Re:Erm.....What the hell?

[mysidia]

After this change, maybe they will find that investing in a CD press, or paying a third party to make proper pressed CDs will be worth it. I'm all for microsoft at bare minimum excluding all (re)-writable media, and all write-once optical media also.

Yes, they will have to pay something, but who ever said security was free? It's not free, either for the person implementing it, or for third parties (outsiders like vendors trying to get you to run their demo) who may be effected by security policy.

The market for burned demo CD-Rs may be too small to justify the security risk of allowing CD-Rs to autoplay, from Microsoft's end.

IMO, requiring pressed DVD-Rs is not even a strong enough barrier. Digital signatures should be a requirement.

And when signed the autorun executable should always be invoked in some sort of sandbox where only signed code can be spawned.

Re:Erm.....What the hell?

[mortonda]

You do know that you need to check the oil in your car and lawnmower? Your lawnmower blade may need sharpening?

You should have a basic understanding of your tool at hand. Some tools are dangerous.

Re:Erm.....What the hell?

[EvanED]

This is exactly why a CLI is better than a GUI. With a CLI, you type the command, and the computer goes off and finds the actual executable.

Except that when you want to use a program that you don't use much, or in a new way, you have to preface that by "man whatever" or googling instructions, whereas what you can do in a GUI is largely discoverable during the normal course of your use.

With a GUI, you have to do that manually: Click Start, select All Programs, select Microsoft Office, click on Microsoft Word (as an example).

And that's why Vista's start menu is much better than XP's.

If you're still using XP, there's Launchy. (Actually that might be worthwhile even under Vista.)

Re:Erm.....What the hell?

[gad_zuki!]

>When I plug in my camera and a little popup comes up I really like that.

Thats not autorun, thats a device connecting to the USB bus and a service you installed with your camera launching an app. I doubt the root of your camera has an autorun.inf file.

Re:Erm.....What the hell?

[EvanED]

Good thing that (I am pretty sure) wouldn't happen in Vista, or at least less likely, which is exactly what I'm talking about.

Re:Erm.....What the hell?

[EvanED]

Computers are HORRIBLE at deciding what is safe to run at what isn't.

That's why Vista's solution, which doesn't run anything from the untrusted media, is a great compromise.

Re:Erm.....What the hell?

[EvanED]

Erm. Isn't the only reason why Windows users need autorun is because their media doesn't appear on their desktop when inserted? It's always hidden somewhere weird like My Computer or something...

For me, that's not the primary benefit. The primary benefit is that I get a window that appears on top of everything that's open. Even if it did put an icon on the desktop, I'd still have to minimize a bunch of crap to get to it.

If Windows would actually join the 1980s and have decent support for virtual desktops that would alleviate a lot of that, but even in KDE or Gnome it's often the case that I have stuff open on all of the desktops and would still have to move things. (On the tiling WM I'm using now, awesome, I've got 32 virtual desktops on each monitor, about 1/3 of which are usually used, so there getting to an open desktop would be pretty easy.)

Further, there are times when you don't want to just open the window to explore the contents; if it's a CD, you might want to autorun the installer on the CD. With Vista's autoplay, that's one click. With it appearing on the desktop, that's two double-clicks. If you plug in a camera, you might have it ask to start your camera program and start downloading images. Again one click with autoplay. With a manual start, that's probably a few clicks away as you start the program yourself and then follow its instructions.

It's not a huge win, but it is a small convenience. And at this point, the difference between different systems are usually just small conveniences for the most part anyway. Linux wins some, Windows wins some, OS X wins some.

Re:Erm.....What the hell?

[mysidia]

Except when it's emulated by a device that is not read-only.

For example, there is a possibility that a USB flash drive could be equipped with a controller that pretends to be a USB hub with two devices hooked up to it: a USB CD drive with a CD plugged into it, AND, a Mass storage device as well.

With the contents of the emulated "CD" coming from something actually stored on the mass storage device, i.e. a hidden .ISO, or a hidden partition, for instance.

In this case, the "CD-ROM" (which looks to the OS just like any other USB-attached external cd-rom drive), is actually quite editable.

Re:Erm.....What the hell?

[EvanED]

Computers are good at deciding whether or not you can trust a piece of software? What algorithm would you use for that?

When given media that XP would have autorun, Vista uses the following algorithm:
  1. ask the user what he wants to do
  2. if the user clicked the "autorun" button (which says what the exe name is, and probably publisher info if it's signed), goto 5
  3. don't run the program
  4. goto 6
  5. run the program
  6. end

It works pretty well.

Re:Erm.....What the hell?

[dakameleon]

Who verifies the signature? Who verifies the verifiers? What stops a signature from being faked?

if you're going to be paranoid about these things, you might as well be all-the-way paranoid.

Re:Erm.....What the hell?

[EvanED]

That's OK as long as you have safe media players and a solid distinction between "display only" and "contains arbitrary code" filetypes.

I fully agree Windows doesn't make a very good distinction between these, but I view this as an almost entirely orthogonal issue to the autoplay/autorun stuff. I'm not sure how it'd be particularly related.

Re:Erm.....What the hell?

[wolferz]

because in 1995 when autorun was introduced viruses on home computers were an oddity and the internet was a place for nerds. There was no need to be concerned with such security. In later windows the functionality was kept because it was expected to be there by device manufacturers. When external flash and hard drives appeared windows 98 saw all media, regardless of what it was, not connected during boot up as something to be "auto run." By the time there was any separation between media types in windows (windows xp) there were already people using such devices with autoplay features... including manufacturers of the devices themselves.

The only reason it is changing now is that, shortly after xp landed on desktops world wide, spyware and self disseminating viruses became the norm... leading to the current security crazy.

Re:Erm.....What the hell?

[EvanED]

OTOH, if Windows just launches it for you, or prompts you to do it, you're just hosed....

Agreed on the first, but disagreed on the second.

Here's my reasoning. Why are you inserting an unknown flash drive anyway? Probably to figure out what's on it. So if Windows didn't prompt, you're probably going to look around the drive anyway, and probably come across the program that the autoplay window in Vista would prompt you to run. If you say "run this program" in the autoplay window, why wouldn't you say "run this program" when you come across it on the disk?

In fact, I'd say that the situation is exactly the reverse. If I saw some untrusted media try to autorun something, I'd be more suspicious of it than if I just stumbled across the program on the drive when looking through. Furthermore, it's a little more resistant to obfuscation by hiding the .exe extension and stuff, since if it asks you to autorun something, you know it's a program.

(This is written from the point of view of a user who isn't clueless. For someone who is careless or ignorant or whatever, I'll acknowledge that prompting is probably more prone to result in the program getting run. That'd be reason to maybe change the default, but if MS did do that, I'd set it back to Vista's current default.)

Re:Erm.....What the hell?

[EvanED]

Who verifies the signature? Who verifies the verifiers? What stops a signature from being faked?

if you're going to be paranoid about these things, you might as well be all-the-way paranoid.

Yes, because after all, if we can't make it IMPOSSIBLE to crack, we might as well not make it rather harder?

BTW, most Linux package managers now check signatures on the packages they install. You know why? Because it's a damn good idea. It eliminates most attack vectors and it eliminates almost all of the easily-attackable attack vectors.

(MS is using signatures a bit differently than the Linux folks are, but many of the same principles and benefits apply.)

Re:Erm.....What the hell?

[Thinboy00]

I'm not very familiar with KDE history, but if I had to guess I'd say MS shamelessly ripped that off...

Re:Erm.....What the hell?

[Thinboy00]

No, Sony got in HUGE trouble for that (not sure if it was legal trouble, but after the public outcry, they recalled EVERYTHING and IIRC a court may have ordered them to do more or something...?).

Re:Erm.....What the hell?

[Thinboy00]

Lemme put that into Java for you:

Java.luser.ask("you.do.want.what?");//1. ask the user what he wants to do
if(Java.luser.clicked()){//2. if the user clicked the "autorun" button...
//Java doesn't support GOTO
        Program.run.now();//5. run the program
}else{
        Program.dontRun.now();//3. don't run the program
}
Java.lang.System.end()

Caution:YMMV, and MS will probably complain about patent issues in the above code.

Re:Erm.....What the hell?

[Thinboy00]

In GNOME you can add a button to the panel which hides all open windows. Ubuntu puts it in the lower left corner (the corner pixel is active by default, as are the other three. Apple and MS are STILL too dumb to figure that one out.).

Re:Erm.....What the hell?

[nabsltd]

That's only if there isn't an autorun.inf pointing to an executable. If there is, it runs that instead of showing the "What do you want to do?" dialog. Only having autorun disabled will protect you from that.

The following registry change works quite well:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

This allows media with music and pictures to do whatever you have chosen for them (i.e., running a known, already installed program), while stopping that random .EXE from the media from running automatically.

Re:Erm.....What the hell?

[Thinboy00]

assert(then != than);

There. Fixed that for you.

Re:Erm.....What the hell?

[Thinboy00]

What if a virus "infects" a USB stick? What if the luser puts the infected stick into the computer? What if social engineering is used to trick the luser into hitting "OK, run it!" on the dialog box?

Re:Erm.....What the hell?

[Thinboy00]

What switch?! Floppies haven't been used for years!

Re:Erm.....What the hell?

[Thinboy00]

"Windows needs your permission to repaint the screen. Allow or deny?" (duh yes)
"Windows needs your permission to start the printer. Allow or deny?" (yes please)
"Windows needs your permission to install malware. Allow or deny?"(yeesss... I MEAN NO!!!... FUCK!!!)

Re:Erm.....What the hell?

[nabsltd]

If Windows would actually join the 1980s and have decent support for virtual desktops that would alleviate a lot of that, but even in KDE or Gnome it's often the case that I have stuff open on all of the desktops and would still have to move things. (On the tiling WM I'm using now, awesome, I've got 32 virtual desktops on each monitor, about 1/3 of which are usually used, so there getting to an open desktop would be pretty easy.)

The Windows NT 3.1 Resource Kit included a program called TopDesk which still works fine with everything up through XP. It does the same sort of multiple desktop system that your link shows.

I run with and 11x3 layout, so that's 33 total desktops. Windows can be set to follow you to the current desktop, or stay where they were as you switch. You can also have "ghosts", which allow you to force a particular program to always start up on a particular desktop.

Re:Erm.....What the hell?

[Tony-A]

>CD is read-only, thus not applicable.
I do not care about overwriting the CD.
I do care about overwriting everything else.

Seems like there are CD's which will boot and then automatically wipe the disk. Very useful for Windows computers.

Re:Erm.....What the hell?

[rtb61]

As an interesting side point on that issue, M$ knew all about Sony's root kit prior to it being released in fact they were involved in evaluating it and it was a M$ advertising blogger who announced it to the world not long after it was released and of course just prior to the release of the playstation 3, ahh, the wonderful world of modern marketing techniques.

Re:Erm.....What the hell?

[uniquegeek]

Those bloody U3 drives are the bane of my existence. I work in a print shop, so people bring those in all the time. Click, click here and there, "gosh, this is cd drive", "you have to reboot" (I don't). Even more fun are the "secure" drives that want to install an executable to allow access to a file. Fun arguing with people over that one, especially the ones who don't "get it". The ones who do "get it" panic that they need their file and I should just open it anyway because they promise it will be ok.

The Kodak photo cd's are along the same lines too. In order to view a directory so I can select specific pictures, I have to click several times to get out of the "here's a slideshow, oh are you quitting the slideshow, are you sure, ok we just quit the slideshow" screens.

Insert drive. View contents. Why does this have to be difficult?

I recall a more recent issue of 2600 which had fun with the programs U3 drives autorun... for example, switching them to do things like report the IP & system info of the machine it was currently plugged into to their own server. Good times. //love my lexar firefly

Re:Erm.....What the hell?

[Hal_Porter]

I always liked Start (or Windows key)->cmd->Ctrl+Shift+Enter. Gives you an elevated (i.e. with Admin rights) command prompt on Vista.

Re:Erm.....What the hell?

[im_thatoneguy]

CLIs are great IF you know the command to launch it.

What if you type in Word. Do you get MS Word or WordPad or Word Search?

What if you don't know the program's name ("Writer" comes to mind) but you know it's a part of Open Office? What if you don't know anything about the program but would recognize it if you saw it?

The list of things on a computer which a person should know the correct command to launch are very few. Vista's: Windows Key -> "Search Phrase" -> Enter. System seems to be the best. You can search or if you can't find it then look through your program list. It's the best of both worlds.

Now the worst place for a CLI is anywhere the user doesn't know 'what they can do'. If you launch a CL program you're presented with no possibilities. You have no idea what the program can do. It's like driving up to a drive through without a menu. You can start quizing the person on the other end of the little box what they offer but a nice photo menu is the fastest way to absorb data.

Re:Erm.....What the hell?

[thePowerOfGrayskull]

Yeah but when your lawnmower turns on every time you get near it or your car slams the gas when you sit in the driver seat it's time to learn how they work, mainly so that you can stop the the annoying and dangerous "features".

I'm not quite sure how this analogy makes sense... but most folks never learn how these things work. They learn how to use them - which is a rather important distinction.

Oh and BTW, I think I know how toilet paper works, and I would be extremely worried if the were any users who didn't.

So the only legimate disagreement you (and a few others) have is my sense of humor?

Re:Erm.....What the hell?

[EvanED]

As an interesting side point on that issue, M$ knew all about Sony's root kit prior to it being released in fact they were involved in evaluating it

[citation needed]

Wikipedia has no mention of such a thing in a reasonably complete article on the rootkit controversy. ...it was a M$ advertising blogger who announced it to the world not long after it was released

1) Mark Russinovich (the guy who broke the news) discovered it on his own (he described how in his blog)
2) Russinovich wasn't an MS employee at the time he broke the news, and didn't start working there for a few months afterward
3) Calling him an "M$ advertising blogger" is, to a fair extent being a dishonest troll

Re:Erm.....What the hell?

[jhol13]

I am not willing to say "A" is sane. Perhaps "A in a sandbox" would be sane, but not "with full (user/admin) privileges".

Users just cannot be trusted not to run "britneynude".

Re:Erm.....What the hell?

[thePowerOfGrayskull]

The same reason I have to drive my car, rather than picking a destination, waiting, and magically ending up there.

Most people driving their car have no idea how it does what it does. They know that it drinks gas and farts exhaust, and sometimes they have to bring it to the mechanic for this thing called a "tune up". As with most car analogies, your attempt to carry it to the "next logical step" is seriously flawed. By your example, the user would expect the computer to write their reports for them.

Opening a folder is not that difficult. I do tutoring sometimes, and I've found more people are confused by the Autoplay menu than just opening the drive in Explorer. Those Autoplay menus can get very cluttered!

We're talking about autorun, and not autoplay - autoplay is a stupid idea; users hate choices, especially when they don't know what all of them mean. Autorun is poor for security, but great for usability.

Re:Erm.....What the hell?

[Livius]

I've always thought this was one of the more bizarre default settings Microsoft inflicted on the world. Thankfully the registry key wasn't too hard to find.

Re:Erm.....What the hell?

[Nogami_Saeko]

Just a thought, but wouldn't another way to handle something like this be to simply make sure that any auto-run executable is run with the lowest level of system privileges so it can't write to, or modify any low-level system resources?

The same way that most malware would have more of a problem installing if it wasn't run with administrator access.

Re:Erm.....What the hell?

[thePowerOfGrayskull]

You do know that you need to check the oil in your car and lawnmower? Your lawnmower blade may need sharpening?

You should have a basic understanding of your tool at hand. Some tools are dangerous.

A basic understanding means knowing how to a) do what you need to accomplish and b) keep it running. Why should this mean understanding the file system's structure?

Re:Erm.....What the hell?

[EvanED]

Should the user be trusted to run "britneynude" if they navigate to it in the actual drive in explorer and open it?

If yes, what's the essential difference? In both cases, the user does have to take affirmative action to cause it to execute.

Re:Erm.....What the hell?

[maitai]

Actually, U3 based USB devices will still autorun, since the whole point of U3 is to have the 2nd partition look like a CDROM drive (non-writable as far as the OS is concerned) so that Windows will parse the autorun.inf the same as any non-writable removable media.

So obviously U3 has a lot more uses than just password protecting the "writable" partition, it's also great for spreading malware by replacing the firmware on the U3 partition (we're doing a social engineering pentest on Friday and one of the things we will be using are U3 capable USB thumb drives for just this purpose).

Re:Erm.....What the hell?

[ipX]

This made me wonder if Sony will now sue Microsoft for producing software that circumvents their copy protection.

No, Sony got in HUGE trouble for that (not sure if it was legal trouble, but after the public outcry, they recalled EVERYTHING and IIRC a court may have ordered them to do more or something...?).

**whoosh**

Re:Erm.....What the hell?

[dcam]

In XP you can go: Press Start button, type "winword", hit enter. And you open MS Word using a CLI-like interface.

Re:Erm.....What the hell?

[Pentium100]

Instructions on a lot of install CDs specify that if the setup does not launch automatically, the user should go to Start->Run and type D:\setup.exe assuming D: is the CDROM drive).

Re:Erm.....What the hell?

[ProfessionalCookie]

The same reason we have drivers licenses. It keeps the roads (or the tubes) safer

Re:Erm.....What the hell?

[ProfessionalCookie]

Modern systems scrap optical drives and good riddance. And yes I definitely agree, autorun needs to leave altogether

Re:Erm.....What the hell?

[perryizgr8]

win7 has the same button now. on the lower right corner. although gnome's button has been there for years.

Re:Erm.....What the hell?

[Pentium100]

Autorun.inf can do that. You can create additional commands to the right-click menu, so you can say to the user: "right click on the CD Drive (S:) and choose 'install software'". The problem is, that autorun.inf file can be made such that it replaces "Open" and "Explore" commands with its own. So, you doubleclick on the drive and...

Re:Erm.....What the hell?

[Tokerat]

Dumb argument. OS X has a command line. Windows has one too, and also has (Windows Key)-R for the "Run..." box. There are plenty of reasons to have a GUI, and feeling smug about being uber-geek isn't one of them, sorry.

Re:Erm.....What the hell?

[EvanED]

Just out of curiosity, does it work better than the somewhat broken Win-D and Win-M shortcuts (that have also been there for years)?

Re:Erm.....What the hell?

[FrankieBaby1986]

Here, here, and this applies to cars very well, too. You absolutely must know how to maintain them. And that can be as little as recognizing your light is out, wipers are old (dried out), etc. Or at least get the freaking snow off your roof before you drive! (one of my peeves about dumb drivers in the winter: an icy, snowy roof is dangerous to drivers behind you).

Ditto for knowing how to use a computer responsibly and not becoming a bothost and placing other people's computer's at risk.

Re:Erm.....What the hell?

[FrankieBaby1986]

On My Desktop!



It seems 85% of users that visit my helpdesk can barely see their wallpaper through their icons of documents, pictures, programs and crap.

Re:Erm.....What the hell?

[Don_dumb]

In GNOME you can add a button to the panel which hides all open windows. Ubuntu puts it in the lower left corner (the corner pixel is active by default, as are the other three. Apple and MS are STILL too dumb to figure that one out.).

XP (and possibly earlier) has the same [Show Desktop]. If I remember correctly it is installed by default on the Quicklaunch bar in the lower left corner.

Re:Erm.....What the hell?

[GillyGuthrie]

In Windows XP you must hit Windowskey-R to open the run box before you type anything. In Vista's auto-search thing, you can't type "d:" or any other drive. I find Vista's Start Menu defaults annoying compared to XP (perhaps I'm just stuck on XP)

Re:Erm.....What the hell?

[perryizgr8]

well win-d works for me. so yes both the button and the shortcut seem fine.
oh, i almost forgot. if you just hover the cursor over the button (not click it) all windows will fade out and show the desktop.

Re:Erm.....What the hell?

[GillyGuthrie]

I don't envision the problem being people inserting unknown flash drives. I see the problem as, a well-hidden malware program exists on a frequently-used flash drive that the user has received no indication that anything is amiss. When the user inserts the flash drive at his friend Bob's house, the malware program automatically is "autorun" and effs shee-it up. That's what I think the real threat is.

Re:Erm.....What the hell?

[GillyGuthrie]

Correct me if I'm wrong - digital certificates combine public and private keys to produce a digital signature that cannot be faked.

Re:Erm.....What the hell?

[EvanED]

Win-D and Win-M have problems for me (at least under XP). Both don't always restore the correct z-order when you go back from going to the desktop. Win-D has the additional problem that if you open another window after hitting Win-D, you can't get back to the state you were in before. Both of these, IMO, substantially deplete the usability of that feature.

(I also don't know how it compares with Gnome or anything else.)

Re:Erm.....What the hell?

[Sir_Lewk]

It's been mentioned a billion times here already, but remeber the Sony rootkit?

Thats right, autorun from a CD that decidely did not have the users best interest in mind. You must remember that software installers are not the only things distributed on CDs.

Re:Erm.....What the hell?

[k.a.f.]

Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?

Because misusing your computer connected to a worldwide network can do harm to uncounted others, while misusing your lawnmower/vibrator will only screw up your own lawn/body. Misusing your car, on the other hand... guess which of your three examples we regulate the hell out of?

Re:Erm.....What the hell?

[Opportunist]

While I can, in theory, possibly, see a reason to autorun from flash drives, I can see zero good reason for autorun on system hard drives. How often do you remove or insert your HD while the system is running from it.

Re:Erm.....What the hell?

[syousef]

In Vista you can go: Press Start button, type "word", hit enter. And you open MS Word using a CLI-like interface.

On XP try winword instead of word, oh and don't press the start button - try WindowsKey+R

Re:Erm.....What the hell?

[Opportunist]

I trust you mean CLI, not GUI, and yes, there are very good reasons.

Take checking your ip address and all relevant information. With the GUI, you need to open at the very least three different windows 'til you have the information an "ipconfig/all" gives you in a terse form. Badly formated, I give you that, but the info is there.

I also don't have the foggiest idea how to set or query network information in KDE's GUI, despite using it for years. I need networking information, I open a cli. ifconfig can be quite a handful to type, but when you know the relevant options, I kinda doubt any GUI gives you the same amount of flexibility.

I wouldn't want to do other things with a CLI, though. Installing software? Ok, what was that name of the package again that I wanted? Do I want to learn 5 different commands to install one, a new flavor every time I have to do it in another distribution?

So there are good reasons for both, CLI and GUI. Even though personally, I consider the best feature of a GUI that it can display a few CLI windows next to each other and I don't have to switch terms. :)

Re:Erm.....What the hell?

[Opportunist]

And KDE 4 looks so much like Vista that I wanna puke. Yeah, yeah, it's actually from MacOS... or whatever.

Does it matter? I don't give a flying turd who copied what. If the idea is good, take it and implement it! I want to use the system, I don't care who came up with the idea, if it's good I want it in my system!

Think about this: Imagine all systems "steal" features from one another until they are basically identical. So they're identical, besides the price, which one will win?

Re:Erm.....What the hell?

[Opportunist]

That "huge trouble" was basically that they were ordered to replace their deliberately distributed rootkits with clean versions of the front content and had to give the victims (IIRC) 2 free DVDs.

If that's all had to fear, I'd build my own botnet army in a nanosecond.

Re:Erm.....What the hell?

[giuda]

I'm almost sure that KDE ripped that off Vista. Shamelessy. But... it's a nice feature.

Re:Erm.....What the hell?

[Opportunist]

What should that AI decide? More important, would I want an AI built by some company whose interests may differ from mine to decide whether I am allowed to run certain software?

Allow me to start my prayer wheel again, which I usually do every time this is mentioned, bear with me, I've been preaching since 1995 and so far... either I'm horribly wrong or people just don't listen 'til it happens to them. IT security is the minimum of the system's abilities and the user's abilities. Not the average. Not the intersection. The minimum. You can have the most secure system, a user that runs any kind of junk makes it insecure. Likewise, you can be a security guru, a system with critical security flaws cannot be secured.

My answer would be that the computer should not be the one deciding what's safe to run or not. That should be its user/administrator. It's your, and only your, responsibility to decide this. The computer can help you make that decision, it can inform you what is about to happen, it can lock your "normal" user out of system critical changes and require elevated privileges to execute the order, but it should never ever go HAL on you (i.e. "I'm afraid I can't let you do that, Dave").

I own the machine. I dictate its use. I want my computer to tell me if I'm about to do something stupid. But I, and only I, make the final decision.

Of course, this requires security awareness. Take the Dancing pig problem. In a nutshell, promise to give or show a user what he really, really, REALLY wants and he will tear down any security for you. Also works for more computer savvy people when you promise them a crack for their system. Yes, of course this will ask to install a driver and mess with your system files...

Ultimately, I do not want my computer to tell me what I may run, though. I want people to learn and be able to make that decision, but it's a step in the wrong direction to support lazyness and take that responsibility out of people's hands. I'm fairly sure a lot of computer users would be very happy, and so would companies and politicians. We, on the other hand, would at the same time have to wave good bye to computers free enough to run the software we want to run.

Re:Erm.....What the hell?

[Opportunist]

Move into a corporate environment. You have to exchange a few gigabytes of data, something a modern USB stick can hold easily, but still something you would't want to FTP or (shudder) EMail.

Cue cubicle hell, marketing goon storming in, tie flying behind him 'cause he's, as usual, in a hurry
"Bob, hey, great to see you buddy, say, got one of those sticks, ya know, memory stuff where I can put my awesome key presentation?"
"Erh... sure", some rummaging, "here, but take care, it's my quickrun flash drive for..."
(snatch) "Thanks man, ya get it back!" (gucchis barely hitting the ground as he runs off)
(tech watches him run off and finishes quietly) "...browsing porn through TOR."

Re:Erm.....What the hell?

[rishistar]

Humans are HORRIBLE

there fixed that for you

Re:Erm.....What the hell?

[Opportunist]

I'd recommend a different one than what's running in most users. That algo seems to be something like "if (chance_to_see_pr0n) run()"

Re:Erm.....What the hell?

[Opportunist]

I may use a car analogy because you started it! :)

I'm not asking for people to be a mechanic, to know what exactly happens when they turn the key or twist a knob, how fuel gets into the engine, how that chemical energy is there converted into kinetic energy and how this in turn is used to accelerate their car. When it breaks down, I don't expect them to be able to fix it. That's what AAA is for.

I do expect them, though, to know how to operate their car. I do expect them to know what traffic lights are and that they are to stop when it shows red. I do expect them to know what the break is for and how to operate it so they don't crash, and I do expect them to know that you should maybe slow down before entering a sharp turn.

If people used cars the same way they use computers, we'd need a LOT more room for cemetaries and would have a LOT less problems with unemployment...

Re:Erm.....What the hell?

[Hench3]

Change that "d:" to "d:\" and it works just fine.

Re:Erm.....What the hell?

[bemymonkey]

WTF? Maybe home users are different, but most computers I use (uni, workplace etc.) have autorun disabled. I thought this was the default setting already...?

Meh, guess you tend to forget things like that when you stop reinstalling Windows and just clone a clean install onto your system partition every time the damned thing gets cluttered...

Re:Erm.....What the hell?

[Richard_at_work]

As Don_dumb has pointed out, this has been on the Quick Launch toolbar for a decade, and Windows 7 places the same feature to the right of the clock in the task bar.

Re:Erm.....What the hell?

[Animaether]

Considering you would run into the exact same problem if you disabled autoplay/run, and opened the JPG file yourself? Yeah, why the heck not.

Of course if you already KNOW you have that vulnerable component, and keep telling yourself "I will not open any JPG, I will not open any JPG, I will not open any JPG", and then get pissed when the CD-ROM with JPGs automatically opened in your favorite slideshow app and you got infected...
THEN WHAT THE HECK ARE YOU STILL DOING WITH THE VULNERABLE COMPONENT!?!?

That same argument applies to the other poster regarding WMVs - vulns were fixed ages ago.. if you still click on the button to install supermegazomgcodec so it can play back the malware, then you were going to do so when manually opening that WMV just as well.

Anyway.. like I said, you *can* disable it altogether in Vista.. sure, maybe that should be the default.. but then everybody will whine that their DVDs no longer automatically play back. Or they could ask during setup what the user wants to do, but then everybody will whine that Windows setup takes so much longer than -other operating system here-, nagging you with stupid questions like "what do you want to do when a DVD is inserted?".

Microsoft truly can't win in these cases - but I like to think they got it pretty right in Vista (I'd like some more granularity, myself, but that's me).. they're fixing the wrong thing, thereby not fixing the problem at all.

Re:Erm.....What the hell?

[kvezach]

Why not just render the customizable icon in a single color - red, for instance? Then there's no way the malware authors can impersonate the folder icon accurately enough; they could only impersonate another autorun program, but never the built-in options (whose icons aren't subject to the color limitation).

Re:Erm.....What the hell?

[neumayr]

Your analogies don't hold. Recognizing that some part of your car's hardware needs replacement is akin to figuring out one of your keyboard's keys don't work - both don't require any knowledge of the underlying technology.
I can't think of anything that resembles ice/snow on the roof in both its obviousness, and its danger to others, in computing.
Becoming a bothost fails the obviousness criteria.

Re:Erm.....What the hell?

[Lonewolf666]

As I understand it,
-"autoplay" means automatically starting the media player for the file type found on the medium you just inserted
-"autorun" means automatically executing the program that is pointed to by the autorun info on the disk.

Obviously, "always autorun" is an invitation for trojans, see the Sony rootkit. As soon as you insert the disk, your computer gets infected.
"Always autoplay" can be safe if the media player is guaranteed to only display things, not execute arbitrary code from the media file. Like a VB macro that has full access to the computer, to reuse the really bad example from Outlook a few years ago. Without that guarantee, "autoplay" is almost as dangerous as "autorun".

Re:Erm.....What the hell?

[EvanED]

Hmmm, you might be right. My understanding was that autoplay was the thing that popped up the dialog asking you what you want to do.

I *really like* that feature, and it's easily worth what I perceive as a small risk for that convenience, but I would also say that if there is media (audio CDs and DVDs?) that does actually start playing automatically, I'd rather it do the pop-up window thing.

Re:Erm.....What the hell?

[wildstoo]

Forget the Start Button. Use the Windows key and free yourself from mouse tyranny! ;)

I'm getting very used to hitting the Windows key and typing "note", "calc", "fire" or "outl" etc. to launch my commonly-used apps.

The Start Menu is for people who don't know what software they have installed.

Re:Erm.....What the hell?

[wildstoo]

Just tested this in Win7, it works fine. Hit Windows key, type D: or whatever and it opens the drive.

Re:Erm.....What the hell?

[js_sebastian]

If we're talking about CD's, then the user is already assuming the script writer has their best interests at heart - why else would they be sticking the CD in the drive?

Maybe the box said it was an audio CD, and the user rightly expects that playing music from an untrusted source can't harm his computer. Maybe it was supposed to be a data CD, with some pictures he expects to copy and watch, which again shouldn't be able to harm his computer.

When I hold a CD in my hand, I don't know if it has an autorun.inf file. So when the computer finds a CD with autorun.inf in the drive, it does not know the user intended for it to execute that disk.

Re:Erm.....What the hell?

[MightyYar]

This is exactly why a CLI is better than a GUI.

Actually, they are exactly the same. You can remember an exact name, or you can remember an exact location. Some brains do better with location and some with names... just a preference thing.

Anyway, modern GUIs all have some sort of "find" function that makes it very easy to just type the application name. Mac has Spotlight... just type Command-Spacebar and then the application name and then Return. Most of the time you don't even have to enter the entire name. Vista has a very similar item in the Start menu.

Re:Erm.....What the hell?

[Peter+Mork]

I respectfully disagree. I have a USB thumb drive with TrueCrypt. When I plug this device into my machine at home, I am automatically asked if I want to mount the encrypted volume. I hit the enter key (to accept), type in my password, and the drive is accessible, including opening the root folder. When I plug this device into my machine I work, I have to navigate to "My Computer" (8 keystrokes), navigate to the drive (2 keystrokes), navigate to the directory (3 keystrokes), navigate to the executable (4 keystrokes), pull up the file-chooser (2 keystrokes), navigate to the file (4 keystrokes), mount the volume (1 keystroke), navigate back to the new drive (3 keystrokes), and open the root folder on the encrypted drive (1 keystroke). In other words, disabling autorun adds nearly 30 keystrokes to an operation that occurs roughly twice a day (in the morning and after lunch). All of this extra work "protects" me from being prompted to verify that I want to run a program. (Now admittedly, encrypted drives are clearly malware from the perspective of DHS, but that's their problem!)

Re:Erm.....What the hell?

[geminidomino]

Nope. TFS says that it won't affect the behavior of read-only media like CDs.

Re:Erm.....What the hell?

[dave420]

Win+R and type the name of the application, press enter. That's it.

Re:Erm.....What the hell?

[hesaigo999ca]

This is pretty much 90% of the problem with cd-rom boot viruses in today's virus market.
If you do not auto execute the files when you pop in the cd, then you can scan them with an AV app, and ..guess what, I know there is a virus on the cd ...before it plays....imagine that!

Re:Erm.....What the hell?

[vertinox]

What if you don't know the program's name ("Writer" comes to mind) but you know it's a part of Open Office? What if you don't know anything about the program but would recognize it if you saw it?

If you don't know what you are looking for and you don't know what it was called, then do you really need to use it? ;)

Re:Erm.....What the hell?

[AkumaKuruma]

The other nasty one I've seen U3 thumb drives do is have a really weird formatting to them so that it makes the computer think it has a CD-ROM also on it for all the autorun stuff, "safetly" in a read-only partition, with the rest of the media being for storage, and the only way to fix it is to use said software in the read-only part to format the whole drive as storage media. cant even use any OS utilities to do it. so theres a loophole to get around the autorun already

Re:Erm.....What the hell?

[Rolgar]

I guess that depends on your setup. I tried it and got WinZip instead.

Re:Erm.....What the hell?

[Hognoxious]

I don't see either of those options. I'll stop short of assuming that you're an idiot just because you assumed that I'm one, but if the option you say is ther was in front of me, don't you think I'd I'd click it rather than go digging around?

Re:Erm.....What the hell?

[justthinkit]

Wait a minute, this sounds more like DMCA territory. I think the Feds should be involved.

Re:Erm.....What the hell?

[maxume]

Actually, I assumed that you didn't notice it for some reason or another; maybe you don't usually use Explorer or whatever. There is also some chance that I clicked some setting somewhere or whatever, I don't remember. Or it could be something that works on XP Pro and not on what you are using (but maybe you are using XP Pro).

Just to be clear, I only see the option when there is media with an autorun.inf file in the drive.

Re:Erm.....What the hell?

[hansede]

strong AI == np complete

don't hold your breath

Re:Erm.....What the hell?

[jsiren]

In GNOME you can add a button to the panel which hides all open windows. Ubuntu puts it in the lower left corner (the corner pixel is active by default, as are the other three. Apple and MS are STILL too dumb to figure that one out.).

(presses F11 on MacBook keyboard)
(all windows slide away, exposing desktop)
(presses F11 again, all windows slide back as they were)
(presses Shift+F11, all windows slide slowly away)
(wonders who at Apple had too much time on their hands)
(presses Shift+F11 again)
(watches windows slide slowly back)
(posts to Slashdot)

Re:Erm.....What the hell?

[Cajun+Hell]

*no* user is ever going to stick a CD in the drive, and then say "Well, that was fun" and then take the CD back out and throw it away. They're putting it in to install software!

No, they may have put the CD in there to read the (theoretically) harmless passive data, such as music.

I use autorun for my customers.

It sounds like you sell software, and your customers know they are buying software from you. Your customers are people who (by virtue of being customers) have already made the decision to trust you to supply code that will run on their computers.

Not everyone who supplies CDs is actually trusted that much. For example, Sony is only trusted to supply inactive music data, and nobody wants to actually run code supplied by Sony on their own computers. But some people did, because those people were unfortunate enough (or foolish enough, depending on your point of view) to have Microsoft Windows.

You and Sony are not the same, nor viewed with the same level of trust by users! But MS Windows treats your CDs as the same.

Re:Erm.....What the hell?

[CAIMLAS]

USB/PhotoCD, CD/DVD with just images -> autoplay OK

Don't know about you, but I've seen this feature smack a couple people pretty damn hard when they inserted a CD with "special" images on it, in addition to the ones they want to view. Like, naked pictures. That's pretty not "OK".

Re:Erm.....What the hell?

[plague3106]

Maybe for XP, but I think Vista asks you if you want to run the program (setup.exe, or whatever) or view the folder. I haven't had an application launch itself in quite some time... so for Vista users it is just adding a few extra steps.

Re:Erm.....What the hell?

[plague3106]

In Vista's auto-search thing, you can't type "d:" or any other drive.

you must be doing something wrong, because for me that will open up the d: drive explorer window.

Re:Erm.....What the hell?

[severoon]

I hope MS has more luck disabling it than I've ever had. Every time it pops up and asks me what to do I say "Nothing" and check the "Don't ever bug me about this again" box. It never works. I always have to open the Properties sheet for the drive, set each different media type to "Do nothing", then say yes I'm serious, yes don't do it again, etc. It still doesn't work. You have to open the property sheet and do this for each media type and hit Ok immediately after, then open it again and set it for the next media type if you want it to stick. Apply button doesn't work, you have to do it each time for each media type. Each time, every time. On my friend's PCs. Because I'm running linux so I don't have to deal with this crap.

Re:Erm.....What the hell?

[jonadab]

Took them long enough. I've been systematically turning AutoRun off on every Windows system I touch since 1998.

> Why wasn't this the default to begin with?

Same reason automatically downloading and executing any ActiveX code a website asks for was originally the default. Same reason automatically launching executable attachments when you preview a message in Outlook Express was originally the default. Same reason saving downloaded executables from the web on the desktop of all places was originally the default. Because Microsoft does not think about security issues until *after* the problem is exploited in the wild, and they also don't consider usability issues until *after* it becomes obvious that users are having a problem.

> There's no good reason to automatically run anything on media like hard
> disks or flash drives. It's an obvious virus vector.

There's no really compellingly good reason to automatically run anything on a CD-ROM disk either, as far as that goes. Any user who can't figure out how to browse the disk in Windows Explorer and double-click on SETUP.EXE probably should not be installing software without help, anyway. And don't say "but the installation instructions indicate it will automatically launch when you insert the disk". The instructions were written like that *because* that's the default behavior, not the other way around.

Re:Erm.....What the hell?

[jonadab]

> CLIs are great IF you know the command to launch it.

Exactly. Investing a moment or so, once, to learn the name of the command saves you 5-10 seconds every single time you want to do the thing from then on; your initial investment of time is paid back with interest in a few days. And that's for programs that you just want to launch (no significant options, no real interaction).

But a lot of people aren't just ignorant: they are *willfully* ignorant and *determined* to remain that way. These people are so averse to ever *learning* anything, they will retype whole paragraphs to avoid learning to copy and paste, and they'll do it all with 1-2 fingers, every time, for their whole lives, rather than learn to actually type. They *know* that there are faster and better ways, because they have met people who zip right along on the computer, typing 30+ words a minute, magically moving paragraphs around with a couple of keystrokes, and just generally doing everything in less than a quarter of the time. They *know* this is possible, but they DO NOT WANT to do it themselves, because it would require learning.

Re:Erm.....What the hell?

[BikeHelmet]

We're talking about autorun, and not autoplay

Nope. Look at the posts we replied to:

A menu pops up with this stuff anyway: "Hey, want to open this folder?", so it's not like you're doing anything more than adding exactly one step.

By your example, the user would expect the computer to write their reports for them.

You are incorrect. You're comparing unlike things.

The user understanding what the computer is doing when it opens a folder is alike to understanding what the car is doing when it moves. My analogy is spot on. Those of us with cars should know how to drive, and those of us with computers should know how to open a folder. Otherwise, how are you going to use the tool properly?

Re:Erm.....What the hell?

[dcam]

You've got a weird setup. Why did you rename winzip.exe to winword.exe?

Re:Erm.....What the hell?

[ConceptJunkie]

I actually worked at AOL for a while. Never used it, but I did work there. I got cut in one of the annual mass layoffs. I'm much happier now.

Oh, and for the record, I think autorun was one of the worst features ever, especially since it wasn't until relatively recently that you could effectively turn it off... at least without some kind of registry juju. I don't want it. I've never wanted it. Yet for years I would tell it to "Always do this action" where the action is "Do Nothing", which never worked. It's just like Microsoft to create a feature that should be optional, is incredibly annoying to a small subset of users (like me) and can't be turned off.

It similar with turning off file extensions by default. I still cannot come up with a single reason why that ever would have made sense to anyone. Let's see, I'm looking at this program I want to install. There are 6 files named "Setup", but I'm sure I can identify the correct one by identifying one of the completely inscrutable 8x8 icons. And if you ever actually found a file named "README", Windows XP would have no idea what to do with it. I recall that was one of the first things I did when first using XP, and it offers to look online for an answer (which it never finds). I couldn't believe my eyes. Microsoft spends umpty-ump billion dollars creating the allegedly smartest, easiest to use OS ever and it doesn't know how to handle possibly the most common filename in all of computing history.

I wonder if Windows 7 will account for the concept of a file without an extension? Can you assign an action to an empty extension in Vista? You sure couldn't in XP. Yet another in a long string of stupid things I never would have imagined possible until I saw it.

Re:Erm.....What the hell?

[entirely_fluffy]

In Vista you can go: Press Start button, type "word", hit enter. And you open MS Word using a CLI-like interface.

I just tried this - you get WordPad, not Word.

Yay

[ejdmoo]

Yay!

But now how will people figure out how to play Video Professor or install AOL?

Oh well...

Re:Yay

non-writable media will maintain its current behavior however

Heads Up Tech Support

[naubol]

Queue new top 10 Microsoft support complaint...

"My cdrom is broke" "It doesn't know there is a cd in there anymore!"

N

Re:Heads Up Tech Support

[Sj0]

CD is read-only, thus not applicable. RTFS.

Re:Heads Up Tech Support

[TheSovereign]

non writable media will maintain current behavior. pray attention.

Re:Heads Up Tech Support

[jonbryce]

And unfortunately the virtual CD drive in U3 flash drives is also read only.

Re:Heads Up Tech Support

[Sj0]

It's only read only if you activate the software, creating the virtual CD drive.

Re:Heads Up Tech Support

[jonbryce]

I haven't checked the U3 drives myself, but I have a USB wireless (cellphone) modem which comes with a virtual CD drive containing the drivers for it. The CD drive appears until you activate the software, which makes the computer ignore it and use the modem instead. So it is certainly possible to have a USB virtual CD drive that doesn't require drivers to operate.

Re:Heads Up Tech Support

[adolf]

Activate? The...software?

Eh?

On my U3 drives (both of them), the following would happen upon insertion:

Loading drivers
Found USB hub!
Loading drivers
Found USB mass storage device!
Loading drivers
Found USB CD-ROM!

The drives that appear are as follows:

A regular read/write USB flash drive, empty except for whatever I've put into it
A read-only CD-ROM

After the drivers all load (automatically and without intervention, under most Windowses), it would autorun the virtual CD drive as configured in windows.

Of course, I now have U3 disabled (more because I find no need for it, than because it is somehow evil), but that's how it worked for me.

Re:Heads Up Tech Support

[Firehed]

It's 2009. People still use CDs?

Re:Heads Up Tech Support

[HTH+NE1]

non writable media will maintain current behavior. pray attention.

Just like a VHS tape in a VCR: if the tab was removed, it not only plays automatically, it also stops at the end, rewinds its spool, and ejects itself all while you bleed out on the floor.

Re:Heads Up Tech Support

[tepples]

Is a CD-R deemed "writable"? What about a CD-R that still has room for another session? Or a CD-RW? Or a CD-RW in Mount Rainier format?

Re:Heads Up Tech Support

[ProfessionalCookie]

Cause there's no such thing as malicious CDs *cough*sony*cough*

Re:Heads Up Tech Support

[Opportunist]

If you believe the RIAA, yes, they do, and they don't buy it, and that's the only reason why the sales plummet.

Re:Heads Up Tech Support

[Sj0]

Ironically, this changes the game.

If it's a USB CD-ROM, then it's read-only, and it'll autorun without help.

Almost, but not quite

[sqlrob]

Since non-writable media such as CD-ROMs generally aren't avenues for malicious software propagation

Because no that's infected ever burns a CD, nope, never.

Re:Almost, but not quite

[icebike]

Since non-writable media such as CD-ROMs generally aren't avenues for malicious software propagation

Because no that's infected ever burns a CD, nope, never.

Its been my general observation that most people capable of burning an auto-run CD are capable of installing a virus scanner.

Admittedly, that STILL leaves those with malicious intent such as Sony and the purveyors of hoards of CDs full of crapware found in so many Asian street markets.

Re:Almost, but not quite

[CajunArson]

Greetings, you fail 4th grade reading comprehension. Let's take a look at that quote again:

Since non-writable media such as CD-ROMs generally aren't avenues for malicious software propagation

The generally bit is the important part, and the quote is 100% accurate, particularly in the age of Bittorrent when burned CDs are used far less frequently for transporting questionable software. If you disagree with that, then I'm sure you will be the first person to stand up and scream at the top of your lungs when somebody says it is generally more difficult to root a Linux server compared to a Windows server, when there are plenty of cases where Linux servers have been rooted... I'm totally sure you would be that objective.... completely....

Re:Almost, but not quite

[77Punker]

What about someone who intentionally creates a malicious autorun and distributes a CD-R? How about a virus that adds its own autorun to every disc burned by its host system?

It's still a huge problem and the fact that they removed it from other media demonstrates that they don't understand all of the attack vectors.

One more thing: virus scanners are a joke.

Re:Almost, but not quite

[petermgreen]

But flash sticks are a good vector for spreading malware and an annoying proportion of the flash sticks I see are sandisk U3 devices. How long will it be until malware manages to insert itself into the "CD emulation" section of a U3 device?

Re:Almost, but not quite

[EvilIdler]

Yes, the writable status of the source of an infection does not fucking matter! It's the rest of the system which gets it, anyway.

Re:Almost, but not quite

[jabithew]

I've never burned a CD-ROM. Many CDs, but never a CD-ROM.

Re:Almost, but not quite

[Bert64]

You don't intentionally burn an autorun cd...

Someone will try to burn a cd for whatever purpose, on an infected machine. The malware will hijack the burning process and add itself before it burns whatever content you were trying to burn.

Re:Almost, but not quite

[Jeremi]

I've never burned a CD-ROM. Many CDs, but never a CD-ROM.

Well, you haven't been trying hard enough. 20 minutes in the microwave on "high" will get it done nicely.

Re:Almost, but not quite

[kimvette]

An oxy-acetylene torch works nicely as well. :)

Re:Almost, but not quite

[Opportunist]

Why so complicated? How long 'til malware is able to make the system believe the USB stick (whatever brand) you just inserted is a CD?

get around this?

[BigBuckHunter]

@ Will be interesting to see what malware creators do to get around this ..."

Attrib -w? Flip the Writeprotect dword in StorageDevicePolicies?

BBH

Re:get around this?

[Urd.Yggdrasil]

Wouldn't the malware have to already be running on the computer to do that?

Re:get around this?

[Swizec]

You seem to be implying that there is such a thing as a windows machine without malware ...

Re:get around this?

[Aranykai]

Negative mod or not, that made my day.

Finally

[Capt.DrumkenBum]

It is about bloody time too.
It only took Microsoft 14 years to fix this massive security hole.

Re:Finally

You're sitting on the other massive security hole.

Re:Finally

[Opportunist]

"took"? Why the past tense?

Why do you think this is 'fixed' now? Yes, they turned autorun off for non-CD drives. Does that make the system more secure?

1) CDs can still infect you. Malware that writes itself on CDs does exist, we'll just see more of it surface now.
2) Is it certain that malware cannot enable this behaviour with USB device again? Worse, is it being made IMPOSSIBLE to enable this behaviour again, because I'm fairly sure a lot of people will reenable it "because it breaks their system if it doesn't work that way" (read: they'd have to start the program manuall from their stick).

Work around in 3..2...1....

[MasseKid]

Ok, so I'll just convince Windows 7 my writeable media is notwriteable and it'll autorun my viruses right? Hell, if I can get admin rights to an unopened e-mail, how hard should it be to disguise one media type as another?

Re:Work around in 3..2...1....

[Ceiynt]

I'll give you my DVD+/-RW drive, half the time it thinks the blank DVD+R I put in is not writable.

Re:Work around in 3..2...1....

[PitaBred]

Pay $0.03 more per disc and most of that stops. I've found that there are quite a few discs out there that are too cheap, they just don't work.

Getting around this will be difficult?

[gringofrijolero]

I don't think so. Just tell the user to double click the setup.exe icon if it doesn't run automatically. Gotta turn off autorun in the user's brain.

Re:Getting around this will be difficult?

[Archangel+Michael]

"all I see is the drive, where is the setup.exe icon?"

"but I have two CD Drives"

(you obviously have a much higher view of users than me)

Re:Getting around this will be difficult?

[GrumblyStuff]

As someone who is called upon to be tech support for the family, it would take quite a long time and possibly one or more of those dog collars with the electric shocks to get people to learn how to use a computer.

They still type in google in Firefox despite the numerous times I point out the search field to the right of the address field....

It's done right in Ubuntu

[Benanov]

Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:

If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.

Re:It's done right in Ubuntu

[EvanED]

If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

That's what Vista does too... I actually really like that behavior. It's almost as convenient as autoplay is, but without the security risk. (Well, for good users.)

Re:It's done right in Ubuntu

[chis101]

Windows XP does this for me too, by default (although it annoys me so I turned it off.)

I put in a CD, flash drive, etc, it scans it and pops up a message saying "You just inserted removable media. What would you like to do with it?"

Re:It's done right in Ubuntu

[Tetsujin]

Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:

If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.

This kind of thing always drove me crazy, and still does. Like sometimes I'll take a CD out of the drive to put another one in - and then when I'm done with the second one I'll put the first one back in 'cause I don't know where the case is. The fact that I put that first CD back in the drive doesn't mean I want to run it...

Re:It's done right in Ubuntu

[microbee]

And you don't read TFA to put a proper comment.

Windows does this too, but it is deem

Re:It's done right in Ubuntu

The fact that you're using a CD drive as a jewel case pretty much invalidates any opinion you may have on this matter.

Re:It's done right in Ubuntu

[Kocureq]

And without the risk that if you enter an unlabelled CD "to check what di you record there 6 months ago", a game installer will popup, consuming a lot of your RAM and time.

Re:It's done right in Ubuntu

[gbjbaanb]

Except that doesn't always happen on Vista. My Sony mp3 player simply pops up an explorer window, as does my phone when I plug it in to charge it (I doubt I clicked 'always do this action' as that never seems to work when I do want it, and for the phone, last thing I want is to use it as a memory stick)

Re:It's done right in Ubuntu

[jnetsurfer]

and then when I'm done with the second one I'll put the first one back in 'cause I don't know where the case is. The fact that I put that first CD back in the drive doesn't mean I want to run it...

Maybe Ubuntu should prompt you you to go find the case then...

Re:It's done right in Ubuntu

[Tetsujin]

The fact that you're using a CD drive as a jewel case pretty much invalidates any opinion you may have on this matter.

Now that's a load of crap. You don't have to agree with me, but saying my opinion isn't valid? Fuck you, man.

In other news...

[MachineShedFred]

Sony Music has announced a lawsuit against Microsoft using the DMCA, claiming that the new software patch circumvents horribly inadequate copyright protection.

Re:In other news...

[mdielmann]

Sony Music has announced a lawsuit against Microsoft using the DMCA, claiming that the new software patch circumvents horribly inadequate copyright protection.

Is there another kind?

FTFA:

[V!NCENT]

In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction.

Whoa...! Wait... they had autorun there too?!?! Dear god...

Re:FTFA:

[Volante3192]

autorun.inf

(although...didn't think you could get shares to do this. Maybe if they were mapped...)

Re:FTFA:

[Yaksha42]

I'm not so sure about this. I explored this option a while ago and in order to get autorun to work on a flash drive, you need an application installed like "Autorun USB."

Re:FTFA:

[Hi_2k]

Yes, mapping a windows network share would indeed cause autorun.inf to be read.

Sony CD

[cant_get_a_good_nick]

Didn't Sony install rootkits as part of CD insertion/autoRun? CD-ROMs are a vector for malware.

Also, I remember some website getting sued because they mentioned how to disable autorun, effectively disabling their anti-copy rubbish. So will Microsoft be sued for removing this?

Re:Sony CD

[iron-kurton]

You just touched on a topic I was going to discuss.

First, to answer your question, Microsoft will NOT be sued since they didn't disable non-writeable media (as has been pointed out many many times).

Second, it's interesting to watch MS stepping through the minefield that is the balance between security and copy protection (aka Sony Rootkits) as well as usability (see: "How Will I Install My Video Professor" comment above). Nonetheless, it's a long-overdue step in the right direction

Re:Sony CD

[Opportunist]

The webpage was also not sued for disabling non-writable media. It was sued because it offered information how to disable autorun on CD, which Sony considered a circumvention of their DRM.

The implications thereof are quite serious. If you disable autorun yourself, to protect yourself from malicious code, you are basically breaking their DRM. How ludicrous is that?

Here's a novel idea. My DRM depends on you running on an account with non-admin privs (because as an admin, you could easily just end the task I create as my DRM). Now I wanna see how you run about 90% of other Windows software.

In Vista, we call this feature "auto-walk"

Because Vista is so slow, Microsoft has graciously renamed this feature "auto-walk"

Re:In Vista, we call this feature "auto-walk"

[jones_supa]

Press Shift, it's the run modifier... :)

Autorun is the first thing I disable

[JO_DIE_THE_STAR_F***]

for optical drives. But they don't plan on changing the default autoplay anyway. So why make the change? Security? Come on. malicious software uses autorun because it is currently the easiest way to do this but it will take all of 10 nano seconds before a new way to do this is used.
Not to be a MS basher but all their talk about security is only lip service.
OK fine I do mean to be a MS basher.

If I were a Malware Author

[braek]

Step 1. Create Malware that will tempt people with free Viagra if they re-enable autorun
Step 2. ????
Step 3. Profit!

Uhhhh

[Idiomatick]

I don't see the problem so many people are having. In XP+ when you put in a CD/flash/w/e you get a windows menu popup saying do you want to open in the browser or play in your media player or w/e. This seems perfectly reasonable. No code is being executed off the disk so no security hole. If you want the CD to run a splash or w/e it is one click. If you want to browse it one click. And it can be set to remember your answer for different devices. I completely fail to see the problem with that.

If this does mean that they are breaking U3 drives I'm happy for the change mind you.

Re:Uhhhh

[Ractive]

I don't see the problem so many people are having.

The problem is that in spite of your logic, computers with said OSs DO get infected by means of this "feature".

Re:Uhhhh

[palindrome]

That's annoying (and it never seems to respect my "never do this again" check) but it's not auto run - you know when the CD just boots and doesn't give you any options?

Re:Uhhhh

[jawtheshark]

Actually it shouldn't do squat. The user inserted the disk, he should know what to do.

Re:Uhhhh

[EXrider]

No, it's not reasonable. Here's the problem. There's malware out there already, that creates decoy buttons in the AutoPlay menu. They look like "Open folder to view files" or "Take no action", complete with the complementary windows icons, but if you look closely, you'll notice they're actually tied to executables! We all know lusers look closely before clicking, right?

Re:Uhhhh

[Idiomatick]

That just means they are doin it wrong. That clearly could be fixed without killing the autoplay menu.

Re:Uhhhh

[EXrider]

How do you suggest fixing that? You can't really control what icons malicious applications use without integrating something akin to facial recognition technology, scanning 3rd party icons for similarity to system ones... good luck with that. Lots of people don't read, they click on shiny icons and expect them to do what they always do.

Re:Uhhhh

[Idiomatick]

Have the options be set by windows not the disk?

Enable it

[NoobixCube]

Malware authors will just enable it again. If the functionality is still there for non-writable media, then it's probably just a hidden setting away from being there for writable media too.

Re:Enable it

[blueg3]

In which case the malware is already running on the machine. Considering the point of adding your malware to autorun was to get it running on the machine, I'm not sure this is a significant security risk.

clue wagon just rolled into Redmond?

[Locutus]

All I can say is WTF, they are just now realizing it's a security risk and instead of disabling it in existing OS's, they're doing it in a beta of the next OS?

Sounds like they're not too sure about it being a risk or not. It's like having 3 sons ages 18, 16, and 14 and realizing condoms might be valuable but then only giving them to the 14 year old.

Security is probably job #10 at Microsoft as marketing rules the day on One Microsoft Way.

LoB

Re:clue wagon just rolled into Redmond?

[symbolset]

It says in the article that there is a patch planned for XP and Vista.

Maybe they're starting to wake up to "default deny" thinking. It would be a welcome change.

any USB plug-in device is insecure, period

[evangellydonut]

take any USB controller, have it emulate a Human Interface Device (aka keyboard), use it for the keystrokes of "windows, up, up, up, enter, virus-website, enter" and it's game over. you can do the same on Mac, just a tad more difficult.

Re:any USB plug-in device is insecure, period

[evangellydonut]

along that line, it's trivial to configure an USB controller such that it acts as a hub, 2 more controllers, 1 as HID, 1 as storage device. Then the HID device can just go willy-nilly and try to run d:\ or e:\ or whatever drive. USB controllers are cheap these days, most users won't know what hit them.

Re:any USB plug-in device is insecure, period

[blueg3]

In your scenario, you are plugging a physical device of your own design into the target machine, either personally or by distributing it to unsuspecting users.

The real attack scenario of interest is malware that propagates by adding itself (and autorun settings to launch itself) to USB storage devices provided by the unsuspecting user. You don't get to choose the physical device, only write to its filesystem.

Re:any USB plug-in device is insecure, period

[complete+loony]

"win+r, iexplore, enter" would be more reliable...

Play button

[fishizzle]

CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play. You insert a cassette tape into a Walkman, you press play. CD into a CD player, press play. When the CD-ROM came out, wouldn't it logically follow to insert the CD-ROM, then press the "Play button" to execute any "autorun" functionality? That way it's a user-initiated event, but one that your entire target audience is already going to be familiar with. And the users who weren't intended on "playing" the CD-ROM don't press they play button and can go about, uninterrupted, copying it or navigating the file system as they intended. It's not a huge deal, but I just find it odd that Microsoft's implementation of "Autorun" was the solution to this "problem" back in the day.

Re:Play button

[ascendant]

Don't be talking about "Back in the day"

Back in the day, cd-rom drives already had a "play" button. they had next and previous buttons too. They used these to play music cds, and I assume pass the signal through the audio card. (ever notice a 4-pin header on the back of the drive? even new cd-roms have this, even though it's pretty much useless now)

A second play button would only confuse the user. And make the hardware protocol more complicated needlessly, since that feature can be executed in software soooooooooo much more easily.

And, in case you didn't know, you can disable autorun and still keep the "doubleclick on drive icon -> autorun" functionality in windows.

And finally, lrn2paragraphs.

Re:Play button

[noidentity]

CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play.

Actually, VHS players automatically start playing read-only cassettes (and once they reach the end, rewind and then eject them). Pre-recorded tapes have the write-enable tab broken off.

Re:Play button

[Pentium100]

And, in case you didn't know, you can disable autorun and still keep the "doubleclick on drive icon -> autorun" functionality in windows.

Which is as insecure as the "normal" autorun, since the worm can be the program that is launched on doubleclick on the drive icon. It can also make right click->Open or Explore options do the same thing - activate the worm.

Re:Play button

[ascendant]

If you're smart enough to disable autorun, then you're not dumb enough to not notice multiple "Open" and "Explore" entries. Give up.

Re:Play button

[Pentium100]

No, there is a single Open and a single Explore entry. The bad ones replace the good ones.

Just try it:

[autorun]
open=autorun.exe
shell=explore
Shell\open=&Open
Shell\open\Command=autorun.exe
Shell\explore=&Explore
Shell\explore\Command=autorun.exe

Re:Play button

[Trogre]

You insert a VHS into a VCR, you press play.

20 years ago, yes. Most modern (15 years old) VCRs will automatically play video tapes that don't have an intact Write Enable tab, on the theory that since you don't want to record onto it you must want to play it.

sandisk?

[visible.frylock]

Wonder how sandisk will take this? (U3)

Don't get me wrong, I have a sansa fuze and love it. (FYI, it has native vorbis and flac support, albeit with taking a hit on battery life.) But U3 pissed me off to no end.

Re:sandisk?

[UltimApe]

sandisk internally emulates a cd-rom drive to my knowledge. I'd imagine that it is considers to be a read only media.

Re:sandisk?

[JustNiz]

Yeah I will never buy another Sandisk USB drive because they do this crazy thing of also having a small ROM in there that appears as a second drive that has an autroun that installs Sandisk 32-bit windows drivers and bloatware every time you plug the disk in, even on a 64-bit os. Needless to say the drivers and bloatware are completely unnecessary to access the drive itself.

You can disable autorun but cannot do anything to stop the read-only drive appearing and being mounted. To make it even more annoying, the small read-only drive gets the first available (lower) drive letter than the real drive.

Whatever marketing moron at Sandisk though that this was a good idea should be castrated (Preferably with a rusty knife) in an attempt to ensure he can't pollute the human gene pool further.

I for own, applaud them...

[hipifreq]

for finally doing the obvious. I was infected twice (I know, shame on me right?) by taking my flash drive to get photos printed at a kiosk. I finally placed a read-only, hidden, blank autorun file of my own on all my flash drives to avoid further infections.

Of course, it's only a matter of time before the next virus I run into undoes the read-only status and overwrites...

What I always wondered was why disabling autorun for "all drives" in Windows XP doesn't stop flash drives from autorunning, only the CD/DVD drive.

Re:I for own, applaud them...

[drinkypoo]

What I wonder is why you didn't get a flash drive with write protect.

Re:I for own, applaud them...

[Changa_MC]

more expensive, and super lame using hardware to fix a software problem.

Responsible use of Windows

[dontmakemethink]

Granted the typical user won't even know this can be done, but the first thing I do when installing Windows is disable/uninstall autorun, MSN, IE, system restore, drive indexing, and pretty much any other M$ shyte I can. After that, XP is suite stable and very useable.

Re:Responsible use of Windows

[GillyGuthrie]

I agree with MSN == bullshit. Drive indexing, I could go with. System restore?? I've saved many-a-installation by manually restoring the registry from "c:\system volume information\restore 'point'\snapshot" folder. I vote stay on the default SR option, especially with the dirt cheap prices on HDD space these days.

Autorun blows

[EXrider]

I've always despised this feature. Here's one example: when you eject a piece of read-only media, and Windows starts screaming at you relentlessly because a program was auto-running in the background from the media you just removed... hate that shit.

Well then-

[moniker127]

They should show an icon for the device/disk on the desktop if they disable autorun, like on os x/linux. People want visual feedback that their crap is doing something, and they dont like to open up windows explorer/my computer.

startup

[robvangelder]

another good idea is reduce the number of "run on startup" lists to one. theres a billion options for running your stuff on startup. should be just one place.

while im ranting, i hate that i've got two processes in task manager called rundll32.exe that i havent a clue what they do

Re:startup

[Blakey+Rat]

another good idea is reduce the number of "run on startup" lists to one. theres a billion options for running your stuff on startup. should be just one place.

To be fair, there should be two. One for services (which don't necessarily need a logged-in user), one for desktop applications (which do).

But yah, I agree generally.

Re:startup

[El_Oscuro]

I usually just do a pskill run32dll. Just make sure you save your work first.

Re:startup

[Animaether]

and then of course there's
- the things that run for all users
- the things that run for the current user only

- the things that just sit in the background managing who the heck knows what (presentationfontcache.exe)
- the things that are part of your computer's functionality (ntvdm.exe)
- the things that are applications you want to actually start (firefox.exe)

The lack of clear separation between all of those makes it difficult enough now - any changes in the future would do well to make this more clear. There's plenty of information on the web about processes, what they do, whether or not you can safely disable them from start-up, etc. It can't be that hard to write an application around this (somebody probably already did - I haven't looked).

Re:startup

[robvangelder]

yeh, it was nvidia. haha

Re:startup

[Pentium100]

- the things that run for all users

Put them in Start Menu ->Start Up for all users

- the things that run for the current user only

Put them in Start Menu ->Start Up for that user

for things that start up before a user logs on - put them with services.

for things that are part of the OS - well, they are part of the OS, so the OS should know what applications are critical for the OS to work, there should be a read-only list somewhere.

Well, some years ago, applications were more behaving - they put themselves in the StartUP.

Hide extensions for known file types

[snsh]

Long live the readme.txt.EXE virus

Re:Hide extensions for known file types

[EXrider]

"Hide extensions for known file types"... yes, another dumb down the fucking user feature that I HATE!

Re:Hide extensions for known file types

[sexconker]

With a name like readme, NO ONE will open up that shit!

Re:Hide extensions for known file types

[El_Oscuro]

Wait a second. I thought only slashdotters ignored readme files

Pffff

[McGiraf]

Disabling autorun is not enough for me to trust windows, I'm waiting until they disable run.

To Get Around This

[sexconker]

"Will be interesting to see what malware creators do to get around this ..."

I bet $20 that you can just set the booktype to DVD-ROM and have it work.

balance between security and usability

[Phantom+of+the+Opera]

*sigh*
Those axis should have little relationship to one an other.

Re:Autorun is the first thing I disable Talk about

[davidsyes]

Security and lip service. Autorun is not ALL they are disabling.

They are disabling access to vista SP2:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132311

My first thought was that they made this fix, but they "forgot" to involve the various nation's security/intelligence agencies of "fixes" that broke spy tools. So, they need to give the agencies time to "catch up" to ms and "stay ahead" of the rest of us...

Just some wild guessing...

For some mysterious reason,

[Lawand]

I got a feeling that ideas like this and like the "XP mode" are related to Bill Gates no longer being the CEO.

Great news....

[Anita+Coney]

My index finger is sore from holding down the shift key on all the Netflix Blu-rays and DVDs I've ripped.

missing tag:

[Ralph+Spoilsport]

tookthemlongenough

Remember Stealth virus for DOS?

[antdude]

I remember back in the 90s, there was a DOS virus called Stealth or something. Back then, 3.5" disks autorun did not exist. However, if you access 3.5" disks infected, then the memory and HDD get infected. Uninfected writeable 3.5" disks would also get infected even if user only type A: and that's it. I don't seee how disabling autorun for today's devices would help.

How about..

[d_jedi]

letting users choose.

Oh, wait.. we can already do that.

Mod Parent Up!

[criptic08]

Those U3 enabled flash drives will STILL autorun. The second partition is made to appear to be a cdrom to windows, which means that windows will still autorun the crap they put on there.

The U3 mounts 2 devices on windows machines. One is your regular USB mass storage but the other is a *read-only* virtual CD drive. Autorun will run just fine.

Social penetration attacks are ridiculous with these. With a few hours, 100$ or so, one can change the firmware of a handful of U3 dongle, leave them lying on the ground in parkings, sidewalks... wait a few hours and you have a good % of those U3 trojans phoning home...

Re:Mod Parent Up!

[beav007]

That's a pretty slow and expensive way of getting a virus around. After all, we still have the internet...

Re:Mod Parent Up!

[Thinboy00]

Did you somehow figure out how to do anything even remotely hackish with those? If so, my hat is off to you, sir! But more likely, you're just guessing. I called the customer service, formatted the drive like the nice man from India told me, put DSL on it, made it "bootable", and it won't work! WTF??

Re:Mod Parent Up!

[criptic08]

I looked around when they came out. Its really not that hard, but there is a fairly small size limit for the ROM you put on the virtual CD. But all that is really needed is an exec call to the virus on the mass storage device

Why the change?

[Simulant]

I wonder if this has anything to do with the fact that at least one of the Win7 x64 RC build 7100 ISO's floating around has a trojan infected setup.exe that will autorun on 32bit machine.

It's probably been downloaded 100,000 times by now.

Been noticing this quite a bit lately.

The build works fine though and if you boot from it you can get what appears to be a clean install. Just don't run setup.exe from the root of the iso.

You're probably better off waiting for the official release.

OS X Doesn't Have Autorun

[amasiancrasian]

With OS X, almost any one can use a CD or DVD without Autorun. All that's required to install from a CD is the ability to click on the icon in the folder. Mac software do this by setting a background on the Finder window with a large pointer indicating where to click if it requires installation, or an alias to the system Applications folder, where installation means copying the application bundle to the Applications folder. This is by far the most elegant solution.

Why can't Windows 7 do the same? Sure, it still inherits security problems, but at least code requires user interaction to get it going, while CDs can affect computers with rootkits unbeknownst to the user. You know a program that requests UAC or sudo privileges cannot be up to much good if it's on a CD.

Re:OS X Doesn't Have Autorun

[amasiancrasian]

I should also clarify by what I mean on a CD--that is, anything created or produced by an RIAA company.

Re:OS X Doesn't Have Autorun

[Maexxus]

+1, I've always loved how mac software is bundled this way, and how they have special backgrounds/icons (or however it's done) explaining exactly what to do.

Everything old is new again

When I got a laptop loaded with Everybody's Favourite Operating System (Windows Vista), I just started using its indexing search function to launch apps. For example, if I wanted to launch Windows Live Messenger, I'd type in "messenger" and then press enter. If I wanted to launch Firefox, I'd type in "firefox" and press enter.

I didn't make any active effort to do this; it's just more intuitive for me than using my mouse to browse through the labyrinth of Start Menu items.

I've gotten used to doing this in OS X's Spotlight as well (of course, I'd use Quicksilver if I could, but my experience with Macs is contained within my school).

Does anyone else do this, or is it just me?

Re:Everything old is new again

[sopssa]

I also do this and it works really well. Only times I need to go Start Menu is when I dont remember the program name and need to go look it up.

I suggest everyone to try it, makes launching programs a lot easier.

Hold Shift on Insertion

[Maexxus]

I've gotten into the habit of reflexively holding down shift whenever I insert a drive or cdrom, either that or you can just disable it completely.

PROMPT

[Tablizer]

If there's auto-run material, then prompt for it, similar to a pop-up blocker. That's a good compromise.

looks like you're right

[visible.frylock]

CDs and DVDs (including CD emulation), where the IHV specified AutoRun task authored during manufacturing, will continue to provide the AutoRun choice allowing customers to run the specified software.

http://blogs.msdn.com/e7/archive/2009/04/27/improvements-to-autoplay.aspx

Although, afaict, that says it will still give you a dialog rather than just silently running.

Hunt and peck

[tepples]

When did we humans get stuck with the job of finding the actual program we want to run?

When the mouse became faster than hunt and peck typing.

Re:Hunt and peck

[mysidia]

Don't use hunt and peck typing, use proper typing. Starting a program using a KB is a lot faster than using a mouse.

Re:Hunt and peck

[collinstocks]

I have to agree. I use gnome-do all the time to run my applications because I can't be bothered searching through the menus if I already know what the program does. I even use it for my IM client: if I want to chat to someone, I enter their name and hit enter as soon as there are enough letters to match their name.

Re:Hunt and peck

[abundance]

It depends where your hands are when you need to start it.

If you've both hands on the keyboard, yes, if you're using the mouse, maybe not.

Also it depends which app you're starting.
If it's a frequent used app you probably have an alias in your quick launch, dock, desktop, pinned start menu whatever, and your muscle memory is sculpted to reach it fast in a click or two.
If it's something you don't use often it's probably buried in some app folder or all programs submenu, typing would get you to that way faster.

Unless you have to pause your brain to remember part of its name.

Bruce Tognazzini once ran a test with users invoking commands with shortcuts and clicking on them in pull down menus.

Many users reported to feel they were faster invoking shortcuts, while measured response times showed they were actually faster when clicking on menus.

That's because they were able to perceive the time they spent moving the pointer to the menu, while they didn't consciously measure the time that passed while they "paused" their thoughts and workflow to recall the desired shortcut.

This doesn't translate perfectly to the act of typing, and of course heavy power users and touch typist are snappier than most users, but it's interesting to point out that the way your consciousness experience the duration of a task is often not accurate.

Re:Hunt and peck

[ProfessionalCookie]

To open an app on MacOS X 10.5:

• command-space (open spot light)
• type "s" (in this case for safari)
• Press enter

This all happens as fast as I type. S is safari, F is firefox, m is mail, p-space-s is photoshop, t-space-m is textmate etc...

Who still uses the dock??

And serious kudos to Microsoft for turning off autorun- that blesses me.

Re:Hunt and peck

[Sir_Lewk]

Hasn't touch typing been tought in public schools for the past 50 years or so now? I know I at least had several courses in it over the years.

Re:Hunt and peck

[greyhueofdoubt]

>>And serious kudos to Microsoft for turning off autorun- that blesses me.

You're bootable?

Re:Hunt and peck

[EvanED]

Depends on the schoool... my high school for instance offered a typing course, but there weren't a lot of incentives to take it, and it certainly wasn't required. (This was in the past decade.)

I learned touch-typing on Dvorak on my own; I still can't touch-type on qwerty.

Re:Hunt and peck

[mysidia]

Two words: tab completion OR command completion.

I use quicksilver, and Control+Space VL (ENTER) starts VLC.

Control+Space F starts Firefox.

When invoking commands from the CLI, I type two or three letters, TAB, and I have the full command name.

Sure, I could put all the apps I commonly use on a dock or clickable location, but entering 3 key sequences is a lot faster and a lot less brain-intensive than hunting for an icon with a mouse.

Once you reach a certain number of programs, it becomes really cumbersome to keep track of where all those icons are, if you want to click them at any reasonable speed.

I can press Windows+R notepad (ENTER)

In the same time it takes to move the mouse from the upper right region of the screen and click 'Start > All Programs > Accessories > Notepad'

Sure, you could put a small number of programs on your desktop and be able to sort through them.

But this is useless if you have another window open you're working with, and you want to start a second program.

Minimizing a window and THEN hunting for the icon to click possibly takes longer than using the start menu...

Re:Hunt and peck

[abundance]

Minimizing a window and THEN hunting for the icon to click possibly takes longer than using the start menu...

well it's winkey+D then muscle memory, it's surely faster than traversing the start menu.

Also for notepad, I've its icon on the taskbar in the visible portion of the quicklaunch, it's at click range everytime.

I keep the handful of utilitarian icons in (browser, notepad, calculator...) in the visible portion of the quicklaunch, and the other apps I use organized by folder in the quicklaunch ">>" menÃ. Also apps that respond to drag-to-icon are aligned on the sides of the desktop. I almost never need to dig the start menu.

Same on OSX, I've the utilitarian things in the dock plus alias grouped in stacks. It's everything there, one or two click far away, all the time.

Anyway, I don't contest the snappiness of the quicksilvers and spotlights. They're indeed blazing fast, and also they don't need to be curated and optimized like the point and click launcher devices of the various OSes.

I'm just saying that if you take the time to set up the GUI to your usage patterns, you rarely get lost in clickitis and menu scannning.

Also, keyboard launching is perfect when you spend most of your computer time hands on the keyboard, like I guess most developers or writers, less so when your work is mouse centric. When I'm typing html or coding php, I tend to use keyboard launcher more, but when I'm photoshopping it's ankward. I can "cmd+space then F" with the keyboard hand, but I need to leave the right hand from the mouse or traverse the keyboard with the left hand to hit enter. I can click the spotlight results with the mouse but it's easier to go for the docked icon target. Also, when I'm reading in the browser or loosely editing graphics, I often stand with the left hand scratching my head or smoking a cigarette or whatever, so no hands ready on the keyboard.

Also, switching from windows to osx often, I tend to mess up with the key combos and shortcuts. The point and click approach is less confusing when using regularly more than one os. My experience is that the GUI context assist me better. I often catch myself trying, say, to cmd-space on windows or to winkey-e in osx, but I've never mistried to go for the osx dock on the left side in windows, or to reach the quicklaunch down left in osx.

There are many UI approaches as there are users, so there's not one single better approach for everyone.

When pigs fly? Well, swine flew.

[tepples]

I guess people were trying to say that they thought Microsoft would sacrifice the convenience of autorun for security when pigs fly. Well, I guess swine flew.

Disabling Autorun is not the whole solution

[initialE]

I don't know if any of you guys have seen malware that exploits the use of custom thumbnail images - the one supposed to replace the CD-Rom image on your computer when you insert a particular disc.

Average Joe

[nurb432]

Will be confused as hell now.

"I put the disk in and it didn't do anything, it must be broke"

"To play my game i have to open my computer what... ???!!?"

Disable autorun registry key

[foodnugget]

Here's a link to disable autorun on 2k and XP for real. You won't get a prompt for what to do, the system won't try to do anything with a USB key or CD rom or removable drive. I recommend it to anyone who has to put other peoples' USB drives in their systems. http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks

Malware

[sjames]

Will be interesting to see what malware creators do to get around this ..."

Nekid_girlz.exe

Nuff said

Been doing it for years now

[droidsURlooking4]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Cdrom DWORD AutoRun=0

I hate autorun

[MpVpRb]

I have always hated, and immediately deactivated autorun.

I think autorun was one of those Mac ideas that Microsoft copied.

I want to be in control of what my computer does.

Re:this philosophy works great until...

[EvanED]

Yeah, but at that point it's not autoplay that's particularly involved. If you'll click the "play media" button that shows up when the autoplay window opens, I would say you're almost certain to open the WAV file if you were just exploring around the drive to see what was there.

Autorun needs to be done from trusted sources

[Skapare]

All autorun needs to be done only from trusted sources. The program to be run needs to have a cryptographic strength signature. The computer keeps a set of public keys to allow autorun. Microsoft would supply their own key to get this started (which means this computer initially will only autorun anything Microsoft signed). And this applies to the entire media, so if a script runs an executable, the malware perps cannot just substitute the executable. So basically, nothing on the inserted media can be run unless everything on that media is signed, AND signed by the same key (in case it is signed by another key the user has added). Also, these keys need to be kept encrypted with access only by a user passphrase. Any attempt to add a key definitely needs some user prompting. And there is no reason to treat even a non-recordable CD/DVD any differently. Only the boot device gets to run things without a prompt (which does mean there is still exposure for computers in which the media is the first boot device when the user reboots with it left inside ... that's another issue to deal with).

Do it yourself (all the way)

[MrLint]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

Save that to a reg file. Disables autoplay system wide for all devices.

Please see http://technet.microsoft.com/en-us/library/dd349797.aspx

Vulnerability

An attacker with physical access to the computer could insert an Autorun-enabled DVD or CD into the computer that automatically runs a malicious program.
Countermeasure

Configure the NoDriveTypeAutoRun entry to a value of 255, disable Autorun for all drives.

Re:Do it yourself (all the way)

[tokul]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:000000ff

It does not disable default user actions that are defined in autorun.inf Malware won't start when you insert flash drive, but it will be executed when you will doubleclick on drive in order to open it.

maybe stupid comment

[dezent]

But this was not a decade too late !

forgive me for being ingnorant

[billsnow]

but what are these flash drives and optical disks containing viruses that autorun when you plug them in? do they come in the mail like AOL disks?

Re:forgive me for being ingnorant

[symbolset]

but what are these flash drives and optical disks containing viruses that autorun when you plug them in? do they come in the mail like AOL disks?

No, we buy them in bulk and leave them in your parking lot. Then some idiot picks it up and sticks it into their PC inside the network. One network admin and it's in the root of a share. The next morning when everybody logs in all your base are belong to us. One successful attach is worth a hundred plants but there's always a chance you'll jackpot with some MCSE who should not have been hired.

They're cheap so it's affordable to sprinkle them around the bathrooms at trendy clubs, leave them on the bar at the country club, wherever they might get picked up and used by somebody with good access to money and/or information. Shiny ones work best for money targets, civil servants and soldiers, but with network admins and engineers we get a higher attach rate with this one.

Re:forgive me for being ingnorant

[dido]

I've seen these all over the place, I've had some USB thumb drives I own turned into them by using them on a virus infected PC, such as those you might see in an Internet cafe. The virus would copy themselves into the thumb drive which becomes an autorun. They're just like the boot sector viruses of the 1980s.

Autorun is useful.. but...

[w0mprat]

If disabled Windows can still parse autorun.inf and start the software on the removeable storage by double clicking on your CD-ROM drive. It is still a nice feature for packaging.

So doing it manually reduces the risk of malware infection by this means. Does not eliminate.

So adding a prompt... like already exists in windows (UAC)... for auto-running content from removable media or even network storage for that matter, is all that is needed.

Nobody has a problem with the feature being there

[symbolset]

And they're not removing the feature. They're just making sure the default is "off". It's the sensible thing to do.

If you're secure enough about what's on the disks/pendrives/cameras/network shares you mount to use it then by all means turn it back on. But that ought not be the default because not everybody is at that level.

I'm not one to praise Microsoft usually, but this is a move in the right direction.

just disable automount already!

[dillee1]

Why stop at autorun? MS should disable automount as well. E.g. One should be able to mount any disc as read only. I have so many UDF disc destroyed just because 3rd party driver fuck up. This should be completely avoidable.

Num Lock

[Unoti]

At first I thought this meant I'd no longer be able to use Num Lock to just run in a direction in World of Warcraft, without having to hold down an arrow key. Imagine my relief when I realized what this was really just about DVD's and stuff.

Re:Story if kdawson had posted it:

[shentino]

If there's no other way to change the default that's a good sacrifice.

I have used this to my advantage

[MobyDisk]

I was arguing with a coworker why autorun is so dangerous. He said he never had a problem with it. So while he was away from his desk, I modified his USB key with an autorun that changes his desktop background to Unicorns and Rainbows. :-)

auto run disable

[t3chn0n3rd]

when is that windows version to be released?

Re:Nobody has a problem with the feature being the

[ProfessionalCookie]

And they're not removing the feature. They're just making sure the default is "off". It's the sensible thing to do.

Just a registry value away. Say hello to millions of crapwares that "Fix Autorun". Not to mention malware itself.

Re:Nobody has a problem with the feature being the

[symbolset]

If a non-essential feature reduces the security of an operating system the correct default is "don't." This is a non-essential feature. They've done the right thing here.

Go ahead and turn it on. Then if your box gets owned this way they bear less responsibility. It probably won't because if you know enough to turn it on you've probably considered the risks and decided your experience mitigates the problem. But for millions of consumers who don't know enough about the question, making them more aware of the risks by making them change the default is the right thing to do.

And as for malware, if they're downloading it to fix autorun then they're going to do it to speed up their PC or get a funny mouse pointer or screensaver or whatever anyway so this is a spurious argument.

meh. too little too late.

[yanyan]

I've been disabling autorun on XP and 2k for many many years now. gpedit.msc, the group policy editor, is your friend.

Best protecshun

[Amiralul]

Just manually create a folder named AUTORUN.INF on your USB stick and no virus could create an autorun.inf file for auto-running.

Re:this philosophy works great until...

[EvanED]

So I'm not quite sure what Vista does with Audio CDs and DVDs; in my Win2008 box, nothing happens. (I do have autoplay on; it works for USB drives for instance.)

Second, even automatically playing the content for those things won't cause any WAVs to play.

Third, if the poster who said that was exactly correct, autoplay doesn't do anything automatically, it just asks you what to do.

It's possible that Vista will automatically play CDs and DVDs by default, and if that's the case, I don't think MS went far enough in stopping autorun. But it's still way, way better than continuing to allow autorun.

why....

[GnomeChompsky]

can't you just have it embedded into the prompt that you can type something like "what" to find out what programs you can run? It's no more intuitive to have to click a series of buttons, really.

Like a prompt that goes something like

User user in Directory directory. Type 'what' for full program list:>

wrong tree?

[Tom]

Wake me when they disable "autorun" for E-Mails.

Seriously, when's the last time you heard about 100,000 PCs getting infected by malware on a USB stick?

It's certainly a good step, but the problem it solves pales compared to pretty much everything else that windos has burdened itself with over the past decade or so.

DVD labels will need to change...

[and235100]

Disabling AutoRun on flash devices will not make a lot of difference - people still can't help to click on something that says "Click the Button Now!"

so....

[smash]

... 15 years after my first encounter with autorun annoyed the shit out of me (about 15 minutes after installing windows 95 for the first time), microsoft has finally acknowledged what the rest of the world has known forever is a bad idea.

Diskettes

[GbrDead]

What about floppy disks? Will the write-protection tab enable autorun?

Am I the only one seeing this?

[RenHoek]

>that is definitely a step in the right direction.

I'm no fan of autoplay. But to call this a step in the right direction is stupid.

They're doing this because of the failing security model of Windows, not to be more userfriendly. If Windows was more secure then this would not have been a problem to begin with. Obnoxious yes, problem no.

CDs are not any better

[js_sebastian]

Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

This is just as bad on non-writable media. A simple social engineering attack is to send the target company a bunch of free CDs with supposedly something interesting in them, then just wait for some employee to autorun your trojan.

Anyhow I have been doing this for a while, using the TweakUI "powertool" from microsoft to totally disable all forms of autoexecution on all windows computers I touch. Which is sad because automatic default actions can be useful if done correctly. For instance ubuntu opens the folder for me when I insert a data CD, and it starts ripping sofware when I insert a music CD (this is the default, which is cool because ripping it is the only reason I would insert a CD in my computer). XP totally sucks at this, don't know about vista, only booted it twice or so on my laptop since it came pre-installed.

open or run

[viralMeme]

The main problem is Windows inability to differentiate between RUN and OPEN

HOLY ICE SKATES IN HELL, BATMAN!

[argent]

What's next, Microsoft dropping ActiveX?

Yes, you're the only one seeing this...

[argent]

Apple dropped autoplay last century, even for CDs. There's theoretically a scheme for autoplay for Linux... but nobody sane implements it. Autoplay is one of those things that can not, even in theory, be implemented safely... because what it does is automatically grant full local user execution privileges to any random media you stick in your computer. Once you do that, you're penetrated... and you know what they say about that: "Security is like sex, once you're penetrated you're ****ed".

So I dearly hope you ARE the only one who thinks that it's even potentially a good idea to implement "autoplay" for executable content.

Starter motor

[professorguy]

But is autoplay/autorun an automatic turn signal or is it a starter motor?

It's a starter motor that automatically starts the car whenever you get in. This is a great feature most of the time, but when you just wanted to run out to the garage to get your sunglasses out of the glove compartment, it accidentally starts up and asphyxiates everyone in the house.

Re:Starter motor

[maxume]

So the garage is poorly designed and built?

I'm not real sure where this is going.

Final Hostilities

[PingPongBoy]

Will be interesting to see what malware creators do to get around this ....

Seppuku

Re:Autorun is ALREADY disabled!

[Pentium100]

Autorun is already disabled on Flash drives, at least in Windows XP and Vista.

Don't know about Vista, but on XP, the autorun.inf file is still processed and you can get infected by double clicking the drive icon or right clicking and selecting Open or Explore.

Good Idea Autorun sucks

[docmur]

This is definiatly a step in the right direction. Autorun might be one of the worst ideas in OS history. In many cases you might just not want to switch a DVD or CD thats in a drive, and if you don't it shouldn't keep popping up reminding you it's in there. The question about this being a step to increase the security is also in the right direction. Although windows will never be truly a "Secure" OS I agree this will start to move in the right direction. Other implementations that might help would be, better user account options, better file system managament and less start up services. After auto run goes I think the next best step is for the system to require the user to build the start up services process. If I have learned anything though the years of being a Linux user (gentoo) it's that the more you leave in the hands of the user the better. Sure the system should have to take care to manage itself and I'm not going to try and take out and argument on that, but I think windows has gone to far and to out there with doing it for the users. I think the truly right move it to slowly start getting windows users to manager there computer and when the user starts to get the right input control to the system it can really start to be a secure OS