Windows 7 Users Warned Over Filename Security Risk
nandemoari writes "Would-be Windows 7 users have been warned to change a default setting which could leave them vulnerable to attack via bogus files. As a result, Microsoft is taking flak for failing to correct a problem found in previous editions of Windows.
The issue involves the way Windows Explorer displays filenames.
In all editions of Windows after Windows 98, the default setting hides the filename extension (which identifies what type of file it is). This means that a Word file titled 'partyinvite.doc' will show up in Windows Explorer as simply 'partyinvite'. The only exception to this rule is if Windows does not recognize the file type.
The reason for this setting is that it makes for a less cluttered look and avoids filling the screen with redundant detail. However, a flaw in the way it works leaves it liable to exploitation by hackers. They can take an executable file (which can do much more damage to a computer when opened) and disguise it by calling it 'partyinvite.doc.exe.'"
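Added example (not from the original story or the F-Secure post): a Python model of the display rule the summary describes, flagging names whose visible form ends in a document-style extension while the real type is executable. The extension sets and function names are assumptions for illustration; the always-hidden `.pif` entry follows the F-Secure remark quoted later in the thread.

```python
import os

# Assumed, illustrative subsets. A real audit would read the machine's own
# file associations instead of relying on hard-coded sets.
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".js", ".vbs"}
DOCUMENT_LIKE = {".doc", ".txt", ".pdf", ".jpg", ".bmp", ".avi"}
KNOWN = EXECUTABLE | DOCUMENT_LIKE
# Per the thread, .PIF stays hidden even when extensions are switched on.
ALWAYS_HIDDEN = {".pif"}


def explorer_display(name, hide_known=True):
    """Return the name as a file manager hiding known extensions would show it."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if not stem or not ext:
        return name
    if ext in ALWAYS_HIDDEN or (hide_known and ext in KNOWN):
        return stem
    return name


def classify(name, hide_known=True):
    """Classify a filename by how misleading its displayed form is.

    disguised          executable whose displayed name ends in a document extension
    double-extension   executable with a document-style inner extension, real one visible
    hidden-executable  executable whose extension is hidden, no decoy extension
    ok                 not executable, or executable with its real extension visible
    """
    stem, real_ext = os.path.splitext(name)
    if real_ext.lower() not in EXECUTABLE:
        return "ok"
    shown = explorer_display(name, hide_known)
    if shown != name:
        shown_ext = os.path.splitext(shown)[1].lower()
        return "disguised" if shown_ext in DOCUMENT_LIKE else "hidden-executable"
    inner_ext = os.path.splitext(stem)[1].lower()
    return "double-extension" if inner_ext in DOCUMENT_LIKE else "ok"


def scan(names, hide_known=True):
    """Return (real name, displayed name, verdict) for every name that is not ok."""
    findings = []
    for name in names:
        verdict = classify(name, hide_known)
        if verdict != "ok":
            findings.append((name, explorer_display(name, hide_known), verdict))
    return findings


# Constructed sample listing, not taken from any real system.
SAMPLE = [
    "partyinvite.doc",
    "partyinvite.doc.exe",
    "file_name.bmp.js",
    "notes.txt",
    "setup.exe",
    "invite.txt.pif",
    "archive.xyz",
]

if __name__ == "__main__":
    for hide in (True, False):
        print("hide known extensions:", hide)
        for real, shown, verdict in scan(SAMPLE, hide_known=hide):
            print(f"  {verdict:18} shown as {shown!r:22} real name {real!r}")
```

Running the scan with `hide_known=False` shows which names stay misleading after the setting is changed.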
How can this possibly be? I thought this was the most secure OS on the planet.
it shouldn't be made executable by the default umask though, so when you go to click on it it'll just try to associate an application with the .exe extension.
Paying taxes to buy civilization is like paying a hooker to buy love.
Old news is old
This is a non-issue. With all of the vulnerabilities in applications that think they are a programming interface (like Acrobat), EXE's might actually be safer to open.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
or any of the others that make you jump through hoops to get at something.
1. Partial menus (Office)
2. The Search Dog (Windows XP)
3. I don't know what else but the way they have features turned off and on makes no sense at all.
The I'm done sig.
In most explorer views isn't there a little thumbnail that shows an image of a type of file? Partyinvite.doc.exe would show a cmd window probably, instead of a blue W. Either way, you should be able to tell what type of file it is.
Maybe I read this somewhere else, as I can't find it on here.
Anyway this is just some prick trying to get a bunch of publicity over something stupid.
You want a solution? How about this: Windows should only hide file extensions for files that don't use custom icons. IOW, a .doc would show up as a Word document (by icon), so it doesn't need the .doc. But if you change the icon of your .exe file to be the word doc icon, then the .exe still shows up.
Now, I'll go make a quick patch and submit the .diff... oh, wait, nevermind.
All say hello to brittneyspearsnaked.jpg.exe !
Gah, these things never die, do they. You'd think the only people falling for this old trap are senior-citizens and six-year-olds.
Today I had to explain to my father that he didn't need to reinstall flash just because some website said so. One of those video sites had simply changed media-servers and since it wasn't on the whitelist the vids began suddenly getting blocked by noscript again.
So I'm glad I was young when computers were new ._. and old before they got really dangerous (in virus terms).
"I Don't Have Enough Faith to be an Atheist"
Why is this happening every time there is a new important release from Microsoft? Is it because everybody focuses on that or because they did not do their homework?
Seriously?
The next story will be warning you that the default account made has Admin privileges and blame Microsoft for not setting up 2 accounts.
Most people wouldn't change their behaviour even if they did see the file extension.
Email programs such as Outlook block .exe attachments, and Executables downloaded using IE display a stern warning before execution.
Changing this wouldn't have helped anyone.
And associating this with Windows 7 is mostly FUD, jumping on the bandwagon just because you don't like it.
Here's the thing: UAC is one layer of defense against this (even though UAC is never called a protective layer, it seems). If there is no verified publisher, UAC will say that the publisher is unknown and thus, in theory, it should trigger a red flag with people. That's how all of my computer illiterate friends approach it, and they've never had problems.
Second, the default view for most folders in 7 is the details view, which means whether a file is an executable will be exposed to the viewer by default regardless of whether extensions are hidden.
By all means, edit this setting if you must, but realize that 7 has already taken a good number of steps to deal with the danger.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
As the summary says, this is a "feature" from Windows 98 onward. What the fuck does it have to do with Windows 7? That they haven't removed this stupid "feature" yet? Big surprise?
this is NOT news!
As a potential lottery winner, I totally support tax cuts for the wealthy
Welcome to Windows 95?!
Filename extensions have been hidden by default for many years now, in all shipping versions of Windows. And they've been making it easy for malware authors to fool users for just as long.
It was an insanely stupid policy on MS's part, and it borders on negligence that they're still doing it.
OSX hides extensions, too, and what's arguably worse, OSX allows you to arbitrarily replace the icon of any file, thereby allowing you to disguise files more easily. Don't some Linux DEs do the same thing?
It's sort of unfortunate that we rely on filename extensions to identify file type at all. Users have a tendency to accidentally remove extensions when they're renaming if you don't hide them. But then if you hide them, then users are missing the single most important cue as to what file-type a file is.
I am a Microsoft Hater.
Having said that, Win7 is *not* yet a release, so I do not think that they can be blamed for this with regards to Windows 7.
That this was apparently a real problem on every OS they have released in the last 11 years, on the other hand, is blameworthy.
Security risk or not, most email programs Microsoft has put out already block potentially harmful files by blocking them from being executed by an uncanny user.
Having said that, why bother using double extension? If you are already hiding file extensions what is to stop you from creating an EXE file with the icon for a word document? That would avoid the mysterious trailing ".doc" on the file - oh no lock up your daughters and your wives!
I'm for having a good anti-virus program and educating users.
Many years ago when I was using Win98 I would always set folder options to NOT hide file extensions, and it still hides that second extension. I had what looked like an ordinary bitmap file, file_name.bmp, but I clicked on it to open it and bam! Its true colors show up and it disappears completely, even with show all files enabled; (file_name.bmp.js) shows for a second and it's gone. So I fdisk Windows off and reinstall, since anti-virus did not find anything and that looked too fishy to be innocent. That taught me to not click on a file to open it; always open a graphics editor/viewer and use File > Open to open them, then if something is wrong the graphics app will complain if something is wrong with the file.
Politics is Treachery, Religion is Brainwashing
At least it'll take the really dumb Windows users out of the loop for a while so the rest of us don't look so bad.
mmmm...forbidden donut
>>>This means that unless the user has the 'Details' view switched on and notices that the file is listed as an 'Application', they would have little chance of realizing it was not a legitimate Word file.
Perhaps noticing that this alleged word file is the ONLY file in their list that actually shows a *.DOC extension might be a cue. But if they don't notice something like that, then they're probably just as likely to click on an *.exe file that was assigned a Word DOC icon.
Joe User is, and has always been, his worst security hazard.
Do we really think that it's going to make a difference to Joe Schmoe? If it has a Word document icon, our hapless friend is going to be duped regardless of whether it ends in ".doc" or ".doc.exe".
May I remind you that, with file extensions hidden by default, ONE SHOULD NEVER SEE A FILE ENTITLED "partyinvite.doc", because that extension should be hidden. The fact that it isn't hidden is already a glaring red flag — which Joe Schmoe is obviously oblivious to.
I turn extensions on by default, but I really don't think that would help Mr. Clueless. Somebody needs to sit him down and explain to him what's going on, and nothing is going to save him from the trouble of paying the proper attention to the files he opens.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Man, wouldn't it be great, if the Windows 7 filesystem contained, oh I dunno, a bit that one could turn on and off, telling the OS that this file was an executable or not?
Hi, I Boris. Hear fix bear, yes?
If there is no verified publisher, UAC will say that the publisher is unknown and thus, in theory, it should trigger a red flag with people.
In general, software not sponsored by a corporation has no verified publisher. This includes a lot of freeware and free software, as a lot of developers don't feel like blowing upwards of $200 per platform per year on certificates to digitally sign new versions of each program.
The original article is here: http://www.f-secure.com/weblog/archives/00001675.html George Ou has "debunked" this "fail" here: http://www.formortals.com/Default.aspx?tabid=36&EntryID=180 This is nothing more than FUD IMHO
The filename should not contain any metadata. The date is not included in the filename, so why is the filetype in there?
Maybe an OS should think to something beyond a file extension to identify the role of a file.
-- if you mod me down, I will become more powerful than you can possibly imagine
If less clutter was the design goal, MS could have started somewhere else. Like the explorer toolbar (just leave the up, back, and forward buttons thank you), the "Go" button beside the address bar, the big explorer sidebar with the many superfluous items, the cluttered search side bar, the pointless icon view, I could go on. They could probably even drop the whole Start menu paradigm and move to right-click on desktop to display the start menu contents, leaving the whole taskbar for application tabs.
Users have a tendency to accidentally remove extensions when they're renaming if you don't hide them.
That's why a good file manager, like the version of Nautilus that comes with Ubuntu Hardy, selects everything before the extension when the user chooses "Rename".
I never did understand why this fuss wasn't made when it was still such an idiot default setting in XP.... and then AGAIN in vista. I was utterly flummoxed it was still so in win7. I'm sure they have the 'well we've got security right now so it doesn't matter' attitude but they're still wrong.
As an Apple fan-boy, I am chagrined to have to point out that there is an analogue of this problem on OS X. Meta information about a file will contain information about its "Creator" (which is often used to determine what application it should be opened with) and also the file Icon.
This allows for a file to have, say a plain text icon but open as something else altogether. Apple has taken some mitigating steps (warnings before executing downloaded files for the first time), but has not changed the underlying problem which stems from concealing information from the user.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
This seems pretty stupid that they just figure this out now and that people actually don't change the settings to show the extension, this would be the first thing you would want to change when you get a computer. So really it isn't all Microsoft's fault, it is mostly theirs, but people need to take the time to fix their settings so things like this won't affect you in any possible way.
I don't use windows much, but does it have anything resembling launchers for gnome?
My point is, if you make a launcher in gnome you can give it any icon you want and any filename you want and have it run any command you want. If windows has something like that then I would say the extension problem is moot.
As informative. never knew about the reactos project... just burned the live cd to try it out!
No comprende? Let me type that a little slower for you...
On every Windows system I've configured, one of my first tasks is to change the file explorer to show extensions and a detailed list view. /.ers would be the same, but what do you find your users prefer?
I've always found extensions much easier to use than icons, and a list view with size/dates much easier than a page of freaking big icons.
I assume most
How can this possibly be?
Your question actually has a face value in excess of its sarcasm content. How did we get here?
I'm stating common knowledge but it's worth reflection since it paints a large picture. In the beginning there was the file and the file was just a marked off stretch of physically contiguous bytes on a tape or drum. It had no internal structure. Having a directory that associated names with file regions was something you had to implement yourself. The filesystems formalized this to having names, hierarchies, and even non-contiguous allocation tables for blocks.
Since that time every new file system has tried to codify the notion of metadata. And in this land of babble, the only common durable hiding place for meta data has turned out to be the filename itself.
Look at HFS for example as a valiant effort in defining meta data like "kind" and "creator", and defining different kinds of forks some of which had uniform storage protocols for resource, so that programs other than the creator could inspect and edit them. And boy what a snarl that has perpetually been. While these still exist, Apple has punted and gone to just using file structures and a specially named file (plists) to hold meta data in a quasi XML format.
And so here we are 30 years later and we're still putting suffixes on our files just like back in the days of DEC and Prime and even before.
And think about perhaps the biggest failure of the Longhorn Debacle. The promise of a revolutionary new filesystem that put meta data and its inspection first. An entirely relational storage system underneath that only mimicked the hierarchical system for legacy purposes.
Deleted from Longhorn, promised again for Vista, and then gone. Promised for Windows 7 then gone.
It's bizarre. Everyone knows what the problem is. HFS was much maligned precisely because it was more complex than suffixes but it's what we really needed back in 1984. And all the others all made so much sense too.
Why are suffixes so enduring? How can this be?
Some drink at the fountain of knowledge. Others just gargle.
The filename should not contain any metadata. The date is not included in the filename, so why is the filetype in there?
Perhaps before we start pointing fingers at Windows, we should look way back before Bill was writing software at this whole extension nonsense?
Take away extensions from Windows l-users and a *NIX SysAdmin noob and see who cries first.
Run virus.exe in XP (SP2), Vista, or (I presume) 7.
What's that box? A security warning about unsigned code?
Rename the file to virus.txt.exe and try again.
What's that box? A security warning about unsigned code?
Fuck off insecurity experts.
Spouting off about "moot" this and "moot" that.
I am very small, utmostly microscopic.
...to allow the typical Windows users to easily rename a file without having him or her remember the particular extension of the file.
Think of a noob trying to change the name of a file: "Image1.jpg" would become "Picture of my Dog Fluffy".
Of course after changing the name and eliminating the file extension, the file would no longer work with the user's favorite program, and chaos would ensue. MS merely nipped that problem before it started (and created another problem in the process!)
If someone says he and his monkey have nothing to hide, they almost certainly do.
4chan is down
I've never understood what was supposed to be more "user friendly" about looking several inches over on the screen to figure out what kind of file you're looking at. It's possible, I suppose, that most people are either still not accustomed to the standard file types--and therefore need the long descriptions over in that column--or just don't mind the clunky design. Then again, I think the default display type for Windows is still "Large Icons," isn't it? With that view, I really don't even know how people keep their unrecognized-type files apart, other than perhaps memorizing their icons and re-learning them whenever they install a new program.
The way a person interacts with a computer (that they'll use for any length of time) is very much an individual preference, possibly as much as the seat and mirror positions in a car. Maybe even more so. One of the first things any of us does when we set up a new system for our own use is to go in and set up the preferences we are used to using, making up the aliases we're accustomed to use, and so on. And then we largely forget about it.
Warning! Windows 7 allows people to steal your identity! *
* if you have browser cookies enabled and password caching and they have physical access to the keyboard.
We would be hearing by now that it wasn't a real vulnerability, since the user has to click on it.
Win 95 called, they want their story back.
I mean seriously, are we going to get a "security researchers uncover HUGE NEW RISK in Windows N" story, for every damn piece of crud Microsoft haven't fixed from the previous versions.
The extension "exploit" was being used to spread malware for donkeys years, and any sensible user turns it off the minute they do a fresh install. Why MS haven't fixed the default is beyond me, but it's NOT new, NOT huge, and definitely NOT news for nerds.
Never hide the file extension.
The same feature exists in XP too - it's simply in the folder preferences of HIDE file extensions of known file types - I fail to see how this is new. Again just another over-exaggerated "problem" with Windows 7.
"i lost my dignity on a slippery wiener"
Great. And? Mac OS X does the same thing. WHO CARES? It's the fault of the users for being stupid, not the fault of whoever made the OS.
This would not be too much of an issue if M$ just implemented a simple rule. File names with multiple periods should never be executable even if the file extension is EXE, COM, BAT, VB etc. Something like this should not be too difficult to implement.
RMS is right now hunting you down to kill you. Possibly by suffocating you in his armpit. What a way to go.
Install
Disable "Start Navigation Sound" (WHY MS? WHY DO YOU KEEP THIS ON?)
Unhide known extensions
Unhide system files
Wow people are really scraping the bottom of the barrel these days to dis Windows. Let's come up with something worthwhile that's not a feature that not 20 years old.
Upon reading this, I wondered whether MacOS X suffered the same issue, so I decided to test. I disabled the showing of all extensions (Finder preferences), duplicated Text Edit, so it appeared as "TextEdit 2" and then edited the visible name to "TextEdit 2.doc". The result was displaying itself as "TextEdit 2.doc.app". For other file types, such as a PDF doing the same thing results in being asked if you are sure you want to change the filename extension, though renaming from the Terminal a PDF from "toto.pdf" to "toto.doc.pdf" resulted in the same visual behaviour as the one observed for the application. It's an interesting solution to the problem, since basically if the file has multiple extensions they are all shown.
The issue described in the post has already caused me issues in the past on Windows XP, on a developer's machine, where extensions were not shown by default. Imagine an Apache conf folder that contains:
http.conf
http.conf.bak
The first one appears as 'http' and the second one as 'httpd.conf'. It didn't hit me straight away that the wrong file was being edited.
Does anyone know how Linux handles this in the various GUI file managers?
Jumpstart the tartan drive.
Aw. It looks like the good old days where people created a .com virus with the same name as a valid .exe file.
Privacy is terrorism.
Why is this a warning? "Warning! Nothing has changed!" As TFA says, this is the way Windows has worked for years across versions. Security people have always lamented this, and over the years many have suggested turning it off. This really isn't a new warning or news.
Well, TFA is surprised that Microsoft has kept a setting unchanged from one Windows version to another. But, I would think that if Microsoft were to have a change of heart and change the default setting, they would first do it for current versions of Windows in a service pack or maybe just an update. And if they were to introduce a new policy or dialog notice to reduce the threat of this default setting, they still would have done it in an update or service pack first, before doing it in a new version of Windows.
why do they keep burying the windows explorer
You can always hit "Windows Key + E" to get Windows Explorer. Ironically, for reasons that are simply a quirk in my brain, I mentally say "Apple+E" every time I hit those keys...
This issue is a bit more complicated than you think.
From my point of view, there's nothing like a good Microsoft bashing, and this is nothing like a good Microsoft bashing. Can we get the editors to only publish Microsoft bashes that make a bit of sense?
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
How is knowing what kind of file is going into your computer redundant?
What kind of gas is that you're putting in your car? 92? 87? LEADED? It's redundant!
What kind of batteries are you putting into that device? 9 volt? AA? It's redundant!
There's no way a user would actually want to know what they're clicking on, right Microsoft?
The eternal struggle of good vs. evil begins within one's self.
...another Windows bug I ran into the other day with how the IE engine deals with URLs.
Given the following URL (with the server properly responding with mime-type of octet-stream and an otherwise proper response):
http://www.somedomain.com/url/path/to/file.exe?query=string
... IE decides that since it doesn't know what a ".exe?query=string" extension is, so it strips the "extension off" and tries to connect to:
http://www.somedomain.com/url/path/to/file
... which (in my case) doesn't exist.
This is another example of why injecting proprietary meaning, which often contradicts with more fundamental established protocols, into processes/protocols is problematic.
Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
If you did not permit extension types like .doc and .jpg you would potentially have little Jonny confused why he could not call a word document "My Holiday" and a picture also called "My Holiday".
The file extension lets the user have different types of files with the same name... hell never mind folders and files with the exact same name :)
One thing I do agree Windows/Dos got right was case insensitivity; I had a rather intense debate with a guy at work saying Linux is case sensitive and is the right way to implement the file system. I then say this will make no sense to the user:
Hello.txt
HELLO.txt
hELLO.TXT
hElLo.tXt
(ditto for unicode characters that look identical but are different byte codes underneath)
These would be valid different files in the Linux world but only one could exist in the Windows world ... which one is more useful to 99.9% of users in the world?
One of the reasons: There is not a standard way to transfer metadata when sending a file as an attachment via email. So we have to rely on the extension.
But it's not bordering on negligence to be an idiot that clicks everything they download after getting a bunch of warnings from Windows, your email suite and your virus scanner? I mean, seriously, do we really need to warn people that if you pick some food off a street vendor you shouldn't just eat it? Look for some signs! Is his cart disgusting? Is he licensed? Is there a bunch of people puking all over the area? How is using the internet any different? Are we all just children that pick food out of garbage cans and pop it right into our mouths? Not showing the file extension, which a lot of users don't even know what the fuck it means anyway, is not going to solve the problem of idiots being idiots.
Oh wait, how many OS's do the exact same thing? Most? Really? So where's the /. news story about some Linux installs and Mac OSX having shitty security? If everyone around here wasn't too busy bashing Microsoft and sucking the penguin's dick maybe we would see some nonpartisan news around here, not just the tech version of Fox's "fair and balanced" bullshit. Not that I'm defending Microsoft, I'm just saying they aren't the only ones cocking things up.
And using OLE Automation, you can spawn Word on a document that is actually embedded in the executable. Of course, when I actually tried this, I got a warning that the file was executable and that I shouldn't open it unless I fully trusted the source, but we can get around that by naming it "dancing bunnies.exe" and giving it an AVI icon and ditto camouflage.
F-Secure points out that .PIF files will have their extension hidden even if you change the display option.
Repton.
They say that only an experienced wizard can do the tengu shuffle.
That explains why I had to manually rename a .exe I downloaded for antivirus software. Figures.
Surely, this makes more sense if the file is named partyinvite.exe and give the executable the same logo as Microsoft Word! I would think it a bit weird to see a file labelled partyinvite.doc if everything else has the .doc hidden! Whereas, an executable file with the Microsoft Word logo could fool me when not thinking about it!
MIME?
Help! I'm a slashdot refugee.
How else could I as an average /. reader have figured out what an executable file is.
This has got to be one of the dumber anti-Windows trolls presented as news I've seen in a while. An evil hacker could also put a post-it note on an idiot's computer telling them to type "FORMAT C:" at a command prompt. People too dumb to recognize icons or use AV software just shouldn't be using computers.
That all said, I've always thought that extension hiding default was one of the more annoying things I have to kill every time I install Windoze. Seems like Redmond just keeps dumbing down the interface, forcing me to work harder at getting the details I need.
Ask me about my sig!
PEBKAC situation. We can't fix that. Sorry. :-\
RUGBYRUGBYRUGBY
that is all.
So why are they just now making this suggestion?! Windows has turned off filename extensions by default for 14 years now... since Windows 95!
In my opinion it is possibly the single stupidest thing Microsoft has ever done, and is always the first thing I turn off when sitting down at a Windows machine. Well, after turning off those stupid sounds and setting the UI to the Windows 2000 theme instead of that butt-ugly default theme in XP (and Vista too, if I used it, which I don't).
You are in a maze of twisty little passages, all alike.
I remember when this was how viruses spread on the Mac in the late 80's. It was clever 20 years ago... Are all architects/developers amnesiacs?
First thing I do with any new windows install is to both "Hide file extensions for known file types" and enable "Show hidden files". I do not like my computer hiding things from me. Ever.
Sig? What's that? Oh, 'signature'...and it's supposed to be witty? Right...
I think it would be a better idea to show the extension while hovering over the icon or highlighting it.
This is a combo of two issues.
1. Who came up with the "smart" idea of encoding the file type in the file name in the first place?!
2. Anyone with any kind of pre-Win98 experience will look for the 3 letter code anyways as it's been around since MS-DOS 1.0 or something...
Oh, and "dual-typed" files are not the only issue. Lately I have seen IM messages from people about some page, that really is a download link to a .com file...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Don't get me wrong, it is a useful feature. It can be really annoying to write out a new file name only to have it wiped for forgetting the file extension, for which you have to restore the original file name to discover.
The really frustrating thing however is that Windows simply refuses to let you discover what that file extension is without making you go through the tedious task of turning them all on. How hard could it be to list it in the properties window for that file? Or perhaps be wildly radical and actually even let you change the file extension there! In fact, if it unequivocally told the average user what the real file extension on a maliciously named .exe actually was, it may just be helpful to some of them. Instead, they just tell you which program has been associated with that extension. I honestly can't believe no one at Microsoft has ever even considered this. It's one of my most common grievances.
Man leaves car unlocked, is shocked to discover it stolen. Immediately tells everyone not to buy that car brand.
I simply do not understand how somebody can talk so much about something that should have been discussed during the '90s
You can make 'My xxx' point at any location you like, even on a network drive - it doesn't have to be inside your profile folder.
Always hated and turned off "Hide extensions for known file types".
This attack vector has been well documented. Windows usually warns you when you launch an exe so only people that have the knee jerk reaction to continue all pop-ups. These people are not even saved by linux. They probably don't use linux because the password thing slows down their experience. It is not the OS's fault.
[By the way, the security problem is not hiding the extensions. The real issue ... being executable by double click].
I don't agree.
I think the real security problem is that the only way to tell what a program does is
For proprietary software, that leaves only "by running it". I don't know about you, but I don't read all the open-source code I run. See also the underhand C code contest (write malicious code that's read-the-source-resistant).
What would improve security somewhat is if each program specified what it wanted to do*, and then got promptly killed if it did anything else; AppArmor does something like this.
* Say, like "I want to write files below /home/${user who runs me}/.emacs.d/**", or "I'd like to make outgoing connections on all tcp ports", or "I'd like to listen for connections", or "I'd like to execute the following programs: [...]".
By having programs explicitly state their externally visible behavior, the user can know what the program does, and whether it's safe to run.
It won't be a panacea, and most people probably won't understand all the implications of letting programs listen for incoming connections on all ports and be able to run arbitrary other programs. But it will allow at least the technical users to have a security policy better than trusting or not trusting the source, which is all you realistically can do.
Well, back when I used windows I always turned this off anyways, but do the users who leave it on not notice that their .doc.exe file is the only one that shows a .doc extension on it?
After considering all your opinions I've decided that this setting will be left alone. This way, incapable or less intelligent computer users will self-eliminate. Only those who take an active interest in their own security will be safe, as it should be. We must get rid of this attitude of "I pay money and nothing is my responsibility after that". It was never true.
And maybe 95
Windows has a few of these misguided attempts at being "user friendly".
Whenever I set up a new Windows PC (or whenever I first log on to a Windows PC) the first thing I do is fix certain defaults that I hate.
Here's what I do:
* Show the file extension
* Switch all folders to "Details" view
* Turn on "always show full menus" (or turn off the "personalize menus")
* Go back to Windows classic start menu (I hate what they did to it from XP onward)
* In Vista, I disable all the theming stuff to get rid of the GIANT DAMN ICONS that you get when dragging/dropping
* Turn off "friendly HTTP errors"
* Turn off automatic searching from the address bar in IE
* Remove Live as the IE search provider and set it to Google instead
* Install Firefox with NoScript and IE Tab and make it the default browser
* Set Windows Update to notify but not download or install (I wanna SEE what they're calling "Critical"... NO, IE8 is NOT. Thank you very much)
Right up there alongside hiding known file extensions in the "what were they thinking" department was the IE Auto Search option for "just take me to the most likely site". I have to think that a LOT of folks got hit by phishing sites through that wonderful feature.
Feh.
The Digital Sorceress
This is an optional profile-specific feature Windows has turned on by default for years, and LOTS of users like it and use it every day. I'm not one of them, but I support many of them.
Most users don't understand file extensions or why a file may not open without the proper extension. If the extension was displayed as part of the file name by default, most users would go about renaming the file and accidentally removing the extension. This windows feature prevents them from doing that - the appropriate action. I hardly think this is something that should be turned off - tons of users would suddenly not know how to manage documents on their computer.
To change this they'd have to have a different way of identifying what type of file it is, so there was no file extension to be manipulated.