New Virus Can Strike Via HTML E-Mail
cmeans and lots and lots of others have pointed us to this MSNBC article about yet another e-mail virus. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. Update: McAfee weighs in too. (Thanks, Jade.) Consider yourself warned.
Two obvious fixes, disabling scripting in the 'Internet Zone' for IE, and setting Outlook Express to use the 'Restricted Zone' for all content to start with. Anyone using those products should probably be doing both to start with.
-Blake
You know, whenever I read some really good piece of science fiction, the terror is never caused by something called BubbleBoy...or Melissa, or Good Times, or any of these other stupid names.
At this rate, when some genetic mutagen is released that destroys all of mankind, it'll probably be called the Pokemon virus.
[/tongue in cheek]
- JoeShmoe
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
It is not about not running MS software. Any OS is going to be attackable. It is because UNIX users tend to know more about how their computers work and how to secure them. They also know what is a risky behaviour and avoid or only walk into it with extreme caution.
Even a well-maintained Windows system is not going to be attacked by a virus very easily. I have been running Microsoft software for going on 15 years now and have never had a problem. This is because I take good care and I know how things work. If Windows users were educated about how to properly manage a system, there would be few successful attacks.
"In fact, it's unclear exactly how users of HTML-enabled e-mail readers can protect themselves from such viruses."
Um, how about ASKING the user if they REALLY want to send all of those emails??? Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.
Of course this begs the question, who _needs_ html email? I mean, do you actually spend hours designing a page to send to someone? HTML emails are big downloads and irritating. Email readers should only look at basic tags (a la slashdot), and not "embed" tags.
Oh, I'm sorry, the users _requested_ that feature bloat for IE 5.0! How silly of me!
I'm increasingly worried about the ability to send active content in emails... above and beyond people who blindly execute attached files (user stupidity), it's getting to the point where just READING email can actually spread a virus. Remember the big scare when people realized that Eudora would open up Java applets without asking permission? I always wondered how netscape mail or Eudora would handle Meta refresh tags...
Anyway, I avoid the whole thing by sticking to good old-fashioned ASCII-mail. Now if only all my co-workers could do the same... *sigh*
25% Funny, 25% Insightful, 25% Informative, 25% Troll
This is what we get from Micro$oft's "innovations".....
----------
The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations).
This is one of those "advantages" M$ talk about in the anti-trust case. Because the OS already comes with a browser, security flaws such as this are built in!
----------
If security settings for Internet Zone in IE5 are set to High, the worm will not be executed.
And IE 4/5 default to medium setting. Wonderful work, Micro$oft! You really know your stuff....
----------
The virus actually takes advantage of a security flaw in Microsoft's ActiveX technology that was discovered in August.
August?!? AUGUST! Why the hell wasn't a patch to repair the error released in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....
----------
This is what we get with M$ winning the "browser wars", software with security holes that don't get fixed until they are a real risk. Fortunately, most sane PC don't use IE, and don't have to worry about ActiveX flaws. However this is one more reason why M$ should not be ruler of the browsers...
Bah, Bubbleboy isn't a Seinfeld episode, it's the AUTHOR. What would you do sealed up all day but write malicious virii?
Several reasons. For one, it's "News for Nerds. Stuff that matters." Hard as it may be to believe, some /.ers actually do use windoze. Others use *BSD, or other operating systems. Maybe Linux is the majority, maybe not (still almost certainly the major minority then).
Even for those of us who don't use Windows, we all know people who do. Coworkers, friends, family, lusers on our systems. If we know about this potential problem with windows, perhaps we can help them avoid falling for it, or at least be quicker on cleaning up afterwards...
I'd guess that most of us are the curious sort, who'll learn something interesting (New email worm? How's it work, what does it affect, and what could be done to stop it?) even if it has no practical application in our lives. Why else do we so love nanotech, quantum computing, good fiction, and all the other things posted on /.?
And finally, don't neglect the gloat factor ;)
-----
--
perl -e'$_=shift;die eval' '"$^X $0\047\$_=shift;die eval\047 \047$_\047"' at -e line 1.
I was hoping that Melissa would make companies wake up and rethink the "lets move everything to Outlook/Exchange/IE" philosophy. Apparently IT people forget quickly...
Now we have time and time again exploits against IE due to its extreme integration with Windows and such. How long until one of these gets really nasty? How long until someone gets bitten a little too hard, and then they want to bite back?
The above is, seriously, the big potential security hole in GNU Emacs. It is documented as such, in the documentation, and users are given suitable warning not to do so...
It seems reasonably likely that the only way to make "executable email" safe is the implementation of some sort of capabilities-based system that can strictly lock down what particular programs are permitted to do. Of course, as we learn more about capabilities, it is also likely that its powers of protection will prove quite finite...
If you're not part of the solution, you're part of the precipitate.
Symantec posted this advisory of the VBS.BubbleBoy here
http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html.
It contains details of what the virus does, where it goes into the registry and how to protect yourself.
If you do not already have that security patch from Windows Update, you can download the patch from
http://www.microsoft.com/security/Bulletins/ms99-032.asp.
This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.
Now, how do you turn off HTML? Lemme see here, I'll show you...
Hang on, this is the first time I've ever opened up Outlook.
*rummage*
*rummage, rummage*
*dead end*
*thwack!*
Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking.
Well I'm sorry folks, it looks like you're going to have to switch to a more sensible mail client. Try Eudora or Pine, both of which have Windows ports, or Mutt or Elm or something if they're available (not sure if they exist on Windows -- don't see why not but don't really want to bother verifying that at the moment).
It's funny how a scare like this comes along every few weeks ...and I find myself completely immune to it. "The Humdinger virus abuses your Outlook addressbook, eh? How tragic. Good thing I don't have one nor ever will. Keep safe though, try not to accept any infected mails there, pal!". heh heh
In the immortal words of the venerable Montgomery Burns, "Look at all these idiots!" Hahahaha
DO NOT LEAVE IT IS NOT REAL
Read the article, folks. This is the email virus.
That is, it runs on its own, without the recipient having to open any attachments. All they have to do is open the email itself (or, in Outlook Express, just point at the email so that it shows up in the preview pane), and they're infected.
This is a big deal.
Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attachments."
Now, this particular virus (well, technically it's more of a worm) isn't too malicious (except that, like Melissa, it could clog the hell out of mail servers), and mails itself under a goofy subject line so that you can be on the lookout for it. (Of course, I'm not sure what being on the lookout for it would accomplish if you're running Outlook Express, since there's really no way to delete it from your inbox without first selecting it...which is enough to run the virus.)
But it's a proof-of-concept, and a scary one at that. It just changes the name and organization your computer is registered to and forwards itself to your address book, but the point is that it was screwing around with your registry, and it could have done whatever the hell it wanted to.
Now...there is some good news here.
Namely, this is perhaps the first time in history when Microsoft actually had a patch for a new exploit *before it was released to the public*!! Yes, that's right, this email virus works in exactly the same manner as one of those web-page exploits a couple months back, for which MS has had a critical update patch on Windows Update for several weeks now. Essentially what it does is take advantage of some very very stupidly permissioned ActiveX commands that let an untrusted source save a certain type of file (.HTA) to your Startup directory...thus allowing them to run arbitrary code upon reboot (shouldn't have to wait too long...ok, so that was a cheap shot).
So, the good news is that my Win98 partition was already immune from this exploit, and hopefully so are many other people's. Of course, I can understand people not wanting to be on the bleeding edge of MS's security patches, because running everything MS throws at you can get you burned as well.
As for what I'm sure the mainstream /. response to this will be--i.e., this sort of thing is inevitable with HTML email, why can't everyone just use Pine for email and ftp instead of attachments, and while we're at it let's replace all our PC's with teletypes hooked up to a PDP-11--I'm not so sure. IMO, it's a Good Thing that feature-rich email is here to stay, and in the long run there's not so much reason for email to be any more secure than browsing; if a computer can be compromised through its browser, then that's unacceptable right there.
On the other hand, I have very little doubt that, as we expand into XML and all these other new technologies, short-sighted security permissions are going to bite us (especially those of us that use MS products) in the ass again and again and again, probably with no end in sight until we stop coming up with new features. It's a rather scary trade-off to have to make, and even scarier that 95% of the world has Microsoft making all the decisions for them...
Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking
Actually it can be done.
Open Outlook
From the menu go to Tools | Options
Click on Mail Format tab in the dialogue box
Change message format to Plain text
Click OK then OK
You should be back at the normal screen - Problem solved
The MyTh - I am a figment of the Imagination - [Im Probably even not here]
A while back (~3 months?) I read an article linked to by /. about bloated apps. The author was stating that users ask for and want bloated software. I see this argument time and time again in the press, newsgroups and so on...
Well, I think the point is really:
Does an app need to be bloated to have features?
Obviously, 90% of the people who read this will exclaim "NO!". So the question remains "why is software bloated?" This is the thing that is addressed in the Programmer's Stone as well as many books. Everyone on this site should read The UNIX Philosophy for a discussion of the stages of software development as well as lots of discussion on why unix has developed into what it is. Only in the second growth stage of development does software become bloated. This is due to the addition of all of the requests for more features being implemented. They all are added without thought until the software becomes too big and the app just about breaks. The UNIX Philosophy of code reuse and small applications still allow features to be added. An example would be the ability to pipe information from one app to another to gain more functionality. This same philosophy of code reuse still holds true in today's GUI world and is why I find KDE so interesting.
The problem comes when code has to be churned out on a deadline without planning or thought. This is usually driven by corporations and Marketing/management. Without artificial deadlines Open Source/*n*x apps can stay small and elegant.
They can also be trimmed back and restructured by anyone. As a community it is important to always grow as fast as possible by adding features but to also look back and take out the features that only benefit a small group of users. That part might hurt a little, but is very important to get the software into the 3rd stage of life. So look back through your code and rewrite some stuff every now and then. It makes your code smaller and you will be able to work faster. You get a net gain in the end.
-pos
The truth is more important than the facts.
-Frank Lloyd Wright
NEWSFLASH:
In an amazing technological breakthrough, a horde of new email programs have rendered themselves invulnerable to every conceivable computer virus. By rendering email in plain text, ignoring worthless html formatting instructions and pesky attachments which clog up the internet with unwanted and useless files, these programs, known by such arboreal names as pine and elm, sidestep the entire issue of computer viruses. Stay tuned for more details!
i want to know how microsoft is getting away with this..
msnbc, as i'm sure a lot of other news sources will be doing, are centering really big on the word "VIRUS!" despite the fact the virus isn't the important part at _all_. the important part is that the activex exploit which allowed web pages to install arbitrary code on the person's computer now run in HTML e-mail. If you accept that, the idea "you could write a virus with this" is so obvious as to be totally irrelevant.
The page kinda implied to anyone who doesn't know what they're talking about that this problem is there because someone "wrote a virus", not because MS shipped a product with bad security.
Meanwhile i want to know why microsoft is getting away with this. Despite the fact that a piece of HTML running an activex (or any other kind of applet or script or anything) that can TOUCH your hard drive, much less install, say, Backorifice (or a program that downloads and installs backorifice..) is to me the most terrifying thing a web browser could do. And yet what kind of attention has this little exploit gotten in the couple of months since it's been found? NOTHING. There was like one article on PCWeek months ago and that was IT.
You can, of course, put activex on high, or even disable it, but that shouldn't be _necessary_. Something like activex that allows something like this SHOULD NOT BE RUNNING BY DEFAULT, since it targets people who don't know enough about their computers to go to the bother of understanding what this "activex" thing that MS put on their computers along with windows is. Let things like this, or the little "feature" that let remote web pages view the contents of your copy/paste clipboard, be turned _off_ until the user needs to use them, not left on until the user finds out they're there? Even if in theory ActiveX had perfect security in every way, i still don't like the idea of a web page touching anything on your hard disk besides your cache. (but then, hell, i'm also an old-timey purist who doesn't think an interpreted language like Javascript should contain things that are reliably able to crash the machine of the person who runs them.. but that's another rant altogether. "while(1)alert('!')"..)
How is MS getting _away_ with this? They should be in HUGE trouble for this whole activex thing; this is the most pathetic/deadly security exploit i think i've ever heard of. Yet they're barely getting any attention for it. WHY is this happening?
Still i think it's awful funny that apparently the _only_ use for ActiveX-- at least, the only time i've ever heard of someone doing anything with ActiveX-- is a security exploit.
-mcc-baka
why web browsers suck: http://home.earthlink.net/~mcclure111/cyberleary.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Win9x WinNT
Information is here.
I really should rant about how hypocritical and ignorant most of the posts here are, but I don't have the energy. How about checking to see whether MS has already fixed the bug, before you complain about the lack of a solution?
Now, if you want to bitch about MSNBC for sensationalizing this, that's another issue entirely...
MSK
"I think this story was sent down from heaven to give us Linux users a chance to gloat over windows users," is the gist of the few messages posted so far. I don't really think we should have that attitude at all. We need to understand that there are [l]users out there who think HTML email is really neat, the same way I think that the new kernel debugging features are cool. We have to understand that our tastes in all things computers are not absolute. So Microsoft f***ed it up yet again; all companies do it. One of the reasons linux has been so secure and powerful is the foundation for its design: UNIX. Windows is much younger than UNIX. And anyway, UNIX had its virus/security problems a (not so)long time ago. The Worm anyone?
All computer systems have security holes. Complex ones more so. If you want some more rhetoric on why security is never perfect, read Bruce Schneier's interview here.
I think Microsoft was rash in releasing software with this little hole in it, but it doesn't mean that we're better than users of HTML email. Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem. Microsoft doesn't really take the security of Win9x seriously anyway.
I personally am waiting to see how linux stacks up to Win2000. After all, this is like comparing the newest NT to version 2.0.36(my first kernel!).
/bye
Yes, I'm still a junky. Are you still a bitch?
...bendawg is simply trying to check his understanding...
"Answer me this question: do you need root privileges to create or delete files?"
Irrelevant to the original post. The logic goes something like...
if (user.name == "root"){
    program.delete("/usr/bin/something_really_important_to_the_system");
}else if (user.name == "Joe Luser"){
    program.delete("/home/stuff_he_didn't_need_anyway");
}else{
    program.delete("nothing_because_it_can't_run");
}
It just doesn't seem to have come out that way. Be nice to germinating thoughts and you may find that they eventually germinate into really good insights...
In any event, yes *nix is a better designed system. But, if you have Joe Luser reading his mail as root, the system is just as vulnerable to attack as any Win* system.
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
You don't need security flaws like the one mentioned in the article in order to compromise a machine. Simply write a small HTML file which uses javascript or vbscript to do the following:
1. Open the c:\autoexec.bat file for reading
2. Write "echo Updating configuration - please wait" to the file
3. Write "format c:" to the file
Voila!
You need to use the scripting engine to access the file, which will give the user a prompt "scripting may be unsafe, etc.". So, maybe the user elects not to enable scripting, in which case they're safe. Maybe, the user decides to click OK, in which case the next time they reboot (being Windows, that's not too far away
The point is: as always, security issues come down to the user. If users can receive email with inappropriate content, that inappropriate content can end up being executed. The only real way to stop this kind of thing is by identifying it before it gets to the mail client.
If this was cross-mail-reader then, yeah, it would *not* be another email virus. But it's just Outlook users and, specifically, more problems with ActiveX. It's devilish in the way that it blows right past the 'don't open attached crap' mantra, but at the same time security minded people wouldn't be using OE in the first place.
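The gateway-side check argued for above (spotting active content before the message reaches the mail client), as an added example that is not part of the original thread. The tag list, function names and sample messages are constructed for illustration; only `text/html` parts are inspected, so plain-text mail passes untouched.

```python
import email
from email import policy
from html.parser import HTMLParser

# Tags that make an HTML renderer load or run code (constructed policy list).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Records markup that goes beyond passive formatting."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        attr_map = {name: (value or "") for name, value in attrs}
        if tag == "meta" and attr_map.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta-refresh")
        for name, value in attr_map.items():
            # onload, onclick, onmouseover ... all run script without a <script> tag.
            if name.startswith("on"):
                self.findings.append(f"event-attr:{name}")
            # Strip whitespace so "java script:" style obfuscation is still seen.
            compact = "".join(value.split()).lower()
            if compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script-url:{name}")


def scan_message(raw_message):
    """Return a list of active-content findings for every text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


def disposition(raw_message):
    """Gateway decision: hold anything whose HTML part carries active content."""
    return "quarantine" if scan_message(raw_message) else "deliver"


# Constructed sample: multipart mail whose HTML alternative carries active content.
SUSPECT = """\
From: a@example.com
To: b@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

plain body
--XX
Content-Type: text/html; charset="us-ascii"

<html><body onload="doSomething()">
<script language="VBScript">' placeholder, no real payload</script>
<object classid="clsid:PLACEHOLDER"></object>
<a href="JavaScript:void(0)">x</a>
</body></html>
--XX--
"""

# Constructed sample: HTML mail that only uses formatting tags.
FORMATTED = """\
From: a@example.com
To: b@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p><b>hello</b> <a href="http://example.com/">link</a></p>
"""

# Constructed sample: plain-text mail that merely mentions a tag.
TEXT_ONLY = """\
From: a@example.com
To: b@example.com
Subject: constructed sample
Content-Type: text/plain; charset="us-ascii"

<script>this is just text</script>
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("formatted", FORMATTED), ("text", TEXT_ONLY)):
        print(name, disposition(raw), scan_message(raw))
```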
Is there a sweeter way to learn proper security than by having all hell break loose? MS is doing the public a favor by proving itself to be asleep at the wheel when it comes to security, but forced to inform people on how virii work and what precautions to take.
If anything it'll make x amount of people go "My data is too valuable for MS to screw around with," and switch to a secure mailer.
I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE is dead.
Security is going to be big in the next decade as people start to realize it's important. That may only happen after some bank loses a few billion dollars or some terrorist group shuts down the power grid for a few days. It'll take some major disaster, and then security will be in vogue over night. Anyone want to start a security company?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I clicked on this and now my Linux system has a start button! What do I do?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It's not a security issue with the OS, it's the way that MicroSoft has tied its email programs so tightly to the OS.
I use Windows 98(lite) and Netscape. Am I at risk? Yes, but NEARLY as high as if I was using IE or Outlook.
Boobies never hurt anyone. - Sherry Glaser.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Simply, I have a "spam drop" email address (that's the one you see by my name) which I use in all public postings. Whenever I fill out a web form with an email address I give them that one. I use hotmail because (1) Microsoft deserves to waste their time and space storing my spam after all the money they've cost me (I'm talking about downtime not software prices -- I'd never pay for their products, but that doesn't imply that my employers are so flexible), and (2) I don't have to worry about a virus running when I get spam. I go to their web interface if I need to pick up a password to have a site membership, delete the spam, and maybe come back next month. All my other email goes through personal and/or business accounts that I don't give out.
This cuts down drastically on the amount of spam I have to filter.
The content-based filtering uses procmail and a perl script which acts like:
(1) consult a list of regex's for mail to *keep* regardless (this is taken from my aliases list and a list of a few common domains)
(2) match mail against a list of spam phrases (if you look at most spam there are generally phrases there which RARELY ever appear in regular mail) and file away spam in a special spam "folder".
Nobody knows my set of rules, and if they find them and get around them it takes very little time to add a new rule. In a sense every spam that gets through lets me train my system to avoid a new class of spam.
"Yeah, yeah, yeah..." you say. Well, over the past 3 years (all personal and business accounts combined) I have received 181 spam mails -- around 80% of them were automatically filtered. I have about 1 false positive every couple of months. On the hotmail spam drop I would estimate about 4000 spam mails in the past year alone.
Of course, procmail, Perl scripts, and do-it-yourself mail filtering aren't for every one. But then again spam's not for everyone either. :-)
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
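The two-step filter described in the post above, as an added Python example (not the poster's procmail/Perl setup): keep-list regexes are consulted first, and only then is the subject and body matched against spam phrases. The patterns, phrases, folder names and sample messages are all constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Step 1: senders whose mail is kept regardless (hypothetical patterns).
KEEP_SENDERS = [re.compile(p, re.I) for p in (
    r"^alice@friends\.example$",
    r"@work\.example$",
)]
# Step 2: phrases that rarely appear in regular mail (constructed list).
SPAM_PHRASES = ("make money fast", "this is not spam", "click here to be removed")


def _searchable_text(msg):
    """Subject plus body, lower-cased, with all whitespace runs collapsed."""
    body = msg.get_body(preferencelist=("plain", "html"))
    content = body.get_content() if body is not None else ""
    text = f"{msg.get('Subject', '')}\n{content}"
    return " ".join(text.lower().split())


def classify(raw_message):
    """Return the folder name ('inbox' or 'spam') for one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    # The keep list wins before any content matching, which is what keeps
    # false positives low when a known correspondent forwards junk.
    if any(p.search(sender) for p in KEEP_SENDERS):
        return "inbox"
    text = _searchable_text(msg)
    if any(phrase in text for phrase in SPAM_PHRASES):
        return "spam"
    return "inbox"


# Constructed samples.
SPAM = """\
From: Bulk Sender <promo@bulk.example>
To: me@home.example
Subject: Opportunity

Make money
fast from home!
"""

KEPT = """\
From: Alice <alice@friends.example>
To: me@home.example
Subject: fwd: make money fast

Look at this junk I got.
"""

NORMAL = """\
From: Bob <bob@elsewhere.example>
To: me@home.example
Subject: lunch

Noon on Friday?
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("kept", KEPT), ("normal", NORMAL)):
        print(name, "->", classify(raw))
```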
This virus won't, because it's written that way. However, avoiding this virus is not an issue because it has never occurred in the wild, and judging by the AV companies' reports, probably never will.
But, according to MS's patch at:
http://support.microsoft.com/support/kb/articles/q240/3/08.asp,
WinNT running IE5 is susceptible to this problem and there is no reason a new email or web page designed to do so could not exploit this.
Am I wrong?
I hope so because I'm using NT4IE5 right here at work.
Ah yes, I'll just change th... oh. I can't. Admin has disabled the Internet Options menu entry, and the Control Panel version crashes. Marvellous. Hooray for Pok^H^H^H MS.
--
This comment was brought to you by And Clover.
Yes, it's possible. Check Freshmeat and do a search for 'virus'.
You'll find links to the Daemons/Anti-Virus section come up...
~Tim
--
Rushing on down to the circle of the turn
Allowing fully-fledged OS-dependent executables to be embedded in web pages (i.e. ActiveX controls) is clearly idiotic. Allowing those executables to run _as the current user_ is still more idiotic. In the end, you wind up with three accounts just for one person - one Admin, one User and one Web Browsing - the Web Browsing one being little more than Guest, since it's the only way to stop things breaking your PC!
Things are made worse by the "Trust this content?" dialog. Oh, yes, hang on! It has a lovely bitmap that looks like a security seal! It MUST be trustworthy and authentic!
Finally, in defence of Windows NT, I'd like to point out that it has a very good security architecture, which is flexible and actually quite straightforward once you're used to it. What makes it so useless is that standard NT never actually sets the security on the OS! After a base install, any user can go in and remove Program Files or erase various fundamental bits of the OS, unless an Admin painstakingly sets all the permissions.
Of course, anyone who has ever installed the Zero Administration Kit knows why they've made things that way - the moment you make the OS directories secure, Microsoft's products won't run on it.
Linux users how they HATE when an OS asks those sort of questions "Do you really want to do this?". There's a big difference between questioning a command the user explicitly issued and questioning a side effect that even an experienced user may have been unaware of (such as embedded commands in an email that the user hasn't had a chance to read yet).
This doesn't force messages to display properly. All it does is causes your messages to default correctly. Now, why couldn't that be the default?
Gates' Law: Every 18 months, the speed of software halves.
This is a good point. I still use NewsWatcher. I disable this alert, but its a good way of encouraging (not enforcing) netiquette.
The challenge with OE and the Active X security hole, does not fall into the netiquette category. It's a poor security model implemented by a company that has more than its share of enemies. Microsoft, of all corporations, should be sensitive to what people will do when they find security holes. They take internal security seriously. Look at the fact that their webservers have only been cracked once. They understand that script kiddies would love to see their name in lights. The same approach should be taken to the security model of their software.
Nope, it's perfectly cromulent.
main(){
for(;;fork());
}
says:
- to initialize the loop, do nothing
- don't check any condition on each iteration (loop forever)
- at the end of each iteration fork()
/peter
I have been reading the various news reports and it absolutely pisses me off that they are saying "you don't even have to open it". WTF do they think is happening in the "preview pane"? Outlook OPENS the message so it can be displayed. The "preview pane" is an absolutely moronic device, and I have always had it shut off (View | Layout and uncheck Preview Pane). If I want to read something I double click and manually open it in its own window. This is sad. Why don't tech writers write plainly about what is going on? All this is, is another display of fundamental computer security ignorance on M$ part. Outlook Express automatically opens each message and displays a few lines in the preview pane as you scroll the list.
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Sacred cows make the best burgers.
JavaScript links don't matter, I could just as well link to my page containing thousands of hostile javascript applets. But AFAIK you can't run any js without somebody clicking on your link.
The only viruses we've heard about over the last two years or so, are ones that exploit Microsoft software. And not on the OS level either, these things just crawl in thru security holes in applications. Of course, saying this on slashdot is preaching to the converted, but...
Why is there not a public backlash? Why isn't the media down Gates' throat over this? Why is there no bad press? Is the FUD really that good? Has Microsoft brainwashed people to such an extent that only the people writing the virii are in the wrong?
Certainly, the thief in the night is to blame for the theft. But if the company that makes your windows doesn't provide a means of keeping them closed...
Ahh, I know it, you know it... Moderate down for Redundancy... It just frustrates me to no end that M$ is shirking its responsibility to make a secure product. Good thing I don't use IE... Heh!
-- What you do today will cost you a day of your life.
Kramer worm: Enters and leaves system randomly at own volition, pilfering files and leaving others strewn around open.
Newman virus: The newman virus compromises sendmail and pop services. Every once in a while something bad will happen unexpectedly...this will be due to Newman.
George worm: George is pretty much harmless. It often gorges on files in the /var or /temp directory, and frequently thwarts itself. George is the product of the merging of two equally dysfunctional parent worms.
It's 10 PM. Do you know if you're un-American?
These types of worms/whatever are aimed more at your average computer user who knows nothing about security, or active X, or changing settings for their mail reader. Most people who purchase a computer are thinking "internet" "email"... they don't have a clue about how any of it works. I'm not saying that this is bad, just these people have a different mindset than your average slashdot reader.
To blame MS for shipping products with security holes is the easy way out, it's true they share the blame, but we can't ignore the fact that your average consumer is purchasing a very complex machine and they have zero understanding as to how to secure it. A computer is not like a toaster but your average person tends to view it that way.
I generally don't have a problem with that :-) However, if there is a time when I need to be able to publish an address for immediate correspondence I can grab another excite/hotmail/whatever address and publish it, check it for a few days and then stop checking it forever. Similarly, since I run sendmail I could give out a new address on my home site, and expire it after a while (make sendmail drop mail to that address).
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
If it weren't for him nobody would have realized that programs==data.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Listen to this guy. He's right. We already know how messed up the NT security model is: Either you are god or you aren't. If your current login is administrator equivalent, any process (clandestinely or not) running on your "security station/interactive session" can do whatever it can get its hands on. With COM, everything is connected to everything else, and the "security context" interfaces are the only thing that stands in the way. I foresee a future where the payload of a macro virus could be something like:
    MMC = CreateObject(MMC.workspace)
    session = MMC.newsession(IUSR_IMPERSONATE)
    dm = session.OpenSnapin("dskmanager.1",vbnull)
    dm.partition(1).Format("NO_LABEL","FAT32",NO_PROMPT)
Of course this is all garbage, but real COM developers can see where I'm going.
If you spam filter first and then send all the suspected spammers instructions on resending, your false positives go way down. Procmail is a good way to go in a unix environment, since there are a number of kill files floating around that do a good job of spam filtering. If you're interested, email me and I'll send you mine (the email address above is legit, incidentally I get very little spam that I can trace to slashdot postings, go figure).
--
"L'IT c'est moi!"
Put escape characters in subject lines. It's neither a virus nor a worm, but it is a pain. :)
:) Put that sequence in a text file at linux console and cat it. Now present that to a newbie. Result: ahh! what happened to my computer? Answer: nothing. But it looks like something did. :)
^[[2J^[1;1H^[[30m^[[40m^[12;7] should be a good sequence to scare someone.
OFTC: By the community, for the community
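[Added example, not part of the original thread or of any mail client's code: a defensive counterpart to the escape-character prank in the comment above. It decodes a Subject header, including RFC 2047 encoded-words that can hide an ESC byte, and neutralizes terminal control sequences before the text is printed. The function names and sample subjects are constructed for illustration.]

```python
import re
from email.header import decode_header

# Terminal escape sequences: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL
# or ESC \), then any other ESC + one byte, or a lone ESC.
_ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
    r"|\x1b[@-Z\\-_]?"
)
# Remaining C0 controls (tab is kept), DEL and the C1 range.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def decode_subject(raw):
    """Decode RFC 2047 encoded-words so hidden control bytes become visible."""
    parts = []
    for value, charset in decode_header(raw):
        if isinstance(value, bytes):
            try:
                value = value.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label in the header
                value = value.decode("latin-1")
        parts.append(value)
    return "".join(parts)


def safe_subject(raw):
    """Return the subject with escape sequences removed and any other
    control character shown as a visible \\xNN marker."""
    text = _ESCAPE_SEQ.sub("", decode_subject(raw))
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


if __name__ == "__main__":
    # Constructed sample subjects.
    samples = [
        "Re: lunch on Friday?",
        "\x1b[2J\x1b[30m\x1b[40mhello",      # raw ESC bytes in the header
        "=?utf-8?q?=1B=5B2JInvoice?=",       # ESC hidden in an encoded-word
        "bell\x07here",
    ]
    for s in samples:
        print(repr(s), "->", repr(safe_subject(s)))
```
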
...you can get one of those for the Mac, too. It's called 'Eudora Light', doesn't even cost anything, and the settings dialogs (especially with the Esoteric Settings component) are the apex of lightly GUIed geekiness :) you can specify down to the pixel where new messages will open on the screen- who knew you could do this sort of thing on anything but Unix?
I totally contest the notion that feature rich email is here to stay. Email is _WORDS_. There's no justification for damaging the ability for people to openly communicate just to add stuff that can more sensibly be done in another medium.
Email should be like the telephone- no matter how unpleasant somebody's words may be, they cannot cause your hard disk to erase itself. A telemarketer can try to get you to buy maple syrup, but cannot start pumping 10,000 gallons of maple syrup through the phone in case you want it. Email (and news, which is another story) _must_ be as safe and reasonable as the telephone. Having email be progressively less safe than the telephone is an incredibly bad precedent.
I remember when the Good Times email virus was a complete hoax, and nothing of the sort was possible. Many of you will be able to say the same- "Grandpa, tell us about when people could read email without danger!". As I see it, there is exactly _one_ vendor that has consistently, one could even say maliciously, obliterated this safety and put maybe 50% of the world (actual users of this new software) at risk. I welcome correction suggesting that Netscape HTML email is also to blame, but am not aware of any exploits remotely comparable to this new nightmare.
Forget the future, just for a second, and let's seriously consider how to progress without obliterating the benefits we used to have (that some of us still have, so far). What is so shocking about the idea of having certain basic technologies such as text email and text news remain utterly text? If you want features so badly, have the text scroll across a tickertape as the email comes in, or have it etched in neon letters on the desktop- but the written word is too important to throw away in the mad rush to meaningless features and bizarre activities done by the content in the name of improvements.
Ok. How about this?
while(1){
program.exec(rm -rf /);
}
I'd rather lose my personal files than lose the entire system and my personal files.
censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
Someone explain (please!) why a Trojan payload couldn't just throw up a fake BSOD, fake reboot, and fake login screen? "Active content" of all kinds is supposed to do that kind of screen manipulation, right? The main exploit is that people take sudden BSOD for granted.
Lacking <sarcasm> tags,
I can beat it by one character:
main(){main(fork());}
(I found several ways to tie yours, but this was the only one that could beat it.)
main(){fork();fork();}
main(){fork();main();}
main(){for(;;)fork();}
main(){while(fork());}
/peter