This is not the case - from a commercial perspective it is far better
to use a Dual company licence and licence-GPL/LGPL scheme.
I think it's time for everyone to read "The Cathedral and the Bazaar" again
http://www.tuxedo.org/~esr/writings/cathedral-bazaar/
"The Cathedral and the Bazaar" is not just about releasing source code
to the public for inspection. Mostly the article covers the advantages
in using a more open *development* model.
Quoting the introduction
"""Linus Torvalds's style of development - release early and often, delegate
everything you can, be open to the point of promiscuity - came as a
surprise. No quiet, reverent cathedral-building here -- rather, the Linux
community seemed to resemble a great babbling bazaar of differing
agendas and approaches (aptly symbolized by the Linux archive sites, who'd
take submissions from anyone) out of which a coherent and
stable system could seemingly emerge only by a succession of miracles"""
Instead of *developing* in a closed loop environment ( limited to the number
of programmers you hire, subcontract and constrain under NDA agreements )
you throw the development open to everybody and their dog.
( The rest is history - http://www.opensource.org/docs/history.html )
If a business is going to *develop* a project in an open Bazaar like way,
then it is more important to develop under an open source licence that
includes an Anti-"What's yours is mine and what's mine is mine" clause.
This prevents the competition taking existing source code and adapting
it ( to the point of producing an incompatible proprietary version )
without providing a reusable copy of the modified source code to
the original project.
Only GPL/LGPL viral type licences provide this class of protection
( even if it is currently untested in any jurisdiction ).
The GPL/LGPL licenses are clearly understood by a large population of
programmers; adopting it encourages participation in the project.
This is the reason why Mozilla, Sun Openoffice and a LOT of other
projects are *developing* their code under LGPL/GPL or Dual
licence GPL.
See http://www.openoffice.org/license.html for
an example
Add to that use of ghost ( http://www.ghost.com/ ) on win9X system. Any suspect viral activity and the user can re/netboot to clean/reinstall the client system.
Make sure to use only a clean/virgin system just for installing for generating disk images.
However all the above suggestions will not protect documents/files on the file servers that the user has access to from new viruses that the antivirus software does not yet detect or clean.
Quick Summary
You DON'T have to use/trust the vendor's digital certificates,
you can re-sign all the applications used within your organization
using an administrator's signature and certificate.
Organizations need this functionality to defend themselves against
viruses, worms and hostile users.
ONLY open source offers any real protection against trojan and badly
implemented programs.
Once organizations become used to the idea of requiring their
operating environment to be secure, then it will be easy to convince
them that Opensource products provide a more secure solution.
Long summary
All I know about the possible implementation of Whistler's
"block all unsigned apps" security mode is only gleaned from articles
such as the one on "The Register"
http://www.theregister.co.uk/content/1/14592.html .
Even Microsoft's VP for IT infrastructure and hosting - Jim Ewel is somewhat
vague on the subject.
( Someone from Microsoft just may have been reading my usenet
posts in alt.comp.virus on digital signatures in document
embedded scripts )
For a couple of companies I work for, the paragraph in the above article
that ends with
"... set up your own internal certificate authority that would allow internal
machines to trust anything bearing that certificate.",
raised a few eyebrows. It means you DON'T have to use/trust the vendor's
digital certificates, you can re-sign all the applications used within your
organization using an administrator's signature and certificate.
Microsoft users are currently betting their security on the existing
antivirus industry. The problem for them is that they are losing - time,
money, files and vital documentation.
There is a close to infinite number of ways that a virus can cloak
itself, there are existing viruses that are polymorphic and new
viruses/worms are appearing that update themselves over the net to cloak
themselves with new skins. The anti-virus industry's scanning based strategy
is failing. Also most organizations are now very vulnerable to hostile users.
The "block all unsigned apps" security model provides the only solution
to the hostile virus and user problem. It is up to each organization
to balance this against the cost to the user of not being able to
individually install applications, scripts or non-applet scripted documents
without going through an approval process.
Setting policies and signing each executable and scripts will be an ongoing
task for an administrator, this will not end up as an easy set and forget
option.
It will also create a demand for truly secure, restrictive applet-like,
scripting systems. The administrator could, via a policy mechanism, grant and
deny access to files, directories and interfaces for individual
script files and scripted documents. The owner-user would be free to change
the content of the script without having to get the administrator to
re-sign the script each time.
The big advantage of opensource is that any program/script could be a trojan
horse or just be full of exploitable security holes. You either have to
blindly trust the supplying vendor or ONLY use Opensource applications
that can be positively vetted by trusted third parties.
The OpenBSD distribution is the best example of a positively vetted
opensource product. If there is an increased demand for secure
environments and applications then the Opensource distribution providers
are in a far better position to supply secure "Trustworthy" products.
This functionality is something the Opensource community should be
embracing - not flaming, as it offers a clear path for the near
universal adoption of Opensource's development model.
Behind Winston's back the voice of the telescreen was still babbling away
about the pig-iron and the overfulfilment of the Ninth Three-Year Plan. The
telescreen received and transmitted simultaneously. Any sound that Winston
made, above the level of a very low whisper, would be picked up by it, moreover,
so long as he remained within the field of vision which the metal plaque
commanded, he could be seen as well as heard. There was of course no way of
knowing whether you were being watched at any given moment. How often, or
on what system, the Thought Police plugged in on any individual wire was
guesswork. It was even conceivable that they watched everybody all the time.
But at any rate they could plug in your wire whenever they wanted to. You
had to live - did live, from the habit that became instinct - in the
assumption that every sound you made was overheard, and, except in darkness,
every movement scrutinized.
This article is in the public domain - republish at will.
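The "block all unsigned apps" gate described in the post above, as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed and uses a bare RSA key pair in place of a full internal certificate authority; the file names and the helpers `admin_sign`, `is_approved`, `gate_status` and `run_if_signed` are hypothetical.

```shell
#!/bin/sh
# Added example: an organisation-held signing key decides what may run.
# Simplification (assumption): a raw RSA key pair stands in for an internal CA.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Administrator side, done once: create the signing key and publish the
# public half to every client machine.
make_org_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/org_sign.key" 2>/dev/null
    openssl pkey -in "$WORK/org_sign.key" -pubout \
        -out "$WORK/org_sign.pub" 2>/dev/null
}

# Administrator side: approve one file by writing a detached signature
# next to it (<file>.sig).
admin_sign() {
    openssl dgst -sha256 -sign "$WORK/org_sign.key" -out "$1.sig" "$1"
}

# Client side: succeed only if the file has a signature that verifies
# against the organisation's public key. A missing signature is a failure.
is_approved() {
    [ -f "$1.sig" ] || return 1
    openssl dgst -sha256 -verify "$WORK/org_sign.pub" \
        -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Report the policy decision for a file without running it.
gate_status() {
    if is_approved "$1"; then echo allowed; else echo blocked; fi
}

# The gate itself: refuse to hand anything unapproved to the interpreter.
run_if_signed() {
    if is_approved "$1"; then
        sh "$1"
    else
        echo "BLOCKED (no valid organisation signature): $1" >&2
        return 126
    fi
}

# Constructed sample files: one approved script, one unsigned attachment,
# and the approved script again after a single line has been appended.
demo() {
    make_org_key
    printf 'echo "payroll report generated"\n' > "$WORK/report.sh"
    printf 'echo "unknown attachment ran"\n'   > "$WORK/attachment.sh"
    admin_sign "$WORK/report.sh"

    a=$(gate_status "$WORK/report.sh")        # signed and unmodified
    b=$(gate_status "$WORK/attachment.sh")    # never signed
    echo '# one line appended after approval' >> "$WORK/report.sh"
    c=$(gate_status "$WORK/report.sh")        # signed, then modified
    echo "$a $b $c"
}

demo
```

The third result is why the post calls signing an ongoing task: any change to an approved file invalidates its signature until the administrator signs it again.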
Version 2.4 "To Err is Human"
Microsoft Applications Security And The Internet
================================================
IMHO(In My Humble Opinion) Microsoft Office applications are not secure enough to use in any environment where email and documents are shared over the internet.
This continued virus threat is not ONLY an email or Outlook problem it extends to all Microsoft Office products, Microsoft's Internet Explorer as well as a lot of third party software for the Microsoft OS platforms.
This is not a new problem and Microsoft's answer has always been to grudgingly release quick fix patches instead of dealing with the failings in the design of the application framework.
Unrestricted Foreign Script And Executable Execution
====================================================
Microsoft continues to distribute applications that will execute embedded destructive scripts, macros and therefore trojans. Microsoft applications and operating systems do not even provide a restrictive environment in which a user can open, view and run untrusted documents. Any operating system can run executables, shell commands and other scripts but why is it that Windows 9X, 2000 and NT applications run scripts and executables embedded in email and Office documents at the click of a user's assent?
To make matters even worse Microsoft have made Visual basic (VBS) the default embedded scripting language within all its Office 2000 documents and templates. Microsoft have sold large organizations on the use of visual basic scripting and Active-X within their templates, documents and enterprise glue. Turning off Windows Scripting Host is not a viable option for users of the new active directory and remote administration services.
The Threat
==========
It is a LOT easier to create a Visual Basic or Jscript virus than to create a binary executable virus.
Any teenager with half a brain can now grab a copy of a trojan love, melissa or any number of new visual basic scripts. He can modify it by trial and error until it passes the virus scanners. Then embed the trojan in any type of Microsoft Office 2000 document. He can then attach the document to the email or have a URL to the document on a web/ftp server. All he has to do to ensure the spread of the worm is email them to known Microsoft Outlook email users or to any users with Windows Scripting Host enabled.
Not all of the attached trojans will be executed by the email recipients but enough will to ensure its spread.
Once the virus is executed it has unrestricted access to all files that the user has access to and all interfaces that Microsoft allows Visual Basic access to.
To infect other computers the loveletter type script requires the Microsoft MAPI mail interface. This is installed with Office Outlook and Outlook express. We must blame Microsoft for allowing Visual basic scripts access to this interface to send email without requiring a dialog/confirm from the user. This is how the "worm" spread so fast.
This love letter virus demonstrates how such security holes can become the biggest Denial of Service Attack threat to the whole internet.
The Failed Defence Strategies
=============================
Microsoft's attempts to keep its applications' vulnerabilities hidden behind a proprietary veil of secrecy have failed.
Not all companies and users apply the security patches that Microsoft release.
Human nature being as it is, relying on users to follow a strict protocol when dealing with incoming email or other Office documents via the internet is doomed to failure. Love letter from whom? The temptation to open the attachments is too great even for the most security conscious person. To quote Mark Twain "You can fool some of the people all of the time, and all of the people some of the time...". When presented with a dialog window with Yes/No buttons, a LOT of users click yes without even reading the dialog.
All attempts at providing retroactive firewall and Anti-virus defences against viruses, trojans and other backdoors have failed and IMHO will always be vulnerable to new and modified forms of attack. There is always a delay between the release of a new virus or trojan and the detection and clean up solution packaged and distributed by the Anti-Virus companies. Firewall proxy based defenses are useless if the email or http request is encrypted.
Just changing the client or server operating system to NT, win2000, MacOS, or even a Unix based OS will not overcome the lack of security in the client Microsoft Office suites. Any file that the user running the script or executable has write access to is at risk. Microsoft continue to change its application interfaces so that using another vendor's server products is increasingly difficult.
Relying on data backup to protect your documents is currently the best form of defence. However if a stealthy virus or trojan is not detected or does not "announce" its presence to the users and system administrators, then how do you know how many days/weeks of backup are required? What date do you restore from to get clean versions of the infected and damaged files? How much information and work has been lost when users change the documents in between backup and restore dates?
The Only Real Solution
======================
Where distributed agents or embedded scripting is desired then a suitable restricted mode must be provided that limits what destructive actions the execution of the embedded script/executable can perform in its environment. If an attachment/document cannot be opened safely then it should not be opened at all.
Peer Based Review
=================
The open source model may not be immune to attacks from determined crackers and vandals, but at least making the source code available forces programmers and other solution providers to take a proactive approach to system security. Putting the source code under peer review results in the fixing of the security holes in the design of the application as well as its source code.
Looking Elsewhere
=================
If you are worried about security of your files and information stored on your computers, then IMHO you should look to different applications and systems than those currently provided by Microsoft.
You should look to vendors and solutions that provide a proactive approach to security, instead of just relying on a third party retroactive antivirus defence.
Also look for vendors that work towards implementing and following standards. This ensures that it is easier to deal with other organisations not using the same vendor's product and that in the worst case scenario it is possible to switch to another vendor's product.
Afterword
=========
Modifying Asimov's first law of robotics - "Computer software should never cause the user to lose any of their documents or through inaction cause the loss of their documents"
I KNOW it is a Visual basic script attached to an email, but it is no different to having a script embedded within a document.
That any email programs allow you to execute VBS script at all is a failing, however
If you do not install or use Microsoft Office or the Microsoft web servers there is not much use in having Windows Scripting Host enabled.
The Windows Scripting Host engine is there not to service the operating system but to service the Microsoft applications and therefore should be considered as part of the Application side - Middleware not part of the operating system. Just like the gnome/kde application interfaces are not an internal part of the Unix operating system.
If you used Microsoft Office 2000 you will lose a LOT of features if you disable Windows Scripting Host. Those same features Microsoft sells as enterprise solutions to large organizations.
This DEMO VIRUS must bring into question the use of all Microsoft Office applications within any government department or vital business areas.
IMHO(In My Humble Opinion) Microsoft Office applications are not secure enough to use in any environment where email and documents are shared over the internet.
Microsoft continues to distribute applications that will execute embedded destructive scripts, macros and therefore trojans. Microsoft applications and operating systems do not even provide a restrictive environment in which a user can open, view and run untrusted documents.
To make matters even worse Microsoft have made Visual basic (VBS) the default embedded scripting language within all its Office 2000 documents and templates. Microsoft have sold large organizations on the use of visual basic scripting within their templates and documents. Turning off Windows Scripting Host is not a viable option for them.
Any teenager with half a brain can now grab a copy of a trojan love, melissa or any number of new visual basic scripts. He can modify it by trial and error until it passes the virus scanners. Then embed the trojan in any type of Microsoft Office 2000 document. All he has to do to ensure the spread of the worm is email them to known Microsoft Outlook email users.
To infect other computers the loveletter type script requires the Microsoft MAPI mail interface. This is installed with Office Outlook and Outlook express. We must blame Microsoft for allowing Visual basic scripts access to this interface to send email without requiring a dialog/confirm from the user. This is how the "worm" spread so fast.
Microsoft's attempts to keep its applications' vulnerabilities hidden behind a proprietary veil of secrecy have failed.
Human nature being as it is, relying on users to follow a strict protocol when dealing with incoming email or other documents via the internet is doomed to failure. Love letter from whom? The temptation to open the attachments is too great even for the most security conscious person.
All attempts at providing retroactive firewall and Anti-virus defences against viruses, trojans and other backdoors have failed and IMHO will always be vulnerable to new and modified forms of attack.
Just changing the client or server operating system to NT, win2000, MacOS, or even a Unix based OS will not overcome the lack of security in the client Microsoft Office suites.
If you are worried about security of your files and information stored on your computers, then IMHO you should look to different applications and systems than those currently provided by Microsoft. You should look to companies and solutions that provide a proactive approach to security, instead of just relying on a third party retroactive antivirus defence.
The open source unix model may not be immune to attacks from determined crackers and vandals, but at least making the source code available forces programmers and other solution providers to take a proactive approach to system security.
Give the script kiddies something new to put their talents to. Let them waste their time by fighting each other and make money from them at the same time.
Get them to design/customise totally autonomous quakebots so they can upload the bot source to servers/gyms which is then compiled and run to battle other robots.
Organise server providers into multilevel league pools with the top of the league possibly becoming professional ( WWF of cyber space ? )
Make money by selling advertising space inserted into the environments of resulting battles that can be displayed on quake like clients
Author Neal Stephenson perfectly described this situation in his novel CRYPTONOMICON about WWII enigma Ultra Magic intelligence cheats.
quoted but uncapped "no action is to be taken on information herein reported , regardless of temporary advantage, if such action might have the effect of revealing the existence of the source to the enemy"
"If the Nips keep getting ambushed -- if they keep finding their own ambushes spoiled -- if their merchant ships happen to cross paths with American subs more often than pure probability would suggest -- how long until they figure it out?"
(Without the allies cheating would they have lost WWII ? )
A lot more people are aware of this than you would think...
http://www.google.com/search?q=Microsoft+monopoly+triple+damages+intellectual+property
Microsoft, who says all that is GPL is evil, ships GPL licensed GCC with their own Interix Unix to NT porting toolset.
http://www.microsoft.com/WINDOWS2000/interix/
Does this mean you cannot make use of interix to develop for this and other similarly licensed MS code?
More importantly does Microsoft provide the customers with a copy of the Microsoft modified source code for the above and any other GPLed products?
No, destructive, constructive, it's all in the files corrupted in the folder.
The use of a destructive computer virus to promote any sort of message is unforgivable.
Especially when another type of non-computer constructive "virus" will perform the task ( see http://www.lucifer.com/virus/alt.memetics/ )
http://www.linuxworld.com/linuxworld/lw-2000-09/lw-09-expo00-meme.html
Quick Summary
m l .
You DON'T have to use/trust the vendors digital certificates,
you can resign all the applications used within your organization
using an administrators signature and certificate.
Organizations need this functionally to defend themselves against
viruses, worms and hostile users.
ONLY open source offers any real protection against trojan and badly
implemented programs.
Once organizations become used to the idea of requiring their
operating environment to be secure, then it will be easy to convince
them that Opensource products provide a more secure solution.
Long summary
All I know about the possible implementation of Whistler's
"block all unsigned apps" security mode is only gleaned from articles
such as the one on "The Register"
http://www.theregister.co.uk/content/1/14592.ht
Even Microsoft's VP for IT infrastructure and hosting - Jim Ewel is somewhat
vague on the subject.
( Someone from Microsoft just may have been reading my usenet
posts in alt.comp.virus on digital signatures in document
embedded scripts )
For a couple of companies I work for, the paragraph in the above article
that ends with
"... set up your own internal certificate authority that would allow internal
machines to trust anything bearing that certificate.",
raised a few eyebrows. It means you DON'T have to use/trust the vendors
digital certificates, you can resign all the applications used within your
organization using an administrators signature and certificate.
Microsoft users are currently betting their security on the existing
antivirus industry. The problem for them is that they are losing - time,
money, files and vital documentation.
There is an close to infinite number of ways that a virus can cloak
itself, there are existing viruses that are polymorphic and new
viruses/worms are appearing that update themselves over the net to cloak
themselves with new skins. The anti-virus industry's scanning based strategy
is failing. Also most organizations are now very vulnerable to hostile users.
The "block all unsigned apps" security model provides the only solution
to the hostile virus and user problem. It is up to each organization
to balance this against the cost to the user of not being able to
individually install applications, scripts or non-applet scripted documents
without going though an approval process.
Setting policies and signing each executable and scripts will be an ongoing
task for an administrator, this will not end up as an easy set and forget
option.
It will also create a demand for truly secure, restrictive applet-like,
scripting systems. The administrator could, via a policy mechanism, grant and
deny access to files, directories and interfaces for individual
script files and scripted documents. The owner-user would be free to change
the content of the script without having to get the administrator to
resign the script each time.
The big advantage of opensource is that any program/script could be a trojan
horse or just be full of exploitable security holes. You either have to
blindly trust the supplying vendor or ONLY use Opensource applications
that can be positively vetted by trusted third parties.
The OpenBSD distribution is the best example of a positively vetted
opensource product. If there is an increased demand for secure
environments and applications then the Opensource distribution providers
are in a far better position to supply secure "Trustworthy" products.
This functionality is something the Opensource community should be
embracing - not flaming, as it offers a clear path for the near
universal adoption of Opensource's development model.
Behind Winston's back the voice of the telescreen was still babbling away about the pig-iron and the overfullment of the Ninth Three year plan. The Telescreen recieved and transmitted simultaneously. Any sound that Winston made, above the level of a very low wisper, would be picked up it, moreover, so long as he remained within the field of vision which the the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you where being watched at any given moment. How often, or on what system, the Thought Police plugged in ony any individual wire was guesswork. It was even conceivable that they watched acerybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live - did live, from the habit that became instinct - in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.
This article is in the public domain - republish at will.
=
= ====
...". When presented with a dialog
Version 2.4 "To Err is Human"
Microsoft Applications Security And The Internet
===============================================
IMHO(In My Humble Opinion) Microsoft Office applications are not secure
enough to use in any environment where email and documents are shared over
the internet.
This continued virus threat is not ONLY an email or Outlook problem
it extends to all Microsoft Office products, Microsofts internet
explorer as well as a lot of third party software for the Microsoft
OS platforms.
This is not a new problem and Microsoft answer has always been to
grudgingly release quick fix patches instead of dealing with the
failings in the design of the application framework.
Unrestricted Foreign Script And Executable Execution
===============================================
Microsoft continues to distribute applications that will execute embedded
destructive scripts, macros and therefore trojans. Microsoft applications
and operating systems do not even provide a restrictive environment in which
a user can open,view and run untrusted documents. Any operating system can
run executables,shell commands and other scripts but why is it that Windows
9X, 2000 and NT applications run scripts and executables embedded in email
and Office documents at the click of a users assent.
To make matters even worse Microsoft have made Visual basic (VBS) the
default embedded scripting language within all its Office 2000 documents
and templates. Microsoft have sold large organizations on the use of visual
basic scripting and Active-X within their templates,documents and
enterprise glue. Turning off Windows Scripting Host is not a viable option
for users of the new active directory and remote adminstration services.
The Threat
==========
It is a LOT easier to create a Visual Basic or Jscript virus than
to create a binary executable virus.
Any teenager with half a brain can now grab a copy of a trojan love,
melissa or any number of new visual basic scripts. He can modifiy it by
trial and error until it passes the virus scanners. Then embed the trojan
in any type of Microsoft Office 2000 document. He can then attach
the document to the email or have a URL to the document on a web/ftp server.
All he has to do to ensure the spread of the worm is email them to known
Microsoft Outlook email users or to any users with Windows Scripting
Host enabled.
Not all of the attached trojans will be executed by the email recipants but
enough will to ensure its spread.
Once the virus is executed it has unrestricted access to all files that the
user has access to and all interfaces that the Microsoft allows Visual
Basic access to.
To infect other computers the loveletter type script requires the Microsoft
MAPI mail interface. This is installed with Office Outlook and Outlook
express. We must blame Microsoft for allowing Visual basic scripts access
to this interface to send email without requiring a dialog/confirm from the
user. This is how the "worm" spread so fast.
This love letter virus demonstrates how such security holes can become the
biggest Denial of Service Attack threat to the whole internet.
The Failed Defence Strategies
=============================
Microsofts attempts to keep its applications vulnerabilities hidden behind
a proprietary veil of secrecy has failed.
Not all companies and users apply the security patches that Microsoft
release.
Human nature being as it is, relying on users to follow a strict protocol
when dealing with incoming email or other Office documents via the internet
is doomed to failure. Love letter from whom? The temptation to open the
attachments is too great even for the most security conscious person.
To quote Mark Twain "You can fool some of the people all of the time,
and all of the people some of the time
window with Yes/No buttons, a LOT of users click yes without even reading
the dialog.
All attempts at providing retroactive firewall and Anti-virus defences
against viruses,trojans and other backdoors have failed and IMHO will
allways be vulnerable to new and modified forms of attack. There is always
a delay between the release of a new virus or trojan and the detection
and clean up solution packaged and distributed by the Anti-Virus companies.
Firewall proxy based defenses are useless if the email or http request
is encrypted.
Just changing the client or server operating system to NT, win2000, MacOS,
or even a Unix based OS will not overcome the lack of security in the
client Microsoft Office suites. Any file that the user running the
script or executable has write access to is at risk. Microsoft continue
to change ita application interfaces so that using another vendors
server products is increasing difficult.
Relying on data backup to protect your documents is currently the best form
of defence. However if a stealthy virus or trojan is not detected or does
not "announce" its presence to the users and system administrators, then
how do you know how many days/weeks of backup are required?
What date do you restore from to get clean versions of the infected
and damaged files? How much information and work has been lost when
users change the documents in between backup and restore dates?
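The restore-date questions above can only be answered file by file, and only
once a detection signature exists. The following is an added example, not part
of the original article: the backup generations, file names, dates and the
signature marker are all constructed for illustration.

```python
SIGNATURE = b"CONSTRUCTED-MARKER"   # constructed stand-in for a scanner signature

# Constructed backup generations, oldest first: (date, {path: file bytes}).
GENERATIONS = [
    ("2000-05-01", {"plan.doc": b"draft 1", "logo.jpg": b"JPEGDATA"}),
    ("2000-05-02", {"plan.doc": b"draft 2", "logo.jpg": b"JPEGDATA"}),
    ("2000-05-03", {"plan.doc": b"draft 2", "logo.jpg": b"CONSTRUCTED-MARKER x"}),
    ("2000-05-04", {"plan.doc": b"draft 3", "logo.jpg": b"CONSTRUCTED-MARKER x"}),
    ("2000-05-05", {"plan.doc": b"CONSTRUCTED-MARKER y",
                    "logo.jpg": b"CONSTRUCTED-MARKER x"}),
]

def restore_plan(generations, signature):
    """Per path: (date of newest clean copy or None, damaged generations after it)."""
    plan = {}
    for path in sorted({p for _, files in generations for p in files}):
        clean_date, damaged_after = None, 0
        for date, files in reversed(generations):      # walk newest to oldest
            data = files.get(path)
            if data is None:                           # file absent in this generation
                continue
            if signature in data:
                damaged_after += 1                     # this copy is already damaged
            else:
                clean_date = date                      # newest copy the scan passes
                break
        plan[path] = (clean_date, damaged_after)
    return plan

def retention_needed(plan, generations):
    """How many generations must still exist to reach every file's clean copy."""
    dates = [d for d, _ in generations]
    oldest = min((dates.index(d) for d, _ in plan.values() if d is not None),
                 default=0)                            # no clean copy: keep everything
    return len(dates) - oldest

if __name__ == "__main__":
    plan = restore_plan(GENERATIONS, SIGNATURE)
    print(plan, retention_needed(plan, GENERATIONS))
```

Each file gets its own restore date, and the retention period is set by the
file that was damaged first, which is exactly what a stealthy infection hides.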
The Only Real Solution
======================
Where distributed agents or embedded scripting is desired then a suitable
restricted mode must be provided that limits what destructive actions
the execution of the embedded script/executable can perform in its
environment. If an attachment/document cannot be opened safely then
it should not be opened at all.
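One way to apply "if it cannot be opened safely, do not open it" to mail
attachments is a default-deny check. This is an added example, not code from
the original article; the allow-list, the function names and the sample
message are constructed for illustration.

```python
from email import message_from_string
from pathlib import PurePosixPath

# Inert types a viewer can render without executing anything: extension -> MIME type.
SAFE_TYPES = {".txt": "text/plain", ".png": "image/png", ".jpg": "image/jpeg"}

# Constructed sample message with three attachments.
SAMPLE = """\
From: a@example.org
To: b@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

placeholder
--BOUND
Content-Type: text/plain; name="greeting.txt.vbs"
Content-Disposition: attachment; filename="greeting.txt.vbs"

placeholder
--BOUND
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"

placeholder
--BOUND--
"""

def verdict(filename, mime_type):
    """Return 'open' only for a provably inert attachment; everything else is refused."""
    suffixes = [s.lower() for s in PurePosixPath(filename or "").suffixes]
    if len(suffixes) != 1:                        # no extension, or a double one
        return "refuse"
    if SAFE_TYPES.get(suffixes[0]) != mime_type:  # unknown type, or label mismatch
        return "refuse"
    return "open"

def triage(raw_message):
    """Map every named attachment in the message to its verdict."""
    msg = message_from_string(raw_message)
    return {part.get_filename(): verdict(part.get_filename(), part.get_content_type())
            for part in msg.walk() if part.get_filename() is not None}
```

The check fails closed: a document format that can carry macros is refused
simply because it is not on the allow-list, not because a scanner recognised it.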
Peer Based Review
=================
The open source model may not be immune to attacks from determined
crackers and vandals, but at least making the source code available forces
programmers and other solution providers to take a proactive approach to
system security. Putting the source code under peer review results in
the fixing of the security holes in the design of the application
as well as its source code.
Looking Elsewhere
=================
If you are worried about security of your files and information stored on
your computers, then IMHO you should look to different applications and
systems than those currently provided by Microsoft.
You should look to vendors and solutions that provide a proactive approach
to security, instead of just relying on a third party retroactive antivirus
defence.
Also look for vendors that work towards implementing and following
standards. This ensures that it is easier to deal with other organisations
not using the same vendor's product and that in the worst case scenario it
is possible to switch to another vendor's product.
Afterword
=========
Modifying Asimov's first law of robotics -
"Computer software should never cause the user to lose any of their
documents or through inaction cause the loss of their documents"
I KNOW it is a Visual Basic script attached to an email, but it is no different to having a script embedded within a document.
That any email programs allow you to execute VBS script at all is a failing, however
If you do not install or use Microsoft Office or the Microsoft web servers there is not much use in having Windows Scripting Host enabled.
The Windows Scripting Host engine is there not to service the operating system but to service the
Microsoft applications and therefore should be considered as part of the Application side - Middleware not part of the operating system.
Just like the gnome/kde application interfaces are not an internal part of the Unix operating system.
If you used Microsoft Office 2000 you will lose a LOT of features if you disable Windows Scripting Host. Those same features Microsoft sells as enterprise solutions to large organizations.
This DEMO VIRUS must bring into question the use of all Microsoft Office applications
within any government department or vital business areas.
IMHO (In My Humble Opinion) Microsoft Office applications are not secure
enough to use in any environment where email and documents are shared
over the internet.
Microsoft continues to distribute applications that will execute embedded
destructive scripts, macros and therefore trojans. Microsoft applications
and operating systems do not even provide a restrictive environment in
which a user can open, view and run untrusted documents.
To make matters even worse Microsoft have made Visual Basic (VBS) the
default embedded scripting language within all its Office 2000 documents
and templates. Microsoft have sold large organizations on the use of Visual
Basic scripting within their templates and documents.
Turning off Windows Scripting Host is not a viable option for them.
Any teenager with half a brain can now grab a copy of a trojan love, melissa
or any number of new Visual Basic scripts. He can modify it by trial and
error until it passes the virus scanners. Then embed the trojan in any
type of Microsoft Office 2000 document. All he has to do to ensure the
spread of the worm is email them to known Microsoft Outlook email users.
To infect other computers the loveletter type script requires the Microsoft
MAPI mail interface. This is installed with Office Outlook and Outlook
Express. We must blame Microsoft for allowing Visual Basic scripts access
to this interface to send email without requiring a dialog/confirm
from the user. This is how the "worm" spread so fast.
Microsoft's attempts to keep its applications' vulnerabilities hidden
behind a proprietary veil of secrecy have failed.
Human nature being as it is, relying on users to follow a strict protocol
when dealing with incoming email or other documents via the internet is
doomed to failure. Love letter from whom? The temptation to open the
attachments is too great even for the most security conscious person.
All attempts at providing retroactive firewall and Anti-virus defences
against viruses, trojans and other backdoors have failed and IMHO will always
be vulnerable to new and modified forms of attack.
Just changing the client or server operating system to NT, win2000,
MacOS, or even a Unix based OS will not overcome the lack of security in
the client Microsoft Office suites.
If you are worried about security of your files and information stored
on your computers, then IMHO you should look to different applications and
systems than those currently provided by Microsoft.
You should look to companies and solutions that provide a proactive approach to
security, instead of just relying on a third party retroactive antivirus
defence.
The open source unix model may not be immune to attacks from determined
crackers and vandals, but at least making the source code available
forces programmers and other solution providers to take a proactive
approach to system security.
Give the script kiddies something new to put their talents to. Let them waste their time by fighting
each other and make money from them at the same time.
Get them to design/customise totally autonomous quakebots so they can upload the bot source to
servers/gyms which is then compiled and run to battle other robots.
Organise server providers into multilevel leagues pools with the top of the league possibly becoming professional ( WWF of cyber space ? )
Make money by selling advertising space inserted into the environments of resulting battles that can be displayed on quake like clients
Author Neal Stephenson perfectly described this situation in his novel CRYPTONOMICON about WWII Enigma Ultra Magic intelligence cheats.
quoted but uncapped
"no action is to be taken on information herein reported, regardless of temporary advantage, if such action might have the effect of revealing the existence of the source to the enemy"
"If the Nips keep getting ambushed -- if they keep finding their own ambushes spoiled -- if their merchant ships happen to cross paths with American subs more often than pure probability would suggest -- how long until they figure it out?"
(Without the allies cheating would they have lost WWII ? )