Slashdot Mirror


User: kaphka

kaphka's activity in the archive.

Stories
0
Comments
475

Comments · 475

  1. Re:Next Version on New, More Destructive Love Bug Variant · · Score: 1

    It would have been nice if you'd read some of the comments that I'd referred to before parroting my post. If you had, you'd see that I covered that very web page. It has nothing to do with ILOVEYOU. When Outlook executes embedded code, it executes it with restrictions, just like when a web browser executes Javascript. Barring bugs, it is not possible to run malicious code on someone else's machine by sending him an Outlook email.

  2. Re:Next Version on New, More Destructive Love Bug Variant · · Score: 2
    Based on what I've heard, that doesn't really matter. I've heard that Outlook will automagically load the .vbs file, spreading the virus before the user ever sees it.
    You've heard wrong. Unfortunately, misinformation about this issue has been spreading far too quickly to be contained by the few level-headed folks who've tried.

    I won't rehash the arguments here, since I'm a little sick of typing them, but check my posting history if you're interested.
  3. Re:virus vaccine on New, More Destructive Love Bug Variant · · Score: 2
    could someone please alter this virus so that its payload turns off the registry setting that allows it to propagate
    Would a virus that prevents users from running any programs really be an improvement?
  4. Just goes to show you... on New, More Destructive Love Bug Variant · · Score: 2

    (I hope somebody reads this, I'm posting it too late...)

    Everyone from the clueless media to Slashdot's "experts" have been warning people about how bad Outlook's "security" is, and how anyone can send you an email that will make your computer explode. I've been one of the few people struggling to point out that ILOVEYOU was a trojan, not a virus; it cannot run when you read an email, it can only run if you launch the executable attachment.

    But the media has been telling everyone to "delete any email with X/Y/Z in the subject line before even opening it!" Whenever I complain that that's not necessary, the response is, "Better safe than sorry."

    Well, spreading false information in the name of "better safe than sorry" is almost never safe. That advice is useless against this new program. On the other hand, if folks had spent the past two weeks telling people that protecting against trojans is the user's responsibility, not Outlook's, then this new variant would be a non-issue.

    Granted, the false information on Slashdot has probably had less of an impact on the public's misunderstanding of the issue than the false information being spread by CNN, NBC, etc. But considering that Slashdot is (by and large) a community of experts in the field, I think we should be providing some sane leadership, instead of helping the hysteria along.

  5. Re:Nice smokescreen on Our Attorney's Response To Microsoft · · Score: 2
    Unfortunately, none of those questions have anything to do with the matter at hand.
    That was my first thought too. IANAL, and so I'm wary about criticising someone who IAL, but the letter looked kind of amateurish to me.

    What I really don't get is why Slashdot didn't just assert what would clearly be their best defense: "We're a common carrier. Go away." Isn't that pretty much it?
  6. Re:Machines Don't Have Human Intentions on Online Book About Nano/AI · · Score: 4
    Maybe intelligence will emerge, but if it will, it'll emerge out of what the systems have been programmed to do
    What they've been programmed to do, huh? Like, say, to carry five astronauts to Jupiter to investigate an alien artifact, while keeping the details of the mission secret, and completing the mission autonomously if the crew becomes incapacitated?
  7. Re:Well, the guys over at NTbugtraq aren't impress on Microsoft Develops Security-Path for Outlook · · Score: 2
    "Restricted Zone" uses the "High" level of security, which leaves "Script ActiveX controls marked safe for scripting" and "Active Scripting" enabled.
    Yikes... You're entirely right. I just checked again, more carefully this time, and I discovered a nasty Outlook bug: When I hit "Default Level" for Restricted Zone, the setting changed to "High". Then I hit "Custom" to see what had changed... but I realize now that it showed me my old settings, not the new "High" settings. Grumble.

    Anyway, I still think it's moot. Barring bugs, it would be impossible to do anything malicious in an email that is being read with those settings. That's the whole point of restricting scripts. And, again, ILOVEYOU would not work as an embedded script using any default security settings.

    kaphka sez: it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)

    Hm. How would it propagate itself?
    Technically I said it would run just as well under Pine. :-) But it could still propagate, if the user has any email addresses in their Windows address book (or whatever they call it.)

    Sure, that's an outlandish scenario. But it still has nothing to do with Outlook. ILOVEYOU could easily be rewritten to pull addresses from Netscape's address book, or Eudora's, or Pine for Windows', etc. Outlook is only targeted because it's so common.
  8. Re:Are you absolutely sure? on Microsoft Develops Security-Path for Outlook · · Score: 2

    That chart that you linked to is interesting; I didn't even realize that Outlook 2000 disabled scripting regardless of your settings.

    But that's beside the point. VBScript is just a language... a language can't be inherently "secure" or "insecure". I'm sure (at least I hope) that you can write a Java program that will delete everything on your hard drive, or arrange for itself to be run on startup; however, that Java program (again, I'm hoping) will not run in a web page. It's the environment that matters.

    Having said that... Yes, some versions of Outlook execute embedded VBScript and Javascript by default. So do web browsers. Is Netscape inherently insecure because it executes Javascript? It's the exact same thing.

    Once you run an email attachment, you're in a different environment, and the rules are different... that's how ILOVEYOU did damage. But that has nothing to do with scripting. ILOVEYOU could easily have been written in Javascript, and in principle, it could also have been a binary, or a batch file, or a Tcl script, or anything. That is what I'm referring to when I say that Outlook (any version of Outlook) does not execute scripts automatically.

    And once again, none of this has any bearing on ILOVEYOU... ILOVEYOU would not have run as an embedded script, period. It relies on the ignorance of the users, who download the program and run it on their own.

  9. Re:Intelligent semiotics on What AI Elements Could Improve the Web? · · Score: 2
    Excellent points, but I think this bit is a little misleading:
    The GOFAI idea that human cognition is a matter of disembodied symbol processing is dead, and good riddance.
    For one thing, even if that idea (which is basically the strong symbol system hypothesis) is dead, that doesn't have any impact on the feasibility of GOFAI. Just because humans aren't symbol systems (for the sake of argument), that doesn't mean that symbol systems can't be as "intelligent" as humans.

    As a matter of fact, I think that most of AI's practical successes have been entirely GOFAI. Take Cyc, for example. (Incidentally, "Cycorp" has got to be the coolest name for a company that I've ever heard, especially considering that their business is actually as creepy as their name.)

    Actually, now that I read your post more closely, I don't think we're disagreeing... With today's technology, most useful AI projects are best implemented using GOFAI, or at least a solid GOFAI foundation. It's just a question of politics, whether you consider GOFAI a kludge or a genuine model for AI.
  10. Re:Well, the guys over at NTbugtraq aren't impress on Microsoft Develops Security-Path for Outlook · · Score: 3
    DON'T RUN EMBEDDED PROGRAMS AUTOMATICALLY
    Outlook does not run embedded programs automatically.

    *thud*

    Outlook does not run embedded programs automatically.

    *thud*

    Outlook does not run embedded programs automatically.

    *thud*

    I know I take this too personally, but the rampant ignorance about this issue, among such otherwise intelligent folks, is really depressing.

    To clarify: The ILOVEYOU trojan exists as an inert attachment. It will not run when you read the email; it will only run if you then launch the executable attachment. Yes, there are ways to run safe code automatically in Outlook, and yes, there have been bugs that allow you to run unsafe code automatically in Outlook, but none of that is involved here.
  11. Re:No AI on the desktop. on What AI Elements Could Improve the Web? · · Score: 2
    But what if your desktop KNEW that you downloaded updates from site ABC and put them in dir /home/me? It could make it easier to put them there, instead of always having to scroll/click around to find the same damn directory over and over again.
    I dunno, maybe I'm a curmudgeon, but I think even that is pushing it. Presumably that would mean that every time I see a "Save As..." dialog, the AI would pick a default directory to display. That would still mean that I'd have no idea what directory I will see when I'm saving any particular file.

    There's only one way I could see something like this working:

    1) If the AI sees that I'm doing something repetitively, it asks me if I want it to do it for me in the future. But...

    2) It must be done in a non-magical way. So, to continue your example, there would have to be a "rule file" somewhere that says "abc.com:/home/me slashdot.org:/home/me/important_stuff etc.," which could be edited using conventional tools. In other words, the AI shouldn't do anything that can't be done manually.
  12. No AI on the desktop. on What AI Elements Could Improve the Web? · · Score: 4

    "UI AI" is, IMHO, an ill-conceived idea that has had way too much work done on it in the past decade. The problem is very simple: if I spend a few minutes (or hours, or days) learning a new interface, I want it to stay the same! I don't care if I never run "Backup", or if I visit Slashdot so much that it may as well be my home page... I don't want those settings changing unless I tell them to.

    MS Office is a notorious example of this. In the newer versions, if you don't use a menu item frequently, it vanishes, so users aren't "confused" by too many options. I used to work tech support, and believe me, having your menus change for no reason is far more confusing than having "too many options"... and it is frustrating to new users and experienced users alike.

  13. Re:Well, the guys over at NTbugtraq aren't impress on Microsoft Develops Security-Path for Outlook · · Score: 2

    Grrrr... I think I'm going to have to stop reading Microsoft-related discussions on Slashdot, before I injure myself from banging my head against the wall so much.

    The ILOVEYOU "virus" was a trojan horse. As Microsoft has tried to explain to the public for years now, trojan horses cannot be prevented as long as users run untrusted code on their systems. (I'd be happy to hear any ideas, but I don't think it's possible.) But all the computer pundits kept spreading FUD and demanding a solution, so Microsoft implemented the only solution possible: prevent users from getting access to untrusted code in the first place. Kinda like banning cars because people won't fasten their seatbelts.

    Anyway... Ahem... I was planning to not rant about that, but I ended up going on for quite a bit. What I really wanted to point out was a small factual correction... actually two. First, I don't know how you have your Outlook configured, but by default, "Restricted Zone" does disable all scripting. Second, despite the "press release" quoted, Outlook's current default security zone is "Internet", not "Trusted". ("Internet" is the default zone for browsing web pages.) I don't know if this was a MS typo or your typo. (By "your" I mean the author of the article that Xemu lifted.)

    Changing the security zone defaults is a good idea. But, as few people seem to understand, it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)

  14. Re:Conspiracy theories? on No More Unreal Ports For Linux? · · Score: 1
    Where on this Earth did you get that from? Have you been watching too many "X-Files" shows?
    Now, don't get silly. The basis of the government's case (at least part of it) is that, in their opinion, a web browser cannot be part of an OS. Microsoft disagrees. For the DOJ to win their case, the judge would have to decree that MS's definition of "OS" is wrong, and the DOJ's is right. In other words, the DOJ will have decided what is and isn't part of an OS.

    (I'm glossing over the legal issues, partly because they're complicated and partly because I don't know them all, but please accept my rough interpretation of the case.)
  15. Re:Calm down on No More Unreal Ports For Linux? · · Score: 1
    The difference is that IE is "tied" into the operating system.
    Ironically, that's exactly the opposite of the argument that the DOJ is making. If IE can be separated from the OS, then MS is "bundling", which is illegally anti-competitive. If it can't be separated, then MS is okay. That's partly why MS has tried so hard to integrate the two, and why all of the anti-MS pundits have been emphasizing how easy it is to remove IE.

    It's a perfect example of my point: Do we want to give the government the power to determine how software is designed, when they've created situations like this one above?
  16. The DVD FAQ on Pioneer Introduces 1st DVD Recorder (In Japan) · · Score: 2

    I don't mean to be a karma whore, but I happened to be looking into this very issue last night, and I found a whole lot of information in the DVD FAQ. In particular, this section gives details on all the various writeable DVD formats.

    Personally, I'm trying to decide whether to archive all my videotapes on VideoCD now, or wait for some kind of recordable DVD format. (Quality isn't an issue for these tapes; if it was, I'd just buy them on DVD.) My main problem with VideoCD is the 74 minute capacity, which is just enough to almost, but not quite, fit an entire movie...

  17. Re:Calm down on No More Unreal Ports For Linux? · · Score: 2
    Breaking up Microsoft into one OS vendor and one Applications company won't prevent Microsoft from adding stuff like TCP/IP or DirectX to its OS!
    Okay, what about a text editor? How about telnet? Lynx (or an equivalent)? What about a real browser, like IE?

    Slashdot readers probably have some reasoned opinions on which of the above can be considered "OS features", and which can't. But the problem is, if Janet Reno and Co. get their way, programmers won't have the power to make that decision anymore -- the government will. And once you give the government a sweeping power like that, they'll never give it up, not even when Microsoft and Windows are long gone. That's a fundamental law of nature.
  18. Re:Public Paranoia on Los Alamos Lab: We're OK, You're OK · · Score: 3

    Not only is France almost completely nuclear powered, but they generate far less nuclear waste than the U.S. does. That's because they "recycle" the waste in breeder reactors. (I think that's what they're called.) In the U.S., however, we're terrified by the prospect that terrorists/rogue dictators/religious fundamentalists/Slashdotters will get a hold of the weapons-grade nuclear material that is produced as a side effect of the "recycling" process... so we just bury our nuclear waste, and let our descendants figure it out.

    At least, that's how I heard it.

  19. Re:Gun Registration? on Gun Sales Halted By FBI Computer Glitch · · Score: 2

    Anybody remember Red Dawn, one of the best cold war paranoia movies of all time?

    As soon as the commies take over Patrick Swayze's home town, they look up the local gun registration records, and use them to track down all of the gun owners. They get a chuckle out of how easy it was, thanks to the U.S.'s own bureaucracy. I don't know if it actually would be that easy, but it's food for thought.

  20. Lazy question on Cisco's IP Phones - Seven Digits And Cat5 · · Score: 5

    I should just try this out myself, but I'll let you guys do the work instead...

    When I last tried voice over IP (about four years ago), the biggest problem that I could see was the latency. The one or two second delay completely destroyed my precise comic timing, which is the only thing preventing people from seeing me as the evil, heartless bastard that I am.

    Is it any better today? The latency, I mean?

  21. It's a shame on i820 Chipset Under Recall · · Score: 3

    It's good to see that Intel is finally handling this issue. It's too bad they didn't announce this a few weeks ago, before I snapped my cc820 in half and mounted it on my wall, to serve as a constant reminder to avoid Intel products at all costs.

    (And you think I'm kidding...)

  22. Re:Excellent point on Arrest In The ILOVEYOU Case · · Score: 2
    My point was that, even if you wanted to, Elm and Pine cannot execute this code. And even then it would show the full filename and not chop off the final extension.
    The extension-hiding is an interesting point, I hadn't thought of that. (I turn that off, of course.) But Outlook still warns you that you're launching an executable.

    A lot of people are complaining that Outlook just makes it too easy to launch executable attachments. It may be true that ILOVEYOU wouldn't have spread as much if users had to save the attachment to a file, then run it from the shell... but isn't it better to handle it directly? That would be kind of like requiring an obscure key combination to close a document without saving it. Instead of making it hard for users to do something that might be bad, why not make it easy, but explicitly warn them of the danger?

    When you get down to it, it's still a matter of education. We wouldn't have this problem if users knew the difference between code and data, and what it means to execute code. But then, a lot of folks have an interest in obscuring this sort of thing. (I.e. computer security companies.)
  23. Re:Excellent point on Arrest In The ILOVEYOU Case · · Score: 2
    in preview mode, a word document could have run automatically.
    I've heard a lot about this "preview mode", but I haven't been able to figure out what it is. I just tried several tests with Word documents containing macros, and I wasn't able to get the macros to run in Outlook, even after setting the security to considerably weaker than the defaults. If I'm missing something, please let me know.
    it's very easy to write code that will automatically execute embedded code.
    I explained this. It is very easy to execute embedded code (assuming that the user hasn't just disabled it, like I have,) but that code is JScript or VBScript, which by its nature will not allow the code to do bad things. Again, it's just like visiting a web page that has javascript on it.
    activex with the settings that microsoft wants you to have can also run system code!
    "Settings that microsoft wants you to have?" I don't know what MS "wants", but both IE and Outlook will give a stern warning message before installing an ActiveX component, by default.
  24. Re:Excellent point on Arrest In The ILOVEYOU Case · · Score: 2
    Pine and Elm don't execute random code.
    Thank you for illustrating my point about the public's ignorance. Outlook does not execute random code either. Outlook sees the ILOVEYOU trojan as a data attachment, just like a jpeg file. The code only executes if the user double-clicks on it to run it, and ignores a warning message about running untrusted code.

    Now, a few big caveats: Technically, Outlook does run random code, but only random VBScript/JScript. VBScript and JScript are both designed with security in mind. The ILOVEYOU trojan could not have run as an embedded script in an email message. Do you browse the web with Javascript turned on? If so, your browser is "executing random code" too.

    Caveat two: Yes, Outlook has had a few notorious bugs in its scripting security. A lot of programs have security bugs, even UN*X programs. Does Outlook have too many? Maybe, or maybe they're just more obvious, because more people use Outlook. Is Outlook more susceptible to bugs, because it tries to do too much? Quite possibly. But if that bothers you, just set your email security zone to "restricted" (which disables scripts in email, among other things.)

    Caveat three: Win9x doesn't have any intra-system security, so any malicious code can do more damage on a Win9x machine than it could on a UN*X machine. But Win9x isn't supposed to have that sort of protection. If you need it, you can always run Windows 2000 (which, like UN*X systems, would not allow one user's carelessness to affect anyone else.)

    But, again, none of these caveats has any bearing on ILOVEYOU, which would work just as well on any mail program that can handle attachments.
  25. Re:Whatever sounds scary on On Usage of "Hacker vs. Cracker" · · Score: 1
    Anything to make the headline scarier to grab more attention.
    Reminds me of something (off topic)... The term "statutory rape" has always bugged me, and others, because "statutory rape," by definition, involves consensual sex. (If it weren't consensual, it would just be "rape.") Apparently, the media have noticed this contradiction, so they've started to avoid using the term. Did they switch to a more accurate term, like "sex with a minor"? Nope. Now they call it "child rape."