let's torture and kill virus writers

[ddm at mclinux.com (Derek Martin)]

On Thu, 4 May 2000, David Roberts wrote:

> Haven't played with M$ mail for a long time (ignorance is bliss, at
> times), so here comes a stupid question...  Why don't the Admins turn
> off this "feature", or hasn't M$ given them the ability to do so?  It
> is an obvious security breach - make the user click on something,
> *anything*, before running ("previewing") any attachments!

I think it's partially a matter of education and partially one of time.
For example, here, we are a mostly linux environment, and neither Paul nor
I have much experience with Outlook.  We wouldn't know to look for it,
because it doesn't make sense that there should be such a feature.

But, even if you did know, every time you set up a PC you have to go in
and make sure its disabled.  Many people just aren't that dilligent,
especially since the average IT person has way more than enough to do
without having to worry about so-called "small issues" such as this one.

I think it boils down to people in general are not security
paranoid nearly enough.  Most people just think "it won't happen to me" or
they simply don't know anything about securing a computer system, and
haven't had any reason to consider it.  People are simply victims of their
own ignorance and naivete.  You can't know everything, and no one should
be expected to.

There is another puzzle, and if you can solve it you will eliminate this
problem entirely. 

 The majority of the latest rash of viruses exploit weaknesses in MS
Office and related products.  The answer to plugging up this hole is to
get people to STOP USING OFFICE.  Who the hell needs a 1.7MB word
attachment that boils down to a 20k ASCII text file anyway?  

So the puzzle is this: Why do management types insist that they need to do
this?  They'll save money on disk space and administration time by getting
rid of this stuff.  It takes one sentence to ask a business associate
"Please send ASCII text documents, no MS Word attachments."  But no one
will listen to this argument.  I've made this point to people in the past
and they either seem to think I'm joking, or they just ignore me entirely.

Moreover, why do people choose to hire "IT experts" and then not listen to
them?  

I just don't understand people I guess --  evidently I think differently
from the entire rest of the world...

-- 
Derek Martin
System Administrator
Mission Critical Linux
martin at MissionCriticalLinux.com 

Today's mantra is "ASCII text"
Chant it with me now.  "ASCII text.... ASCII text.... ASCII text..."

-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).