
   RE: [xml-dev] Painful USA Today article (was RE: [xml-dev] ANN: RESTTuto

  • To: "Anderson, John" <John@Barbadosoft.com>,"Joe English" <jenglish@flightlab.com>
  • Subject: RE: [xml-dev] Painful USA Today article (was RE: [xml-dev] ANN: RESTTutorial)
  • From: "Joshua Allen" <joshuaa@microsoft.com>
  • Date: Fri, 24 May 2002 12:13:23 -0700
  • Cc: <xml-dev@lists.xml.org>
  • Thread-index: AcIDKgtBDi0rsf5lSZS2AcHA62Y1ggAKR7HQ
  • Thread-topic: [xml-dev] Painful USA Today article (was RE: [xml-dev] ANN: RESTTutorial)

>Maybe it was relevant 10 years ago when "Is it plugged in?" was a 
>reasonable question to ask. But now that we are breeding a generation 
>of computer literates, isn't it about time to deliver software with all
>the idiot features turned off rather than on? John 

* Half of the users who got Code Red did not even know that a web server
was running on their machine - perfect example of your point

* Every SQL Server worm I have seen so far depends on the DBA having
installed SQL Server with a blank password - this is more a case of
"laziness" than idiocy, and not really a "feature" that could be left
turned off.  But certainly the setup program could demand that SQL
admins do not use a blank password when installing.  Protect them from
their own laziness, basically.

* The vast majority of Outlook worm damage did not rely on "automatic
invocation" of code, but instead deliberately launching an attachment by
the victim.  But launching attachments with double-click could be
considered a "feature" that helps the user be lazy.  If users are forced
to save the attachment to file, then open it from disk, would that have
slowed the pace of the viruses?  Probably slightly at least.

* Installed by default in Outlook was the ability to have code send
e-mail and lookup addresses on behalf of the user.  The first Outlook
worms used that API.  The new versions of Outlook (and patches for
previous versions) made this impractical, so the next batch of worms
connected TCP directly using port 25.  Would installing with CDO (the
automatic e-mail API) off by default have made a big difference?

So I guess the answer to your question is a resounding YES!  In the four
cases I mention above, the software has been changed and people are now
forced to deliberately choose to be exposed, and are not exposed by
default installation.  "Deliver software with all the idiot features
turned off rather than on" has become something of a religion at
Microsoft in the past year.  Along with, of course, a bunch of other
axioms of good security, like "why the heck are you installing that as a
service??" :-)
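The fourth point above (worms that, once the mail API was locked down, opened TCP port 25 themselves) suggests a simple host-side detection. The following is an added example, not code from this thread or from any product it mentions; it assumes a constructed outbound-connection log format and an assumed allow-list of processes that are permitted to speak SMTP.

```python
import re
from collections import defaultdict

# Constructed sample of an endpoint outbound-connection log, one line per
# TCP connection: timestamp, host, process image name, destination IP, port.
SAMPLE_LOG = """\
2002-05-24T12:01:03 ws17 outlook.exe 10.0.0.25 25
2002-05-24T12:01:09 ws17 outlook.exe 10.0.0.25 25
2002-05-24T12:02:41 ws17 readme.exe 203.0.113.5 25
2002-05-24T12:02:42 ws17 readme.exe 203.0.113.6 25
2002-05-24T12:02:42 ws17 readme.exe 203.0.113.7 25
2002-05-24T12:03:10 ws22 iexplore.exe 203.0.113.80 80
2002-05-24T12:03:15 ws22 winword.exe 10.0.0.25 25
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Assumed allow-list: processes that legitimately speak SMTP on these hosts.
ALLOWED_SMTP_PROCESSES = {"outlook.exe"}
SMTP_PORT = 25

def parse_log(text):
    """Yield (timestamp, host, process, dst_ip, dst_port) tuples."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, proc, dst, port = m.groups()
            yield ts, host, proc.lower(), dst, int(port)

def find_unexpected_smtp(text, allowed=ALLOWED_SMTP_PROCESSES):
    """Return {(host, process): [dst_ip, ...]} for port-25 connections made
    by processes not on the allow-list.  A worm that bypasses the mail
    client's API and talks SMTP directly shows up as a non-mail process."""
    hits = defaultdict(list)
    for _ts, host, proc, dst, port in parse_log(text):
        if port == SMTP_PORT and proc not in allowed:
            hits[(host, proc)].append(dst)
    return dict(hits)

def severity(hits, fanout_threshold=3):
    """Rank findings: one stray connection is 'review'; one process reaching
    several distinct SMTP servers is 'high' (mass-mailing pattern)."""
    return {key: ("high" if len(set(dsts)) >= fanout_threshold else "review")
            for key, dsts in hits.items()}

if __name__ == "__main__":
    found = find_unexpected_smtp(SAMPLE_LOG)
    for key, level in severity(found).items():
        print(key, level, found[key])
```

The same logic works as an egress-firewall rule: deny port 25 for everything except the mail client and log the denials, which turns the worm's fallback path into an alert.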

