Lists Home |
Date Index |
Dare Obasanjo wrote:
> That solution basically amounts to creating a user hostile system where users can't run applications unless allowed to by the system administrator.
Most large businesses want to create just precisely that!
> As for the home user, I don't see how this ultra-cumbersome approach
would even get off the ground let alone fly with the average IMing,
music downloading teenager.
> Even if you did all that they'd just go through all the steps and
launch the application.
The problem is that applications can be launched without being
installed. If there was no way of running executable code in an
application other than having the attachment being a software package
wrapped up in a distribution file format that was handled by a standard
system app (like RPM or apt or whatever), so you had to say "yes I want
to install this software" and so on, THEN actually go and run it, then
people won't be fooled into thinking they're just opening a file. Which
is what MyDoom tries.
Obviously, if somebody can install software on their machine - either
the owners of the machine permit it, or they own the machine themselves
- then they can always be socially engineered into installing and
running arbitrary applications. But that's not what MyDoom has done.
MyDoom is claiming that the attachment isn't an executable, because the
action of opening a document is the same as the action of running an
executable under so many GUIs!
On the command line, one is not so easily fooled. If an attachment
claims to be Unicode text or whatever, you will save it them run:
If it asks you to directly execute the attachment with:
...the user might think "Why's that then?" :-)
> How many people would have believed that requiring a user to download
> a zip file, unzip it's contents then launch the contained executable
> would be a virus vector that would actually work let alone be one of
the fastest spreading of all time?
The same people who thought that popping up those dialogs saying "This
web page contains ActiveX controls signed by XYZ Corporation. Do you
want to trust content signed by XYZ Corporation?" was a stupid idea :-)