Shawn:

I do not disagree with you on all points, just some of them. Comments
below.

********************
Mike Carlson
[EMAIL PROTECTED]
http://www.domitianx.com
******************** 

> -----Original Message-----
> From: Shawn Connelly [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, November 09, 2001 7:38 PM
> To: Exchange Discussions
> Subject: RE: exchange digest: November 08, 2001
> 
> 
> Mike, I really wanted to bow out of this over-discussed 
> thread but I felt compelled to comment.
> 
> >Subject: RE: Outlook blocked access to the following potentially unsafe
> >From: "Mike Carlson" <[EMAIL PROTECTED]>
> >Date: Thu, 8 Nov 2001 17:45:21 -0600
> >
> >No reason to blame MS for stupid people that open every 
> >"clickmetof*ckupyourcomputer.exe" they get in an email.
> >
> >When are people going to take responsibility for stupid stuff they do
> >and their own incompetence.
> 
> Hello?  Mike are you there?  (Apologies for the sarcasm...but...)
> 
> For the last time (I HOPE), it's not about clicking on .exe 
> files!!  It never has been about clicking on .exe files!! It's 
> always been about scripting files that execute simply by 
> having a preview pane open or masquerading as a benign 
> graphics file or a seemingly innocent MS Word document or MS 
> Excel spreadsheet or... just about anything else Microsoft 
> has had their hands in.
> 
> Why is this so difficult to understand?

Because vbs files and what not are only but a part of the problem.
People don't get screwed only by vbs files or other scripts. FunLove was
an executable. That ripped through networks and is still around. We
still battle that one. The security update was not implemented to stop
only vbs files and other scripts. It was developed to prevent all types
of viruses and worms. The vbs ones just got the most attention recently.

> 
> Sure, you may want to add that is what anti-virus software is 
> for... but I say MS should just listen to their customers and 
> figg'n remove the potentially damaging 'features' of their 
> scripting language.

They have listened. That's why we have the patch. I would think that it
would be hard to remove the damaging features of the scripting language
when that is what runs Outlook. The forms are built from the very same
scripting language. As a VBScript/Outlook/ASP developer I would find it
very difficult to do my job if Outlook could not interpret the script
that I have in my forms.

> 
> Sure, you may want to add that all a user must do is disable 
> the vb scripting components of their OS?  Really now, so 
> AGAIN, instead of fixing the problem, let's just remove it 
> entirely?  What about the many situations where basic 
> scripting is required?  Why isn't Sun's JAVA dangerous?

It can be. I have seen Java stuff that could do serious damage with the
click of the mouse. An in-house Java developer demonstrated that.
Click.....Grind....Dead Computer.

If someone wanted to they could do just as much damage with a Java app
as you can with VBScript. Since Java is such a low level language you
don't find the 10th grade script kiddies creating Java apps that do
damage. Those same kids can go out and search on the web for 15 minutes
and put together a VBScript that will do damage since the only tool you
really need is notepad.

> 
> Oh, what's the other common excuse I read.... 
> That MS products are so much more popular (ubiquitous?), that 
> is why there are so many vulnerabilities?  
> What utter nonsense!  
> Microsoft products have so many vulnerabilities because their 
> products have so many more vulnerabilities than other products!  
> Have you forgotten that there are more Apache servers than 
> IIS installations and more Novell Servers than Microsoft 
> Servers. Why are these facts so difficult to understand?

The excuse is not that they have more vulnerabilities because they are
popular, it is because they are popular that they are targets. Since there
are more uninformed, untrained and irresponsible people using Windows,
viruses and worms spread faster on Windows. I have said it many, many
times. If Linux was as popular as Windows, you would see about the same
amount of Linux viruses. There are some Linux viruses out there, but the
penetration isn't that great because it isn't that commonplace.

The Apache argument is becoming less and less valid. If you do more
research on the Apache/IIS debate you will see that even NetCraft is
modifying their stats to reflect that Linux installations can have
thousands upon thousands of TLDs on a single server whereas IIS
averages around a few hundred. One ISP I used had 3,000 websites on one
Linux box.

> 
> Do I hate Microsoft like some of you have erroneously 
> assumed?  Of course not!  For the most part Microsoft was 
> very successful in making computers
> available to the masses and making them easy to use.   In 
> addition, from my
> point of view, Microsoft provides some of the 
> best/friendliest support in the business.  Comparatively 
> speaking, Novell could learn much from Microsoft; those 
> %^#!@$% are clueless when it comes to caring about their less 
> than 1000 user clients. 

My experience was actually reversed. That is until I subscribed to MSDN.
Now I get decent support. :-)

> 
> However, because Microsoft is the most ubiquitous OS in the 
> world, they have an additional RESPONSIBILITY to make for 
> damn sure their products work properly (reliable, bug free 
> and vulnerability free as much as a billion dollar company can).  
> In my opinion, Microsoft has done a piss-poor job.... 
> especially when comparing them to Sun, Novell and even free Linux.  

I agree they need to take more responsibility. They have proven that in
the last couple of Patches they have released. Again, the penetration
level of the other OSs hasn't reached that of Windows. If it ever does
you will see more viruses for those platforms. Check out the SANS
digests. Those other OSs actually show up on the list more than
Microsoft as far as exploits are concerned.

I wouldn't say Sun has done a good job. I think they have upset
customers more over multi-million dollar systems with defective
processors than Microsoft have with a bug in Word. I know I would be a
little more upset.

> 
> >If you don't know how to drive are you going to blame the person that
> >runs into you?
> 
> Yes, if the person runs into my backend or is drunk coming in 
> the opposite direction!  
> 
> >If you don't know how to use a shotgun are you going to blame
> >the person who sold you the gun when you blow your arm off?
> 
> Anyway where is the relevance in your analogies? 

The relevance would be, if the same thoughts came out of my fingers that
are in my head, that you don't blame someone else for your own
incompetence or failings.

>  
> >have no clue. We had to send a tech down to help a person log into 
> >their computer. They didn't know how to press CTRL+ALT+DEL. The 
> >keyboard had CTL instead of CTRL on the key.
> 
> And?  I once had to show a client how to turn on a power bar 
> before they could turn on their computer. So what?  Some 
> people are not technically inclined, that is one of the 
> reasons why we have jobs in this business.
> 
> >Or the other fabulous ones that reboot their computer and call us 
> >saying their hard drive crashed when all they did was leave a 
> >non-bootable floppy disk in the drive.
> 
> I used to see that one often, at least until, the option to 
> make the floppy a secondary boot device became available.

So you modified the boot sequence to not go to the floppy first. How is
that different than going in and modifying the registry to allow
attachments? I suppose you could complain to Intel because they have not
fixed their boot sequence to go to the next device when the floppy isn't
bootable.

> 
> >Because people think they are computer geniuses even though they
> 
> I wouldn't trust anyone who claims to be a genius.  Even 
> Einstein refrained from using that misused term.
> 
> >Don't blame MS. They are just responding to all the crap they got about
> >not being secure. If people wouldn't click on every stupid thing they
> >get via email, MS would have NEVER released that patch.
> 
> No, you're WRONG Mike.  It is the people who complain that 
> make changes happen.

Yes, they complained about security and supposed vulnerabilities. So MS
made it secure and closed the supposed vulnerabilities. The propagation
of viruses and worms would not be as it is today if people would take
more responsibility and not click on every attachment they get. I don't
think you will see the same issues with Outlook now.

> 
> Complacency is a very dangerous thing!
> 

People weren't complacent. They were all over MS after ILOVEYOU came out.
MS responded. Now I may not agree totally with the way they resolved the
problem, I do understand where they are coming from and I am going to
live with it. There is a work around.

People just ripped MS after ILOVEYOU. I think they should have disabled
access to certain areas of the system from VBS files unless they had a
digital signature and the user agreed to them. Something like ActiveX
stuff on the web.

Since Windows and Office are so dependent on VBScript, they couldn't
just filter out bad script right away. They need to figure out how to
still use VBScript but not allow malicious script to get by without at
least letting the user know. The script behind the forms can have the
same access as the bad script in the worms going around. Difficult to
say the least. They would have to figure out how to stop malicious
script yet not break their own apps and remain backwards compatible with
legacy applications.

I would normally use an analogy here, but since I haven't quite been
typing them the same as I am thinking them, I will refrain.

> I'm a little bit of a %^$$ disturber and because of that, I 
> have helped make a number of commercial products better 
> and/or safer.  
> If you want a diligent beta-tester, I'm your man!   
> Unfortunately, these
> days we must purchase beta software.
> 
> Shawn
> 
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 
