At Tue, 09 Dec 2008 11:55:20 -0500 roger at qux.com wrote:

> >>>>> Robert Heller <heller at deepsoft.com> writes:
>
> > In this [corporate] environment, it is perfectly viable for the various
> > in-house office workers to share all sorts of legitimate company stuff ...
>
> Naw... you can't tell me that there's ever an excuse for automatically running
> executables received in attachments. Macros in Word documents are a different
> issue (running with root permission? Hello??) but they aren't the primary
> infection vector for spam-distributed malware.

*I* agree with you, but the 'Pointy Haired Corp. Bosses' might have other
thoughts. And of course the *marketing* dept. at Microsoft is generally
clueless WRT sensible software design principles.

Also, there is the MS-DOS/MS-Windows weirdness of 'self-extracting' archives,
and other similar nonsense, mostly because MS-Windows tends NOT to have all of
the 'essential' utilities installed and/or MS-Windows users are clueless about
these sorts of utilities, and because people who deliver stuff (software,
media, etc.) have been ingrained with the idea of making things 'easy' (?) for
the end-user, by bundling stuff into a 'click here' lump to
install/setup/configure/view/whatever, using some sort of 'wizard' to do all of
these steps with a series of friendly dialog boxes... The problem (of course!)
is that *anything* can be delivered this way, including malware of all sorts.
Microsoft makes this easy, by including all of the tools to make it very
(end-)user friendly with pretty dialogs and suchlike.

> > The problem is that when a home user ... connects a MS-Windows machine ...
>
> No, I don't buy that argument. The trade journals report that 99%+ of the
> machines on botnets are behind decently-maintained firewalls at big
> corporations. And the system administrators at Intel (as an example of one of
> the more vigilant big companies) tell me they can't do much about the problem
> as long as they support Windows.

I'm not claiming that the corporate worker bees are any more clueful than home
users (since they are generally the same people!) or that MS-Windows-oriented
corp. IT depts are necessarily any more clueful either (what really can one
learn about proper network security in only 6 months of night classes* -- yes,
you might be MCSE certified, but what does that mean, really?)... I would agree
that the sort of promiscuous (one-click *or less*) media sharing that Microsoft
(and the corp. culture) encourages/expects is generally bad, no matter what
sort of (good, bad, or indifferent) 'protections' (firewalls, virus scanning,
etc.) are in place. Even if the purported sender is legit, there should be a
vetting and confirmation process for all attachments. And of course this is all
on top of Microsoft Windows's *notoriously* *bad* security model (which only
adds fuel to the fire).

*There is a radio ad for some night school that claims that one can spend 6
months 'studying hard', get your MCSE certification, and go off into the high
paying world of IT work... Ha!

--
Robert Heller             -- Get the Deepwoods Software FireFox Toolbar!
Deepwoods Software        -- Linux Installation and Administration
http://www.deepsoft.com/  -- Web Hosting, with CGI and Database
heller at deepsoft.com    -- Contract Programming: C/C++, Tcl/Tk
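The reply above asks for a vetting step on every attachment and singles out self-extracting archives as a way to deliver "anything" in a click-here lump. The script below is an added example, not code from this thread or from either poster: it parses a raw mail message with the standard library and holds back attachments that Windows would execute when double-clicked, archives that carry executables, and files whose leading bytes contradict the extension they advertise (a PE stub with a ZIP payload behind it is the self-extracting-archive layout). The extension list, the magic-byte table and the five-attachment message are this example's own constructed data; a real deployment would extend the lists and run this on the mail gateway or in a quarantine hook.

```python
"""Vet e-mail attachments before anyone is allowed to double-click them.

Added example: flags attachments Windows would execute directly, archives
that carry executables, and files whose content (magic bytes) does not match
the extension they advertise, including self-extracting archives (a PE stub
with a ZIP payload appended).  Standard library only.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Extensions Windows Explorer runs when double-clicked.  Deliberately
# conservative and incomplete (assumed list; extend it for your environment).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".msi", ".cpl", ".lnk", ".ps1",
}

# Leading bytes of common container formats (assumed table for this example).
MAGIC = (
    (b"MZ", "pe"),                 # DOS/Windows executable stub
    (b"PK\x03\x04", "zip"),        # ZIP (also docx/xlsx/jar)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy Office binary (.doc/.xls), macro-capable
)

# What the extension claims the content should be.
EXPECTED_BY_EXTENSION = {
    ".pdf": "pdf", ".zip": "zip", ".doc": "ole", ".xls": "ole",
    ".docx": "zip", ".xlsx": "zip",
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the container type implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def vet_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons this attachment should be held; [] means no finding
    (which is not the same as safe)."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_type(data)

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")

    if kind == "pe":
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"content is a Windows executable (MZ) but extension is {ext or '(none)'}")
        # PE stub followed by a ZIP local-file header: the user sees an
        # "archive", Windows runs a program.
        if b"PK\x03\x04" in data[2:]:
            reasons.append("self-extracting archive (PE stub with embedded ZIP)")
    elif ext in EXPECTED_BY_EXTENSION and kind is not None and kind != EXPECTED_BY_EXTENSION[ext]:
        reasons.append(f"content type {kind} does not match extension {ext}")

    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTENSIONS:
                        reasons.append(f"archive member {member!r} has executable extension")
        except zipfile.BadZipFile:
            reasons.append("claims to be a ZIP but cannot be parsed")
    return reasons


def vet_message(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw RFC 5322 message and vet every attachment, keyed by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings[name] = vet_attachment(name, payload)
    return findings


def build_sample_message() -> bytes:
    """Constructed test message (not a real capture) with five attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "worker@example.com"
    msg["Subject"] = "Q4 figures"
    msg.set_content("Please review the attached.")

    pe_stub = b"MZ" + b"\x00" * 62          # minimal DOS-header prefix
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/setup.exe", pe_stub)
        zf.writestr("invoice/readme.txt", "run setup")
    archive_with_exe = buf.getvalue()

    samples = [
        ("notes.txt", b"minutes of the Tuesday meeting"),
        ("setup.exe", pe_stub),
        ("quarterly.pdf", pe_stub + b"PK\x03\x04" + b"\x00" * 16),  # SFX dressed as a PDF
        ("photos.zip", archive_with_exe),
        ("photo.jpg.scr", pe_stub),        # double extension; .scr is executable
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in vet_message(build_sample_message()).items():
        print(f"{'HOLD' if reasons else 'ok  '} {name}: {'; '.join(reasons) or 'no findings'}")
```

Running it holds four of the five attachments and passes only notes.txt; the .pdf is caught twice, once because its bytes are a PE image and once because that image has a ZIP appended. Magic-byte checks are cheap and catch the renamed-executable trick, but they say nothing about macros inside a genuine .doc or a genuine .zip full of scripts, so the "confirmation" half of the process (asking the purported sender out of band) still applies to anything that passes.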