be7a wrote: > I just looked at a few web sites to see how BadTrans works. It relies > on the user to save and /run/ the attachment. All email viruses I've > seen take advantage of the ease with which a careless user can run an > attachment. I /still/ don't understand how HTML can launch anything.
The thing is, the virus doesn't have to launch to cause the damage. Who knows, maybe they took the over zealous approach of AV apps into account. Though it doesn't launch, have you ever clicked on a ".reg" file through a web page or E-Mail? Both Netscape 4.7x and IE 5.5 would give you a minor dialog box warning, then slap that entry into play. Saw this with one user who couldn't figure out why both browsers kept going back to this one site as his home page. Turned out, he happily clicked away on a .reg file that overwrote this section. > With a simple warning popup message, Mozilla could help dispell the > FUD[1] Micro$oft has perpetuated (because they want to allow things to > be executed easily from within their products). A pop-up warning in > Mozilla could even include a link to an "email viruses explained" page > that discusses this topic in very understandable language. Had a user I know start using one of the latest version of MS Lookout(tm) on his PC recently at home. I won't let that product into my office so long as I have a pulse! Anyhow, he's taking some kind of computer classes at night. From the class he sent himself home a perfectly legitimate executable that he needed. That's when he calls me. He can see the mail, but the new Lookout(tm) won't even allow the user to see an executable attachment. I understand there's a tweak somewhere to get around this, but I wasn't familiar enough with the product to get him there. I think he eventually had to copy the file to a floppy to move it. Mind you, I don't believe that the interaction between apps is where Microsoft messed up with security. Their biggest sin was in bundling their Internet apps so closely to the OS. They don't differentiate between a .exe clicked on from an E-Mail to one that was clicked on from the desktop as they both look to the same place to find what to do. I also think that this is going to eventually come around and bite KDE in the butt. The web browser and file manager really should keep their own associations. > <HalfSerious> > You should start a business that caters to newbies. You could develop > an SMTP server that removes viruses /as they are received/. Neophytes > might pay you a lot of money if you can convince them that this is the > only way to be truly safe! > </HalfSerious> Someone already thought of this darn it! :) http://www.satirewire.com/features/siliconpines/acf.shtml > One could take this even further and develop separate mechanisms for > email and file transfers. I don't believe this is useful; nor do I > believe Mozilla has to detach the attachments automatically on receipt. > > I believe Mozilla should have a /simple/ OS boundary where the user > requests a file to be attached (encoded) and detached (decoded). > PERIOD. Everything else should stay MIME encoded in a standard email > format using standard protocols. Always converting attachments to > local files to get around user ignorance about viruses is just not a > useful way to combat FUD: it perpetuates it further. One of the problems with this discussion is that there really isn't a "standard" for this exactly. The mbox format at best could be described as a fairly common format that most folks seemed to agree upon. There's certainly nothing that I could find that discusses how attachments should be "properly" handled. What has been common with most E-Mail clients is to simply store the incoming mail pretty much as they get it in, leaving the decoding of attachments to a later routine. I'll grant you, the difference between being common and being a standard is fairly slim. There's just no spec or RFC that's been written to really nail down exactly what mbox is. > I agree that uuencoded and base64 attachments use more space, but > there are several useful ways to deal with it. > > One of the great things about IMAP is that you can leave attachments > on the server until the user decides what to do with them. Mozilla > could use no disk space at all to delete an unwanted attachment. Well, that still uses disk space, it just displaces it elsewhere. Servers have limits too. > Another neat feature to add to Mozilla someday would be transparent > compression. That would /significantly/ speed the sending, transit, > and receiving times for many kinds of large files. If Mozilla had > this feature, the attachment would often take up less space in its > encoded form than the unencoded file uses! Ahh, but there's a real nasty trade off to this. Performance. So far Mozilla Mail still hasn't quite got up to the speed of NS 4.7x for handling mail. Yeah, I know the benchmarks are getting better. Also, in order for the compressed messages to actually save you bandwidth, both the sender and recipient would have to understand how to decompress the message properly. Talk about breaking standards! > I agree: people don't pay attention, or they don't understand. > Perhaps an ominous popup message would do the trick. > > Another point to ponder: who is the intended audience for Mozilla? > Will AOL ever make Mozilla/Netscape the standard email client for > their less-savvy users? The present audience is people who /will/ > read the release notes and /are/ willing to take risks with new software. > > This leads me to propose a two-phased approach. In the first phase > (i.e., /now/), when Mozilla has near-zero market share, just document > the problem in the release notes. In the second phase, when > Mozilla/Netscape gains a larger market share, implement a more > sophisticated mechanism that warns the user when they're saving or > launching a script or executable file. This might help > Mozilla/Netscape /gain/ market share because it's /safer/ than the > alternatives! Personally, I don't ever want my E-Mail client to launch anything ever. The only pop up I ever want to see is where the file is to be saved. Not nearly as convenient I know, but I've watched all too often as users blindly click through dialog boxes just to get them out of the way of what they're doing. The vast majority of dialog boxes a user is presented through the day are informational, or just plain useless. I'm talking about all the apps a user works with, not just Mozilla. After a while, users get desensitized to them. Kind of like how you may be startled by a single loud noise, but be perfectly comfortable at a rock concert with a lot of loud noises. Later on, -- "Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark to read." - Groucho Marx
