[rescue] (Offtopic) X-Message-Flag fun for Outlook users

Jonathan C. Patschke jp at celestrion.net
Wed Aug 2 17:41:56 CDT 2006


On Wed, 2 Aug 2006, Ethan O'Toole wrote:

> Yea, Macros in documents were a bad idea. But I don't believe those
> viruses are widespread today. Perhaps I am wrong, but coming from a
> UNIX engineering house where management wanted modern Exchange, I
> never once saw any of this. Perhaps Trend Micro's small business virus
> scanner was cleaning it all up... I'm not sure.

VBScript and ActiveX objects and ActiveX scripting are merely extensions
of the same brain-damaged way of thinking at Microsoft.  This stuff has
-finally- gotten curbed a bit in XP SP2 (after having been a problem for
a little under a decade), but you still have companies like Verisign
granting certificates to spyware companies under names like "Click Next
to get FREE ringtones and wallpapers for your mobile phone", so
requiring signed code is still a pretty low barrier to entry.

The problem, as I've said before, is more social than technological.
Granted, Microsoft's attitude towards patches (especially now, where
people running unauthorized copies of the OS can't even -get- security
patches easily) hasn't helped matters, and the multitude of exploits[0]
for every consumer-facing application they're written ensures a
tremendous amount of vulnerability.

But, users don't see the problem in downloading code and running it.
Webmasters don't see the problem in stuffing code (through ActiveX,
Mozilla plug-ins, and (arguably safe) Java applets).  Video games like
WoW and Unreal Tournament[1] download -live code-, usually without the
express permission of the operator (that is, you may have "agreed" to it
in the 50-page license agreement, but you haven't said "Yes, I want to
run code that does $foo").

Microsoft, bless their stupid little hearts, just really didn't see the
problem with Outlook 97 shipped in such a way that users could just mail
VBScripts at each other and have them run on the remote end.  The
project manager who signed off on that feature probably thought it was
really "cute" that he could send people messages that would pop up
messages boxes saying "Hey, look what I can do!".

That fits the mentality of the end-users very well.  They'll download
anything.  Free NASCAR screensaver?  Hey, download it.  Free password
manager[2]?  Download it!  Run it!  Install it!  Give it to me!  Don't
make me think!  It's only a computer!

> But it has been a while since we had the widespread devestating
> exploits like winnuke, or the Microsoft web server worms, that
> effected the majority of systems on the intarweb.

We're affected by Microsoft -every single day-.  Your average mail
system receives approximately 15% - 30% more spam (both in terms of
messages and octet count) than it does actual email.  A very, very large
portion of that traffic is generated by zombified PCs running Microsoft
Windows.

> I use pine, and there have been similiar exploits for it.

Oh yeah, and for the the server bits of the UW-IMAP code, too.

> Of course not as widespread, since, well according to the rap songs no
> one uses outdated pine anymore. It has no problems dealing with HTML
> email and all that fuss either.

I wish I could remove HTML support from my pine binaries.  I'd prefer to
not get any HTML-encoded email at all.  If I want HTML, I can open
Mozilla, provided I can find a web site that's actually -written- in
HTML, rather than Flash, Shockwave, and whatever other manner of
proprietary garbage Adobe is shoveling out these days.

> Being forced to use outlook, I just clicked the box that defaulted it
> to plaintext. I still had issues with it forcing me to top post
> though.

With sufficient application of a rolled-up newspaper, Outlook can be
beaten into an acceptable mail client.  To be honest, I quit using it
when it lost a 620MB .pst file for me; it just decided to open it up and
zero out all my messages for me, truncating the file to 64KB or
whatever.  As Murphy would have it, my Segate tape drive shredded the
DLT containing the backup of that file minutes later.

I used Eudora until I kicked the PC off my desk in favor of an SGI.

I can't say I'd like using the more recent versions, though; the UI has
gotten pretty silly.

> I think he might have been right, that a Microsoft environment (to
> someone knowledgable in that environment) can be secured.

It can, but it requires a level of vigilance that borders on
mind-boggling.

> It's sad that as bad as Microsoft is, it's really that far ahead of
> the open source stuff in many regards.

It's all about audience.  Microsoft makes tools and toys for people who
use computers as toys.  The Lunix folks make toys for tools who use
computers instead of people.

> Exchange? Show me a good open source alternative. Even some of the
> linux ones like Scalix required IE as the web browser when I last saw
> it. Yes you can get iCal and IMAP and plugins and all this stuff, but
> it isn't quite as integreated.

Who needs an open-source Exchange when Sun's messaging platform is
available at no charge?


[0] Old vulnerabilities don't ever really die.  Someone, somewhere,
     somewhy is almost certain to be running some old craptacular build
     of Internet Explorer or Outlook or -something- for no reason than
     having gotten burned by updates in the past.
[1] Originally the downloads were just code that run in the game
     engine's interpreter, but about the time I stopped playing video
     games for lack of time, quite a few servers tried to shove native-
     code libraries at me.
[2] Talk about something that REALLY makes my head explode: people
     downloading software they've never investigated for the purpose of
     memorizing bank passwords and the like.
-- 
Jonathan Patschke    )   "A man who never dreams goes slowly mad."
Elgin, TX           (      --Thomas Dolby, "Valley of the Mind's Eye"



More information about the rescue mailing list