[plug] More news?

Craig Ringer craig at postnewspapers.com.au
Fri Aug 29 14:32:41 WST 2003


>> I know Linux and the Mac OS attracts its share of maladjusted jerks
>> just like Windows does; surely my other machines would have been
>> infected with something by now
> 
> It's not that there aren't gaping holes, it's just harder for
> "executables" to spread without user intervention or bizarre application
> defaults that just aren't traditional for those platforms. 

In fact, they /just don't make sense/ under UNIX. An executable file is 
a file with the 'executable' bit set - not something ending in any one 
of many different 3 letter codes. So the system doesn't even think "I'll 
run this program when it's clicked on" unless it's explicitly marked 
executable. Currently, thankfully, mail clients will NEVER mark files 
executable when they save them.

This does not avoid user stupidity exploits and hoaxes - 'this program 
will clean the BigBadScary virus off your computer....' but raises the 
amount of /effort/ required considerably. We all know how good the 
average user is at effort and following instructions... excellent, but 
only when doing the "right thing" is the worst possible thing they can do.

I'm sure many people on PLUG know some Windows user who has deleted 
C:\Windows\<somethingimportant> because an email told them to - "it's a 
virus!!!" - right?

Nonetheless, currently it's not possible to send a trojan that can be 
easily executed from any and all mail clients on a UNIX system by 
something like double clicking. As a result, the number of people 
running it should be much lower, it's more obvious that it's something 
fishy, and it should be easier to educate people about what not to do. 
"Don't ever follow instructions in an email that ask you to save a file, 
then use a program to open it."

I'm constantly worried that the quest to make mail clients "easier" and 
"more user friendly" under *nix will end with mail clients that ignore 
MIME types in favour of file extensions (to be compatible with broken 
mailers on Windows and MacOS the world over), then support easy 
execution of '.sh' etc. BAD PLAN. Mail clients should be paranoid about 
executable MIME types.

Unfortunately, one 'default' that is very much traditional on UNIX 
systems is 'install any/all daemons available, and run them all by 
default with minimal default security.' It's getting better on Linux 
these days, and I expect the other UNIXes are too - but lots more work 
is needed.

> For example,
> Mac OS version 1 through 9 didn't ship with unsecured Internet services
> running by default. 

MacOS <10 was an excellent example of "so simple that there's nothing to 
attack." Sometimes this isn't a bad thing, though it's infuriating for 
'power user' types.

Craig Ringer
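
The behaviour the message above relies on, as an added example that is not part of the original post: a mail client's save routine that never sets the executable bit and judges content by its declared MIME type rather than by the file extension. The function names, the list of "executable" MIME types and the sample message are assumptions constructed for illustration.

```python
import os
import stat
from email.message import EmailMessage

# MIME types treated as executable content (assumed, non-exhaustive list).
EXECUTABLE_TYPES = {"application/x-sh", "text/x-shellscript",
                    "application/x-executable", "application/x-msdownload"}

def build_sample():
    """Constructed sample: a shell script attached under a harmless-looking name."""
    msg = EmailMessage()
    msg["Subject"] = "cleaner tool"
    msg.set_content("Save the attachment, then use a program to open it.")
    msg.add_attachment(b"#!/bin/sh\necho hello\n", maintype="application",
                       subtype="x-sh", filename="../cleaner.txt")
    return msg

def save_attachments(msg, dest_dir):
    """Save each attachment with no execute bits; return (path, flagged) pairs."""
    saved = []
    for part in msg.iter_attachments():
        # Decide from the declared MIME type, not from the name's extension.
        flagged = part.get_content_type() in EXECUTABLE_TYPES
        # Drop directory components so the name cannot leave dest_dir.
        name = os.path.basename(part.get_filename() or "") or "attachment"
        path = os.path.join(dest_dir, name)
        # O_EXCL refuses to overwrite an existing file; 0o600 has no execute bit.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        saved.append((path, flagged))
    return saved

def is_executable(path):
    """True if any execute bit (user, group or other) is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for path, flagged in save_attachments(build_sample(), d):
            print(path, "flagged" if flagged else "ok",
                  "executable" if is_executable(path) else "not executable")
```

The saved file is flagged because of its `application/x-sh` type even though its name ends in `.txt`, and it cannot be run until someone explicitly changes its mode.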



