7 May 2000 bernhard   » (Master)

Sketch

Friday night I released yet another stable version, 0.6.7, because of the file loading bug. The bug is grave enough for this, even though it's only a one-line fix.

ILOVEYOU

Many articles on this email virus/worm correctly state that in principle it would also work on Linux, if the mail clients would let the users execute attached scripts too easily. However, then they go on to say that at most it could destroy that user's files but wouldn't harm the rest of the system.

But the user's data is very likely the most precious data on that system! Well, that's the case for me at least and probably many other people. Imagine the virus would delete the TeX-files for the thesis you have to turn in tomorrow or the source tree for your latest but yet unpublished program! This kind of data is hard and maybe impossible to recreate unless you have recent backups (which everybody hopefully has) while restoring the operating system from CDs/Internet only takes a few hours.

What can protect open source systems from mail and macro viruses is that open source programmers probably won't make insecure settings the default and will put suitable warning messages into the program.

Microsoft defends itself saying that the customers want programmable applications. Scriptable applications are all well and good, I'm using the perhaps most flexible and scriptable mail program existing for Unix myself, but that's no excuse for making the default configuration so insecure. I'm sure gnus will never automatically execute an elisp script just because it's attached to a mail and I happen to select it, unless I explicitly configure it that way, in which case I get what I deserve.

I haven't seen the virus myself, but from what I read, the name of the VBS file ended in .txt.vbs. This is a clever trick, because apparently many mail programs on Windows don't display the file extensions so that the file name the users saw looked just like a normal txt file. These are usually opened in Notepad, so double clicking on it doesn't seem to be a security risk. Hiding information from the user can be a dangerous thing.
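As an added illustration (not part of the original diary entry), here is one way a mail filter could catch the hidden-extension trick described above: compare the real final extension of each attachment with the name a UI that hides extensions would display. The extension lists, function names and the sample message are assumptions constructed for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed lists for illustration, not taken from the post; tune for your site.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd"}
BENIGN_EXTS = {".txt", ".jpg", ".gif", ".doc", ".pdf"}

def displayed_name(filename):
    """What a UI that hides the final extension would show the user."""
    return os.path.splitext(filename.rstrip(". "))[0]

def is_masqueraded(filename):
    """True if the real type is a script but the visible name looks benign."""
    name = filename.rstrip(". ").lower()   # Windows drops trailing dots/spaces
    stem, real_ext = os.path.splitext(name)
    shown_ext = os.path.splitext(stem)[1]
    return real_ext in SCRIPT_EXTS and shown_ext in BENIGN_EXTS

def flag_attachments(raw_bytes):
    """Return (real name, displayed name) for each masqueraded attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn and is_masqueraded(fn):
            hits.append((fn, displayed_name(fn)))
    return hits

def build_sample():
    """Constructed test message; attachment bodies are inert placeholder text."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment("plain notes", filename="notes.txt")
    m.add_attachment("placeholder, not a script", filename="report.txt.vbs")
    return m

if __name__ == "__main__":
    for real, shown in flag_attachments(build_sample().as_bytes()):
        print(f"quarantine: shown as {shown!r}, really {real!r}")
```

A plain `setup.vbs` is deliberately not flagged here: it is a script, but its name does not hide that from the user, so it belongs to a separate blocking rule.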
