Re: WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs

[dpz () POBOX COM (Daniel P. Zepeda)]

Thus spake Bluefish on Sun, 14 May 2000:
> > How long would you say Perl has been "widely available" on Windows boxen?
>
> Perl is not "widely available" on Windows.
>
> > No matter how you try to fix it the security is not in the basic design,
> > so the system cannot be secure. 
>
> This is true. However the rest of the argument is entirely wrong. These
> worms we've seen lately are havily dependent upon user interaction. I
> believe a clear interface etc as I mentioned would efficiently limit (not
> stop entirely, but limit) the spread of these worms as less users would be
> fooled.

Yeah, some upgrading will band-aid the sitiuation, but...
You are still only seeing half of it. They are dependant on user
interaction *and*  the ability for a program to own the machine.  If you
don't have the latter, it doesn't matter what the user does and that is
the point. Any security system where you try to rely on the user (less
educated as you would have it) to "do the right thing" will fail. 

> > Again, No matter how you try to fix it the security is not in the basic
> > design, so the system cannot be secure. 
>
> As stated before, numerous of these problems aren't actually security
> problems but a problem with the interface.
>
> > > > only MS OS that has the hope of doing that. Please, no comments on how UNIX
> > > > does not have these limitations, that is given, but UNIX does not have the
> > > > market share to cause this problem, 9x does.
> > You mean *nix doesn't have the *desktop* market share. And who cares about
> > 9x anyway? MS wants you to upgrade now. 
>
> You're not even replying to my message here, just so you know. I didn't
> type what you're replying to.

Of course you are right, sorry. I think we have the same ideas here. 
> > Oh, please can you tell me where I can verify your claims on the education
> > level of  the respective operating systems? The second point also misses
>
> You must have missed the "or you might call me biased". I have nothing
> else than my own experience to base that upon. I have not yet found a
> single unix adminstrator who is as clueless as the avarage windows
> administrator. 
>
> But seriously, where do you look when you want find Unix users? You look
> at companies dealing with high tech products. Or you look at universities
> teaching undergraduate engineers in computer science.
>
> Where do you find the windows user? Everywhere. The avarage person use
> windows, and the avarage person is less educated than those who use unix.
> I have no proof, but I believe in real-world experience.
>
> Now we're entirely out of the scope of vuln-dev. If anyone really is
> intressted in religious wars, please send them to me off-topic ;-)
>
> > the mark. Almost any of the *nix GUI's could be set up to be "one
> > mouseclick to excute possible hostile code."
>
> 'Could be' is far from 'is'. Is there any unix mail client which allows
> you to execute attachments in one mouseclick?

Oh sure. I know for a fact that KDE, a very popular Linux  WIndow Manager
features kmail which handles mime attachments very well. I routinely have
Mathematica launched to handle an attachment. I'm fairly cetain that
popular formats like PDF, postscipt etc are handled "right out of the
box."  Even if this is the only window manager available that does this
out of the box (I doubt it) the point is, there will be soon. 

>  > > trait. But as I pointed out earlier, *nix has
compartmentization in the > > design, so even if these capabilities are
built into the GUI, the overall > > ability for hostile code to damage the
system is still much less than with > > W9x because any program can
basically "own" the computer in W9x if written > > properly. 
> I'm aware of multiuser issues, and the reasons for people to use unix, NT
> and other OSes with multiuser awareness. However, I commenting upon
> solutions to make email worms less powerfull. As long as something is
> basicly relying upon the user and not exploits, the only efficient
> meassure is a client with a clear interface so the user understands what
> it does.

You will fail.  Having experience with 12,000+ user - intranets tells me
that you can't  "educate" everybody, so that is not the solution. Clear
interfaces are the band-aid. 

> > I'll echo that *nix is not perfect. 
>
> Perfect (= perfectly secure) operating systems die out. It's the survival
> of the fittest, a trade-off between useability and security. That's why C2
> systems isn't selling very well (besides the point that C2 systems cannot
> be used upon the internet). No manufacturer who hasn't lost his mind even
> think about developing an A1 system.

> I like Unix a lot, but it's well overdue that some easier security
> meassure than SUID and GUID was offered. Lets face it, few of the
> developers of the different unixes (& unix applications) are actually able
> to handle suid root.
>
> > However, it is designed from the
> > ground up as a multi-user system. Any advancing OS that intends to
> > "conquer" the internet will have to have at least this basic idea
> > incoporated into it. 
>
> Definatly. I agree totally. 
>
> I was however thinking about what could be done quickly by MS to make
> Outlook less worm-friendly. Let's face it, whatever we say about the W9x
> problems the majority of the users won't upgrade because of it.

That's where you are really wrong.  When the general public get's into
thier head that their data (their homework, their painting
etc.) is at the mercy of almost any bored 15 year-old and there is no
permanent solution in 9x, they'll move on.  

  > 
> (sigh. some newspapers in sweden actually recommended the users to keep
> using W9x... In the same article they asked why people should care about
> "40 bit" and "128 bit", that was just tech-talk according to them)

Newspapers are not known for the tech saviness in general so I'm not
suprised and give no credence them. 

> ..:::::::::::::::::::::::::::::::::::::::::::::::::..
>      http://www.11a.nu || http://bluefish.11a.nu  
>     eleventh alliance development & security team

-- 
Daniel P. Zepeda
dpz () pobox com
Find my public keys at:
http://www.cs.utsa.edu/~dzepeda/PublicKeys.html