On Fri, Sep 26, 2003 at 09:36:10AM -0500, Kirk Strauser wrote:
> I disagree. I can't think of any reason why I'd be mailing an executable to
> someone instead of a URL to where they can download it themselves, with the
> exception of development collaboration among people experienced enough to
> use *zip.

I can. I don't have a website.

> I only think that'd be a problem *if* Microsoft built an
> unzip-then-execute-er into Windows (which is admittedly not implausible).

I think some of the zip tools do this, or aren't far away from it, in the name of trying to make the zipped-ness of the files as transparent as possible.

> Why? Because the first thing that gets permanently burned into your brain
> when you work in a tech support position is "people are lazy". I can almost
> guarantee that requiring an additional couple of clicks before a Trojan
> installer can be run would drop infection rates by 90%.
>
> I think a more solid long-term strategy would be to write mail clients that
> make it impossible to automatically perform any action on an attachment more
> advanced than displaying a picture. Want to play an attached MP3? Save it
> to your drive then load it. Want to open a .zip archive? Save it to your
> drive first. Refer back to "people are lazy". Removing the "One-Click (TM)
> Infection" vector would dramatically reduce trojan distribution.

I do agree with this. But it's rather against the M$ philosophy, it seems...

-- 
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F